Bug 506945 - Can't get root level access rights from ldap
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: sudo
Version: 10
Hardware: i386 Linux
Priority: low, Severity: medium
Assigned To: Daniel Kopeček
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-06-19 09:00 EDT by Alex Bulatov
Modified: 2009-08-26 10:13 EDT
Last Closed: 2009-08-26 10:13:14 EDT
Description Alex Bulatov 2009-06-19 09:00:55 EDT
Description of problem:

After the last update, sudo does not work if it gets its access-rights information from LDAP. The LDAP logs contain absolutely no requests from the client about sudo access for the current user who tries to run sudo. The client logs contain "user NOT in sudoers".

Version-Release number of selected component (if applicable):

1.7.1-2.fc10

How reproducible:

Try to run sudo

Steps to Reproduce:
1. Update sudo to version 1.7.1-2.fc10
2. sudo

  
Actual results:

2009-06-18T18:16:37.379646+04:00 host sudo: pam_krb5[31872]: authentication succeeds for 'user' (user@DOMAIN.ORG)
2009-06-18T18:16:37.437684+04:00 host sudo:    user : user NOT in sudoers ; TTY=pts/11 ; PWD=/home/user/ ; USER=root ; COMMAND=/bin/ls
Comment 1 Alex Bulatov 2009-06-19 09:03:52 EDT
If I downgrade sudo to 1.6.9p17-2.fc10, the component works correctly.
Comment 2 Daniel Kopeček 2009-06-22 10:04:42 EDT
Could you please test this http://koji.fedoraproject.org/koji/taskinfo?taskID=1429435 build?
Comment 3 Dmitrij S. Kryzhevich 2009-07-03 03:19:40 EDT
The same here, but on F11 x86_64. Latest, not working: sudo-1.7.1-2.fc11.x86_64 (Koji). Working: sudo-1.6.9p17-6.fc11.x86_64.

How do I get those RPMs from the link?
Comment 4 Dmitrij S. Kryzhevich 2009-07-09 12:34:51 EDT
sudo-1.7.1-4.fc11 from Koji is still not working.
Comment 5 Dmitrij S. Kryzhevich 2009-07-26 04:33:25 EDT
Any news?
Comment 6 Daniel Kopeček 2009-08-25 07:57:12 EDT
Hi, sorry for the delay. I found this entry in the 1.7.0 vs. 1.6.9 ChangeLog. It may be related to your problem:

Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf to specify the sudoers order. E.g.:

	    sudoers: ldap files
	
to check LDAP, then /etc/sudoers. The default is files, even when LDAP support is compiled in. This differs from sudo 1.6 where LDAP was always consulted first. 

Do you have this entry in /etc/nsswitch.conf?
Comment 7 Dmitrij S. Kryzhevich 2009-08-26 09:47:58 EDT
After the string "sudoers: ldap files" was added to /etc/nsswitch.conf, sudo-1.7.1-4.fc11.x86_64 works fine for me now.
Thank you, Daniel.
Comment 8 Alex Bulatov 2009-08-26 09:59:22 EDT
(In reply to comment #6)
> Hi, sorry for the delay. I found this entry in the 1.7.0 vs. 1.6.9 ChangeLog.
> It may be related to your problem:
> 
> Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf to specify
> the sudoers order. E.g.:
> 
>      sudoers: ldap files
> 
> to check LDAP, then /etc/sudoers. The default is files, even when LDAP support
> is compiled in. This differs from sudo 1.6 where LDAP was always consulted
> first. 
> 
> Do you have this entry in /etc/nsswitch.conf?  

No, I don't have it.
After adding this entry and upgrading to sudo-1.7.1-4.fc10.i386, all works fine!

Thanks!
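
The check below is an added example, not part of the bug thread and not sudo's own code: a POSIX shell sketch that reports which sudoers sources sudo 1.7 and later will consult, following the ChangeLog text quoted in comment 6 (default `files` when no `sudoers:` line is present). The function names and the sample files are constructed for illustration, and it assumes the first `sudoers:` line in the file is the one that counts.

```shell
#!/bin/sh
# Print the sudoers lookup order configured in an nsswitch.conf-style file.
# Falls back to "files" when the file or the sudoers: line is missing,
# which is the sudo 1.7 default described in comment 6.
# Bracketed tokens are skipped because they are not source names.
sudoers_order() {
    conf=${1:-/etc/nsswitch.conf}
    order=""
    if [ -r "$conf" ]; then
        order=$(sed -e 's/#.*//' "$conf" |
            awk -F: '$1 ~ /^[ \t]*sudoers[ \t]*$/ {
                n = split($2, tok, /[ \t]+/); out = ""
                for (i = 1; i <= n; i++) {
                    if (tok[i] == "" || tok[i] ~ /^\[/) continue
                    out = out (out == "" ? "" : " ") tok[i]
                }
                print out; exit
            }')
    fi
    [ -n "$order" ] || order="files"
    printf '%s\n' "$order"
}

# Return 0 if LDAP is among the configured sources, 1 otherwise.
sudoers_uses_ldap() {
    case " $(sudoers_order "$1") " in
        *" ldap "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files (not taken from the reporters' systems):
# one as it looks right after the upgrade, one with the entry added.
demo_dir=$(mktemp -d)
printf 'passwd: files ldap\ngroup: files ldap\n' > "$demo_dir/upgraded.conf"
printf 'passwd: files ldap\nsudoers: ldap files\n' > "$demo_dir/fixed.conf"
for f in upgraded fixed; do
    if sudoers_uses_ldap "$demo_dir/$f.conf"; then
        state="LDAP consulted"
    else
        state="LDAP never queried"
    fi
    printf '%s: order="%s" (%s)\n' "$f" "$(sudoers_order "$demo_dir/$f.conf")" "$state"
done
rm -rf "$demo_dir"
```

Run across a fleet after a sudo 1.6 to 1.7 upgrade, a result of `files` on a host that is expected to take its sudo rules from LDAP points to the missing `sudoers:` entry seen in this report.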
