Hi,
I have configured sudoers in my environment. But when I try to execute a command using sudo, the commands fails to get executed saying "sysadmin is not in the sudoers file. This incident will be reported." . I am using sysadmin account as mentioned in the below sudoers ldif file.
login as: sysadmin sysadmin@10.150.14.144's password: Last login: Mon Aug 29 14:58:50 2011 from 10.150.10.158
Could not chdir to home directory /home/sysadmin: No such file or directory -bash-3.2$ sudo ls [sudo] password for sysadmin: sysadmin is not in the sudoers file. This incident will be reported. -bash-3.2$ sudo -V Sudo version 1.7.2p1 -bash-3.2$ sudo -l [sudo] password for sysadmin: Sorry, user sysadmin may not run sudo on devonly144. -bash-3.2
On Server the sudoers file is /etc/openldap/slapd.conf include /usr/share/openldap2.4/schema/sudo.schema index sudoUser eq
/etc/openldap/ldap.conf sudoers_base ou=SUDOers,dc=comverse-in,dc=com
sudoers.ldif # SUDOers, comverse-in.com dn: ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: organizationalUnit ou: SUDOers
dn: cn=defaults,ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: sudoRole cn: defaults description: Default sudoOption's go here sudoOption: syslog=auth
dn: cn=root,ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: sudoRole cn: root sudoUser: root sudoUser: sysadmin sudoHost: ALL sudoRunAsUser: ALL sudoCommand: ALL
dn: cn=%wheel,ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: sudoRole cn: %wheel sudoUser: %wheel sudoHost: ALL sudoRunAsUser: ALL sudoCommand: ALL
dn: cn=operator,ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: sudoRole cn: operator sudoUser: operator sudoHost: ALL sudoCommand: /usr/sbin/dump sudoCommand: /usr/sbin/rdump sudoCommand: /usr/sbin/restore sudoCommand: /usr/sbin/rrestore sudoCommand: /usr/bin/mt sudoCommand: /usr/bin/kill sudoCommand: /usr/sbin/shutdown sudoCommand: /usr/sbin/halt sudoCommand: /usr/sbin/reboot sudoCommand: /usr/sbin/lpc sudoCommand: /usr/bin/lprm sudoCommand: sudoedit /etc/printcap sudoCommand: /usr/oper/bin/
dn: cn=ALL,ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: sudoRole cn: ALL sudoUser: ALL sudoHost: orion sudoCommand: /sbin/umount /CDROM sudoCommand: /sbin/mount -o nosuid\ sudoCommand: nodev /dev/cd0a /CDROM sudoOption: !authenticate
On client: /etc/ldap.conf sudoers_base ou=SUDOers,dc=comverse-in,dc=com nss_base_passwd ou=People,dc=comverse-in,dc=com?one nss_base_shadow ou=People,dc=comverse-in,dc=com?one nss_base_group ou=Group,dc=comverse-in,dc=com?one
/etc/pam.d/login #%PAM-1.0 auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so auth include system-auth auth required pam_securetty.so auth sufficient pam_ldap.so auth required pam_stack.so service=system-auth auth required pam_nologin.so
account required pam_nologin.so account include system-auth account sufficient pam_ldap.so account required pam_stack.so service=system-auth
password include system-auth password sufficient pam_ldap.so password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule session required pam_selinux.so close session include system-auth session required pam_loginuid.so session optional pam_console.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open session optional pam_keyinit.so force revoke session sufficient pam_ldap.so session required pam_stack.so service=system-auth session optional pam_console.so session required /lib/security/pam_limits.so
/etc/nsswitch.conf passwd: ldap files shadow: ldap files group: ldap files
Thanks and Regards, Naga Chaitanya
=============================================================================== Please refer to http://www.aricent.com/legal/email_disclaimer.html for important disclosures regarding this electronic communication. ===============================================================================
On Monday, 29 August 2011 14:07:39 Naga Chaitanya Palle wrote:
Hi,
I have configured sudoers in my environment.
You may want to provide more detail on the environment (OS/distro, which LDAP- base naming service - e.g. nss_ldap, pam-nss-ldapd etc. you are using).
But when I try to execute a command using sudo, the commands fails to get executed saying "sysadmin is not in the sudoers file. This incident will be reported." . I am using sysadmin account as mentioned in the below sudoers ldif file.
login as: sysadmin sysadmin@10.150.14.144's password: Last login: Mon Aug 29 14:58:50 2011 from 10.150.10.158
Could not chdir to home directory /home/sysadmin: No such file or directory
Maybe you need to add pam_mkhomedir to /etc/pam.d/system-auth ?
-bash-3.2$ sudo ls [sudo] password for sysadmin: sysadmin is not in the sudoers file. This incident will be reported. -bash-3.2$ sudo -V Sudo version 1.7.2p1
It would be more instructive to run 'sudo -V' as root.
-bash-3.2$ sudo -l [sudo] password for sysadmin: Sorry, user sysadmin may not run sudo on devonly144. -bash-3.2
Since some of your sudo rules are group-based, you may want to provide the output of 'id' or 'groups' here.
On Server the sudoers file is /etc/openldap/slapd.conf include /usr/share/openldap2.4/schema/sudo.schema index sudoUser eq
/etc/openldap/ldap.conf sudoers_base ou=SUDOers,dc=comverse-in,dc=com
This is probably the wrong ldap.conf, this should probably be one of /etc/ldap.conf, /etc/nss_ldap.conf, /etc/sudo-ldap.conf, depending on the distribution.
sudoers.ldif # SUDOers, comverse-in.com dn: ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: organizationalUnit ou: SUDOers
dn: cn=defaults,ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: sudoRole cn: defaults description: Default sudoOption's go here sudoOption: syslog=auth
dn: cn=root,ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: sudoRole cn: root sudoUser: root sudoUser: sysadmin sudoHost: ALL sudoRunAsUser: ALL sudoCommand: ALL
dn: cn=%wheel,ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: sudoRole cn: %wheel sudoUser: %wheel sudoHost: ALL sudoRunAsUser: ALL sudoCommand: ALL
dn: cn=operator,ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: sudoRole cn: operator sudoUser: operator sudoHost: ALL sudoCommand: /usr/sbin/dump sudoCommand: /usr/sbin/rdump sudoCommand: /usr/sbin/restore sudoCommand: /usr/sbin/rrestore sudoCommand: /usr/bin/mt sudoCommand: /usr/bin/kill sudoCommand: /usr/sbin/shutdown sudoCommand: /usr/sbin/halt sudoCommand: /usr/sbin/reboot sudoCommand: /usr/sbin/lpc sudoCommand: /usr/bin/lprm sudoCommand: sudoedit /etc/printcap sudoCommand: /usr/oper/bin/
dn: cn=ALL,ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: sudoRole cn: ALL sudoUser: ALL sudoHost: orion sudoCommand: /sbin/umount /CDROM sudoCommand: /sbin/mount -o nosuid\ sudoCommand: nodev /dev/cd0a /CDROM sudoOption: !authenticate
On client: /etc/ldap.conf sudoers_base ou=SUDOers,dc=comverse-in,dc=com nss_base_passwd ou=People,dc=comverse-in,dc=com?one nss_base_shadow ou=People,dc=comverse-in,dc=com?one nss_base_group ou=Group,dc=comverse-in,dc=com?one
Please check that this is the correct configuration file, according to 'sudo - V' output as root.
/etc/pam.d/login #%PAM-1.0 auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so auth include system-auth auth required pam_securetty.so auth sufficient pam_ldap.so auth required pam_stack.so service=system-auth auth required pam_nologin.so
account required pam_nologin.so account include system-auth account sufficient pam_ldap.so account required pam_stack.so service=system-auth
password include system-auth password sufficient pam_ldap.so password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule session required pam_selinux.so close session include system-auth session required pam_loginuid.so session optional pam_console.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open session optional pam_keyinit.so force revoke session sufficient pam_ldap.so session required pam_stack.so service=system-auth session optional pam_console.so session required /lib/security/pam_limits.so
In most environments it is preferable to configure LDAP authentication in a single service file that is referenced by the others, in this case /etc/pam.d/system-auth, rather than the individual service files.
/etc/nsswitch.conf passwd: ldap files shadow: ldap files group: ldap files
In 1.7.x you may need to add:
sudoers: files ldap
or similar to /etc/nsswitch.conf (depending on the sudo build-time configuration, which you can see with 'sudo -V' as root).
Regards, Buchan
Thanks Buchan for your inputs.
I am using openldap-2.4.25 on RHEL5.4. sudo -V as root Sudo version 1.7.2p1 Sudoers path: /etc/sudoers nsswitch path: /etc/nsswitch.conf ldap.conf path: /etc/ldap.conf ldap.secret path: /etc/ldap.secret Authentication methods: 'pam'
I could configure the sudoers and it is working now. The change i did was i removed all the changes made to /etc/pam.d/login file and in /etc/nswitch.conf added the entry sudoer : files ldap
Thanks for your suggestions.
Regards, Naga Chaitanya
________________________________________ From: Buchan Milne [bgmilne@staff.telkomsa.net] Sent: Monday, August 29, 2011 8:14 PM To: openldap-technical@openldap.org Cc: Naga Chaitanya Palle Subject: Re: sudoers: not able to execute commands with sudo
On Monday, 29 August 2011 14:07:39 Naga Chaitanya Palle wrote:
Hi,
I have configured sudoers in my environment.
You may want to provide more detail on the environment (OS/distro, which LDAP- base naming service - e.g. nss_ldap, pam-nss-ldapd etc. you are using).
But when I try to execute a command using sudo, the commands fails to get executed saying "sysadmin is not in the sudoers file. This incident will be reported." . I am using sysadmin account as mentioned in the below sudoers ldif file.
login as: sysadmin sysadmin@10.150.14.144's password: Last login: Mon Aug 29 14:58:50 2011 from 10.150.10.158
Could not chdir to home directory /home/sysadmin: No such file or directory
Maybe you need to add pam_mkhomedir to /etc/pam.d/system-auth ?
-bash-3.2$ sudo ls [sudo] password for sysadmin: sysadmin is not in the sudoers file. This incident will be reported. -bash-3.2$ sudo -V Sudo version 1.7.2p1
It would be more instructive to run 'sudo -V' as root.
-bash-3.2$ sudo -l [sudo] password for sysadmin: Sorry, user sysadmin may not run sudo on devonly144. -bash-3.2
Since some of your sudo rules are group-based, you may want to provide the output of 'id' or 'groups' here.
On Server the sudoers file is /etc/openldap/slapd.conf include /usr/share/openldap2.4/schema/sudo.schema index sudoUser eq
/etc/openldap/ldap.conf sudoers_base ou=SUDOers,dc=comverse-in,dc=com
This is probably the wrong ldap.conf, this should probably be one of /etc/ldap.conf, /etc/nss_ldap.conf, /etc/sudo-ldap.conf, depending on the distribution.
sudoers.ldif # SUDOers, comverse-in.com dn: ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: organizationalUnit ou: SUDOers
dn: cn=defaults,ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: sudoRole cn: defaults description: Default sudoOption's go here sudoOption: syslog=auth
dn: cn=root,ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: sudoRole cn: root sudoUser: root sudoUser: sysadmin sudoHost: ALL sudoRunAsUser: ALL sudoCommand: ALL
dn: cn=%wheel,ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: sudoRole cn: %wheel sudoUser: %wheel sudoHost: ALL sudoRunAsUser: ALL sudoCommand: ALL
dn: cn=operator,ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: sudoRole cn: operator sudoUser: operator sudoHost: ALL sudoCommand: /usr/sbin/dump sudoCommand: /usr/sbin/rdump sudoCommand: /usr/sbin/restore sudoCommand: /usr/sbin/rrestore sudoCommand: /usr/bin/mt sudoCommand: /usr/bin/kill sudoCommand: /usr/sbin/shutdown sudoCommand: /usr/sbin/halt sudoCommand: /usr/sbin/reboot sudoCommand: /usr/sbin/lpc sudoCommand: /usr/bin/lprm sudoCommand: sudoedit /etc/printcap sudoCommand: /usr/oper/bin/
dn: cn=ALL,ou=SUDOers,dc=comverse-in,dc=com objectClass: top objectClass: sudoRole cn: ALL sudoUser: ALL sudoHost: orion sudoCommand: /sbin/umount /CDROM sudoCommand: /sbin/mount -o nosuid\ sudoCommand: nodev /dev/cd0a /CDROM sudoOption: !authenticate
On client: /etc/ldap.conf sudoers_base ou=SUDOers,dc=comverse-in,dc=com nss_base_passwd ou=People,dc=comverse-in,dc=com?one nss_base_shadow ou=People,dc=comverse-in,dc=com?one nss_base_group ou=Group,dc=comverse-in,dc=com?one
Please check that this is the correct configuration file, according to 'sudo - V' output as root.
/etc/pam.d/login #%PAM-1.0 auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so auth include system-auth auth required pam_securetty.so auth sufficient pam_ldap.so auth required pam_stack.so service=system-auth auth required pam_nologin.so
account required pam_nologin.so account include system-auth account sufficient pam_ldap.so account required pam_stack.so service=system-auth
password include system-auth password sufficient pam_ldap.so password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule session required pam_selinux.so close session include system-auth session required pam_loginuid.so session optional pam_console.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open session optional pam_keyinit.so force revoke session sufficient pam_ldap.so session required pam_stack.so service=system-auth session optional pam_console.so session required /lib/security/pam_limits.so
In most environments it is preferable to configure LDAP authentication in a single service file that is referenced by the others, in this case /etc/pam.d/system-auth, rather than the individual service files.
/etc/nsswitch.conf passwd: ldap files shadow: ldap files group: ldap files
In 1.7.x you may need to add:
sudoers: files ldap
or similar to /etc/nsswitch.conf (depending on the sudo build-time configuration, which you can see with 'sudo -V' as root).
Regards, Buchan
=============================================================================== Please refer to http://www.aricent.com/legal/email_disclaimer.html for important disclosures regarding this electronic communication. ===============================================================================
Hi
On 08/29/2011 04:07 PM, Naga Chaitanya Palle wrote:
Could not chdir to home directory /home/sysadmin: No such file or directory
pam_mkhomedir? :)
On *client*:
*/etc/ldap.conf*
sudoers_base ou=SUDOers,dc=comverse-in,dc=com
nss_base_passwd ou=People,dc=comverse-in,dc=com?one
nss_base_shadow ou=People,dc=comverse-in,dc=com?one
nss_base_group ou=Group,dc=comverse-in,dc=com?one
I suppose all this tests on client side.
At first make sure you can get data from ldap server (use ldapsearch and get it manually). If this ok,
try this $ echo "sudoers_debug 2" >> /etc/ldap.conf $ sudo -l
and this $ ln -s /etc/ldap.conf /etc/nss_ldap.conf $ strace sudo -l
also, you can debug ldap connectivity $ echo "debug 257" >> /etc/ldap.conf $ sudo -l
WBR
openldap-technical@openldap.org
-
Buchan Milne -
Dmitriy Kirhlarov -
Naga Chaitanya Palle