Hi,

I have configured sudoers in my environment. But when I try to execute a command using sudo, the command fails to get executed, saying "sysadmin is not in the sudoers file. This incident will be reported."

I am using the sysadmin account, as mentioned in the sudoers ldif file below.

 

login as: sysadmin
sysadmin@10.150.14.144's password:
Last login: Mon Aug 29 14:58:50 2011 from 10.150.10.158

Could not chdir to home directory /home/sysadmin: No such file or directory
-bash-3.2$ sudo ls
[sudo] password for sysadmin:
sysadmin is not in the sudoers file.  This incident will be reported.
-bash-3.2$ sudo -V
Sudo version 1.7.2p1
-bash-3.2$ sudo -l
[sudo] password for sysadmin:
Sorry, user sysadmin may not run sudo on devonly144.
-bash-3.2$

On the server, the sudoers configuration is:

/etc/openldap/slapd.conf
include         /usr/share/openldap2.4/schema/sudo.schema
index       sudoUser        eq

/etc/openldap/ldap.conf
sudoers_base   ou=SUDOers,dc=comverse-in,dc=com

 

sudoers.ldif
# SUDOers, comverse-in.com
dn: ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers

dn: cn=defaults,ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
sudoOption: syslog=auth

dn: cn=root,ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoUser: sysadmin
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=%wheel,ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=operator,ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: sudoRole
cn: operator
sudoUser: operator
sudoHost: ALL
sudoCommand: /usr/sbin/dump
sudoCommand: /usr/sbin/rdump
sudoCommand: /usr/sbin/restore
sudoCommand: /usr/sbin/rrestore
sudoCommand: /usr/bin/mt
sudoCommand: /usr/bin/kill
sudoCommand: /usr/sbin/shutdown
sudoCommand: /usr/sbin/halt
sudoCommand: /usr/sbin/reboot
sudoCommand: /usr/sbin/lpc
sudoCommand: /usr/bin/lprm
sudoCommand: sudoedit /etc/printcap
sudoCommand: /usr/oper/bin/

dn: cn=ALL,ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: sudoRole
cn: ALL
sudoUser: ALL
sudoHost: orion
sudoCommand: /sbin/umount /CDROM
sudoCommand: /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
sudoOption: !authenticate

 

 

On client:

/etc/ldap.conf
sudoers_base   ou=SUDOers,dc=comverse-in,dc=com
nss_base_passwd  ou=People,dc=comverse-in,dc=com?one
nss_base_shadow  ou=People,dc=comverse-in,dc=com?one
nss_base_group  ou=Group,dc=comverse-in,dc=com?one

/etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
auth       required     pam_securetty.so
auth   sufficient   pam_ldap.so
auth   required   pam_stack.so service=system-auth
auth   required   pam_nologin.so

account    required     pam_nologin.so
account    include      system-auth
account  sufficient   pam_ldap.so
account  required   pam_stack.so service=system-auth

password   include      system-auth
password  sufficient   pam_ldap.so
password  required   pam_stack.so service=system-auth

# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke
session  sufficient   pam_ldap.so
session  required  pam_stack.so service=system-auth
session  optional  pam_console.so
session  required  /lib/security/pam_limits.so

/etc/nsswitch.conf
passwd:     ldap files
shadow:     ldap files
group:      ldap files

 

Thanks and Regards,

Naga Chaitanya
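
As an added troubleshooting example (not part of the post, and not sudo's own code), the script below encodes the two checks I would run first against the configuration shown above. sudo 1.7, when built with LDAP support, only queries LDAP if /etc/nsswitch.conf carries a `sudoers:` line that names `ldap`; with no such line it reads /etc/sudoers alone, which is consistent with the "not in the sudoers file" message. Separately, a sudoRole only applies when one of its sudoUser values names the caller (directly, as ALL, or as a %group the caller belongs to) and its sudoHost is the client's hostname or ALL. The script is POSIX sh plus awk; the file contents are constructed copies of the posted client nsswitch.conf and two entries of the posted sudoers.ldif, written to a temporary directory, and the hostname `devonly144` is taken from the `sudo -l` output. Whether the binary was built with LDAP support at all is a separate question; `sudo -V` run as root prints more detail than the version line shown. The function names (`nss_sudoers_sources`, `nss_consults_ldap`, `ldif_roles_for_user`, `sudo_ldap_diagnose`) are my own.

```shell
#!/bin/sh
# Added example: offline checks for a sudo-LDAP setup. Inputs below are
# constructed copies of the posted configuration, not the live files.
WORK=$(mktemp -d)

# Client /etc/nsswitch.conf as posted: it has no "sudoers:" line at all.
cat > "$WORK/nsswitch.conf" <<'EOF'
passwd:     ldap files
shadow:     ldap files
group:      ldap files
EOF

# The same file with the line sudo's LDAP backend is documented to look for.
cat > "$WORK/nsswitch.fixed" <<'EOF'
passwd:     ldap files
shadow:     ldap files
group:      ldap files
sudoers:    ldap files
EOF

# Two of the sudoRole entries from the posted sudoers.ldif.
cat > "$WORK/sudoers.ldif" <<'EOF'
dn: cn=root,ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoUser: sysadmin
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=%wheel,ou=SUDOers,dc=comverse-in,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
EOF

# nss_sudoers_sources FILE: print the sources on the "sudoers:" line.
# With no such line sudo falls back to "files", i.e. /etc/sudoers only.
nss_sudoers_sources() {
    src=$(awk '$1 == "sudoers:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1")
    [ -n "$src" ] && printf '%s\n' "$src" || printf 'files\n'
}

# nss_consults_ldap FILE: succeed only if "ldap" is among those sources.
nss_consults_ldap() {
    case " $(nss_sudoers_sources "$1") " in *" ldap "*) return 0 ;; *) return 1 ;; esac
}

# ldif_roles_for_user LDIF USER HOST [GROUP...]: print the cn of every sudoRole
# whose sudoUser names USER, ALL, or %GROUP for a listed group, and whose
# sudoHost is HOST or ALL. Offline stand-in for the live client-side check
#   ldapsearch -x -b "ou=SUDOers,dc=comverse-in,dc=com" "(sudoUser=USER)"
ldif_roles_for_user() {
    ldif=$1; user=$2; host=$3; shift 3
    groups=" $* "
    awk -v user="$user" -v host="$host" -v groups="$groups" '
        BEGIN { RS = ""; FS = "\n" }          # one LDIF entry per record
        {
            cn = ""; role = 0; userok = 0; hostok = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "objectClass: sudoRole") role = 1
                if ($i ~ /^cn: /) cn = substr($i, 5)
                if ($i ~ /^sudoHost: /) { h = substr($i, 11); if (h == host || h == "ALL") hostok = 1 }
                if ($i ~ /^sudoUser: /) {
                    u = substr($i, 11)
                    if (u == user || u == "ALL") userok = 1
                    else if (substr(u, 1, 1) == "%" && index(groups, " " substr(u, 2) " ")) userok = 1
                }
            }
            if (role && userok && hostok && cn != "") print cn
        }' "$ldif"
}

# sudo_ldap_diagnose NSSWITCH LDIF USER HOST [GROUP...]: report, in the order
# sudo evaluates them, why "USER is not in the sudoers file" can come back.
sudo_ldap_diagnose() {
    nss=$1; ldif=$2; user=$3; host=$4; shift 4
    if ! nss_consults_ldap "$nss"; then
        echo "FAIL: sudoers sources are '$(nss_sudoers_sources "$nss")'; add 'sudoers: ldap files' to $nss"
        return 1
    fi
    roles=$(ldif_roles_for_user "$ldif" "$user" "$host" "$@")
    if [ -z "$roles" ]; then
        echo "FAIL: no sudoRole grants $user on $host"
        return 2
    fi
    echo "OK: $user on $host is covered by: $(printf '%s' "$roles" | tr '\n' ' ')"
}

# Demo against the constructed files (return codes ignored here).
sudo_ldap_diagnose "$WORK/nsswitch.conf"  "$WORK/sudoers.ldif" sysadmin devonly144 || :
sudo_ldap_diagnose "$WORK/nsswitch.fixed" "$WORK/sudoers.ldif" sysadmin devonly144 wheel || :
```

Run against the posted nsswitch.conf the first check fails before the LDIF is even consulted; with the `sudoers: ldap files` line added, the cn=root role covers sysadmin on devonly144, and cn=%wheel additionally applies once the caller's groups include wheel. The group list is passed explicitly because the script has no NSS to resolve it; on the client, `id sysadmin` gives the real membership.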

 




