Red Hat Bugzilla – Bug 580094
Suggested man-pages change for nsswitch.conf
Last modified: 2010-11-09 07:45:11 EST
Escalated to Bugzilla from IssueTracker
Event posted on 04-07-2010 09:14am EDT by kbaxley
The customer ran into a problem after updating to the latest version of nss_ldap in RHEL5.5:
At first it looked as if there was some sort of regression in the latest revision of
nss_ldap. The customer was getting reports from the field (approx. 125 affected
systems) that were using LDAP to distribute sudoers information using the
sudoers_base ou=SUDOers,dc=unix,dc=lanl,dc=gov directive.
got upgraded to the latest nss_ldap release (nss_ldap-253-25.el5), the sudo functionality broke.
Cannot sudo when configured to use LDAP for sudoers information.
Attempt to use sudo responds with "User not in /etc/sudoers. This
incident will be reported." failure message.
User able to execute sudo without error.
Uninstall latest nss_ldap libraries and install previous version
(nss_ldap-253-22 for RHEL 5).
A later update from the customer found that this apparently was an undocumented change in behavior rather than a regression:
This is just a follow up on our saga with getting sudo back and working
on our systems. Turns out that I identified the wrong library as the
issue. We are now using all of the latest rel 5 updates with no
problems. The issue was that an entry in nsswitch.conf is required now.
We added the line (sudoers: files ldap) to cfengine and now we can sudo
again! BTW, we never found this in the documentation, just took a wild
guess and it worked.
Perhaps a clean up or updating of the documentation for nsswitch.conf is
This event sent from IssueTracker by kbaxley [LANL]
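The fix the customer describes above is a single nsswitch.conf entry, added via cfengine. As an added example (not part of the bug report, nor code from sudo, nss_ldap or cfengine), the POSIX shell functions below make that change idempotently: they check whether a `sudoers:` entry already exists and append `sudoers: files ldap` only when it is missing, so a configuration-management run can apply it repeatedly without duplicating the line. The function names, the file argument and the sample nsswitch.conf content are constructed for illustration; only the entry text `sudoers: files ldap` comes from the comment. The `sudoers_base` setting in ldap.conf mentioned earlier is assumed to be in place already and is not touched here.

```shell
#!/bin/sh
# Added example, not from the bug report: ensure nsswitch.conf carries a
# "sudoers:" entry so sudo 1.7.x consults LDAP after the local sudoers file.
# The file is passed as $1 so the functions can be exercised on a copy.

NSS_ENTRY="sudoers: files ldap"   # the line the customer added (from the comment)

# Print the first active "sudoers:" line from the file (empty if none).
# Leading whitespace is tolerated; commented-out lines are ignored.
nss_sudoers_line() {
    grep -E '^[[:space:]]*sudoers:' "$1" 2>/dev/null | head -n 1
}

# Count active "sudoers:" entries; used to confirm idempotence.
count_nss_sudoers() {
    grep -cE '^[[:space:]]*sudoers:' "$1" || true
}

# Append the entry only when absent. Running this twice is a no-op,
# which is what a cfengine-style managed edit needs.
ensure_nss_sudoers() {
    f="$1"
    if [ -n "$(nss_sudoers_line "$f")" ]; then
        return 0
    fi
    printf '%s\n' "$NSS_ENTRY" >> "$f"
}

# Demo on a constructed sample file (hypothetical content, not a real host).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample nsswitch.conf, RHEL 5 style
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
EOF
    ensure_nss_sudoers "$tmp"
    ensure_nss_sudoers "$tmp"        # second run must not add a duplicate
    nss_sudoers_line "$tmp"          # prints: sudoers: files ldap
    rm -f "$tmp"
}

demo
```

Run it against a copy first (`cp /etc/nsswitch.conf /tmp/nss.test; ensure_nss_sudoers /tmp/nss.test`) and diff the result before pointing it at the live file. The check matters because sudoers.ldap(5) documents that, when nsswitch.conf has no `sudoers:` line at all, sudo assumes `sudoers: files` and never queries LDAP, which is exactly the "User not in /etc/sudoers" symptom reported above; a commented-out line counts as absent, which is why the pattern above skips comments.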
Our hosts were bitten by this as well. I finally found the documentation for this new behavior here:
but this change was not mentioned in any of the errata notes for sudo packages in RHN.
It appears to also be buried in the /usr/share/doc/sudo-1.7.2p1/sudoers.ldap.pod file, but that's not the first place that I would think to go spelunking.
The reference in the README.LDAP file states:
See the "Configuring nsswitch.conf" section in the sudoers.ldap manual for details.
I initially presumed that meant "man 5 sudoers.ldap" and looked for an installed man page with that information. It is certainly not mentioned in sudoers(5).
Perhaps the most sane thing is to incorporate running pod2man on that file during the RPM build to round out the documentation set where most admins will think to go looking for it. At initial glance, that is the only main documentation file that is not already installed in /usr/share/man.
BTW, this looks like it's the other side of the coin of 583644.
/usr/share/doc/sudo-1.7.2p1/sudoers.ldap.pod is part of sudo package, so reassigning to it.
Closing this as a duplicate of #583644. Installation of the missing sudoers.ldap man page will be solved as part of that bug. Sorry for the inconvenience.
*** This bug has been marked as a duplicate of bug 583644 ***