Control: tag -1 unreproducible moreinfo
I tried looking into this, but I can only reproduce this by changing
the line

  sudoers: files ldap

in /etc/nsswitch.conf to

  sudoers: ldap

This makes /etc/sudoers ineffective, but that's not a bug.
On Wed, Jan 27, 2021 at 02:13:21PM +0100, Eric Brun wrote:
> I did an update from 1.8.27-1+deb10u2 to 1.8.27-1+deb10u3,
> so my user nagios, declared in /etc/sudoers, stopped having access.
> I tried to downgrade to 1.8.27-1+deb10u2 but nothing changed.
> I tried on some other servers. When I update this package, the
> nagios user can't do what it could do before.
>
> In the /var/log/auth.log :
>
> pam_unix(sudo:auth): conversation failed
> sudo: pam_unix(sudo:auth): auth could not identify password for [nagios]
> sudo: pam_ldap(sudo:auth): failed to get password: Authentication failure
I must say that what you present here is very strange, esp. that a
downgrade does not restore the previous working state, but you don't
give us very much to work with. If you want us to keep looking into
this you have to give more information.
These error messages indicate that sudo tries to resort to using PAM
to ask for a password, which only works when connected to a terminal.
It would be more helpful to show what happens when you call it
interactively.
> -- Configuration Files:
> /etc/sudoers changed:
> Defaults env_reset
> Defaults mail_badpass
> Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
> root ALL=(ALL:ALL) ALL
> nagios ALL=(ALL) NOPASSWD: /usr/sbin/smartctl,/usr/lib/nagios/plugins/
> %sudo ALL=(ALL:ALL) ALL
This is missing the #includedir entry for /etc/sudoers.d/. Is that
intentional? Why are you using /etc/sudoers with sudo-ldap anyway?
As a fallback mechanism?
Please add the following lines to /etc/sudo-ldap.conf:

  sudoers_debug 2
  debug 13

Then provide us with the output of these commands (the first one must
run as root):

  su -s /bin/sh - nagios -c "sudo /usr/sbin/smartctl" \
    |& grep -v '^\(ber\|ldap_get\|ldap_msgfree\)'
  grep -H sudoers: /etc/nsswitch.conf
  ls -la /etc/sudoers
  grep -H -v '^[[:space:]]*#' /etc/sudo.conf /etc/sudo-ldap.conf
  grep -H nagios /etc/passwd

Compress files larger than 4 kb, please.
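
The nsswitch.conf and #includedir checks discussed in this message, as an added example that is not part of the original e-mail or of sudo: it reads the sudoers: line of an nsswitch.conf-format file and reports whether the local sudoers file is consulted and whether it has an #includedir line. The function names are hypothetical and the sample input at the end is constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): which sudoers sources does nsswitch select?

# Print the sources on the "sudoers:" line, one per line, in lookup order.
# Comments and bracketed criteria such as [NOTFOUND=return] are stripped, not
# evaluated. A missing file or missing line yields sudo's default, "files".
sudoers_sources() {
    line=$(sed -n 's/#.*//; s/^[[:space:]]*sudoers:[[:space:]]*//p' "$1" 2>/dev/null |
           head -n 1 | sed 's/\[[^]]*]//g')
    if [ -z "$(printf '%s' "$line" | tr -d '[:space:]')" ]; then
        echo files
        return 0
    fi
    printf '%s\n' "$line" | tr -s '[:space:]' '\n' | sed '/^$/d'
}

# Succeed if "files" is among the sources, i.e. /etc/sudoers is read at all.
local_sudoers_consulted() {
    sudoers_sources "$1" | grep -qx files
}

# Succeed if the sudoers file pulls in a drop-in directory via #includedir.
has_includedir() {
    grep -q '^#includedir[[:space:]]' "$1"
}

# One-line summary; defaults to the live paths (reading /etc/sudoers needs root).
triage() {
    nss=${1:-/etc/nsswitch.conf}
    sudoers=${2:-/etc/sudoers}
    order=$(sudoers_sources "$nss" | tr '\n' ' ')
    if local_sudoers_consulted "$nss"; then
        msg="local sudoers consulted (order: ${order% })"
    else
        msg="local sudoers IGNORED (order: ${order% })"
    fi
    if has_includedir "$sudoers" 2>/dev/null; then
        echo "$msg; #includedir present"
    else
        echo "$msg; no #includedir"
    fi
}

# Constructed sample: the LDAP-only line that reproduces the symptom.
tmp=$(mktemp)
printf 'sudoers: ldap\n' > "$tmp"
triage "$tmp" /dev/null
rm -f "$tmp"
```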