Re: [Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-09-24 Thread Nathan Stratton Treadway
On Wed, Sep 22, 2010 at 22:26:31 -, greenmoss wrote:
> My bug 509734 was marked as a duplicate of this one. This was a special
> case using the atd job scheduler. At jobs launched by ldap users worked,
> but at jobs launched by root did *not* work. atd was doing a group
> lookup, and nss was dropping privileges, thus breaking root-launched at

Yeah, I found this behavior on my test machine (where I'm
running Lucid), too.

Based on the discussion earlier in this bug (423252), I did some
testing of the behavior of atd with various combinations of
libpam/nss-ldap, nscd, and libpam/nss-ldapd.

As greenmoss found, when I was running with libpam/nss-ldap and
no nscd (and didn't have any of the users in question listed in
the ignoreusers line), my at commands worked for LDAP users
but not for ones defined in /etc/passwd.  (When an LDAP user
attempted to run an at command, the following syslog message
would appear:
  atd[PID]: Cannot delete saved userids: Operation not permitted

However, I found that when nscd was running... the situation was
reversed: at commands did work for LDAP-defined users, but not
for /etc/passwd-defined ones (and attempts to use at as one of
those users would cause the same error message as above to show
up in the syslog).


When I had libpam/nss-ldapd installed (with or without nscd),
the at command worked fine for both types of users.


> jobs. To work around this, I added the following line to my
> /etc/ldap.conf:
>
> nss_initgroups_ignoreusers  users
>
> where users is the list of local non-ldap users, particularly root!

In the libpam/nss-ldap, no nscd case, this also worked in my
tests; listing the /etc/passwd-defined user in the ignoreusers
line did allow at to work for that user (and it continued to
work for the LDAP-defined user as well).

Interestingly, this change did NOT help in the libpam/nss-ldap,
with nscd case -- even with the LDAP username listed in the
ignoreusers line, when I tried to run at as the LDAP-defined
user, the command still failed and atd still generated the
same syslog error message.

(libpam/nss-ldapd does not reference the /etc/ldapd.conf file,
so the ignoreusers line doesn't affect that test case.)


[For what it's worth, I tested cron using those same
combinations of NSS/PAM resolution libraries but didn't find any
situation where it failed...]


Nathan

-- 
NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, 
and atd
https://bugs.launchpad.net/bugs/423252
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in ubuntu.

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs

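Every report in this thread ends the same way: the setuid program (su, sudo, atd, suexec) resolves the user through NSS and then fails its next setgid()/initgroups() with "Operation not permitted", and greenmoss's diagnosis quoted above is that the NSS module dropped privileges during the group lookup. The diagnostic below is an added example, not code from the bug thread, nss_ldap or nss-pam-ldapd: it snapshots the process credentials around the same getpwnam()/getgrouplist() calls a setuid program makes and reports whether they changed; the program name nsscheck is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Prototypes repeated so the block also compiles under strict -std= flags. */
int getgrouplist(const char *user, gid_t group, gid_t *groups, int *ngroups);
int initgroups(const char *user, gid_t group);

#define MAX_GROUPS 256

/* What a setuid program relies on after authentication: its real and
 * effective ids and its supplementary group list. */
struct cred_snapshot {
    uid_t ruid, euid;
    gid_t rgid, egid;
    int ngroups;
    gid_t groups[MAX_GROUPS];
};

/* Record the calling process's credentials. Returns 0 on success, -1 if the
 * kernel refused (e.g. more than MAX_GROUPS supplementary groups). */
int cred_snapshot_take(struct cred_snapshot *s)
{
    s->ruid = getuid();
    s->euid = geteuid();
    s->rgid = getgid();
    s->egid = getegid();
    s->ngroups = getgroups(MAX_GROUPS, s->groups);
    return s->ngroups < 0 ? -1 : 0;
}

/* Returns 1 when two snapshots are identical, 0 otherwise. */
int cred_snapshot_equal(const struct cred_snapshot *a,
                        const struct cred_snapshot *b)
{
    return a->ruid == b->ruid && a->euid == b->euid &&
           a->rgid == b->rgid && a->egid == b->egid &&
           a->ngroups == b->ngroups &&
           memcmp(a->groups, b->groups,
                  (size_t)a->ngroups * sizeof(gid_t)) == 0;
}

/* Perform the NSS lookups su, sudo, atd and suexec make for `user` (passwd
 * entry, then the group enumeration behind initgroups()) and report whether
 * the process credentials survived them. Returns 1 if unchanged, 0 if an NSS
 * module altered them (the behaviour this bug is about), -1 on error.
 * `*found` is set to 1 when the user resolved through NSS, else 0. */
int nss_lookup_preserves_creds(const char *user, int *found)
{
    struct cred_snapshot before, after;
    struct passwd *pw;
    gid_t glist[MAX_GROUPS];
    int ng = MAX_GROUPS;

    if (cred_snapshot_take(&before) != 0)
        return -1;
    pw = getpwnam(user);             /* passwd lookup via NSS (files, ldap, ...) */
    *found = (pw != NULL);
    if (pw)
        getgrouplist(user, pw->pw_gid, glist, &ng);  /* same path initgroups() walks */
    if (cred_snapshot_take(&after) != 0)
        return -1;
    return cred_snapshot_equal(&before, &after);
}

/* Stand-alone use: ./nsscheck <user>. Run as root on an affected host to see
 * whether the lookup itself changes credentials; with euid 0 it also tries
 * the initgroups() call that fails with EPERM in this thread. */
int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    int found = 0;
    int ok = nss_lookup_preserves_creds(user, &found);

    printf("%s: %s; credentials %s across the NSS lookup\n", user,
           found ? "resolved" : "not found",
           ok == 1 ? "unchanged" : ok == 0 ? "CHANGED" : "could not be read");
    if (ok == 0)
        printf("an NSS module dropped privileges during the lookup; "
               "setuid callers will fail their next setgid()/initgroups()\n");
    if (geteuid() == 0 && found) {
        struct passwd *pw = getpwnam(user);
        if (initgroups(user, pw->pw_gid) != 0)
            printf("initgroups(%s): %s\n", user, strerror(errno));
        else
            printf("initgroups(%s): ok\n", user);
    }
    return ok == 1 ? 0 : 1;
}
```

Run it once with nscd stopped and once with nscd running, as Nathan did for atd, since a caching daemon changes which process actually loads the NSS module.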

Re: [Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-09-24 Thread Nathan Stratton Treadway
On Fri, Sep 24, 2010 at 16:46:25 -, Nathan Stratton Treadway wrote:
> As greenmoss found, when I was running with libpam/nss-ldap and
> no nscd (and didn't have any of the users in question listed in
> the ignoreusers line), my at commands worked for LDAP users
> but not for ones defined in /etc/passwd.  (When an LDAP user
> attempted to run an at command, the following syslog message
> would appear:
>   atd[PID]: Cannot delete saved userids: Operation not permitted
>
> However, I found that when nscd was running... the situation was
> reversed: at commands did work for LDAP-defined users, but not
> for /etc/passwd-defined ones (and attempts to use at as one of
> those users would cause the same error message as above to show
> up in the syslog).

I'm sorry, I seem to have managed to jumble the succeeded/failed
statuses given in those two paragraphs...


Hopefully the following table is more clear:

without nscd:
  passwd user: failed (and Cannot delete syslog message appeared)
  LDAP user: succeeded

with nscd running (and after restarting the atd service):
  passwd user: succeeded
  LDAP user: failed (with same Cannot delete syslog message)


Nathan


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-09-22 Thread greenmoss
My bug 509734 was marked as a duplicate of this one. This was a special
case using the atd job scheduler. At jobs launched by ldap users worked,
but at jobs launched by root did *not* work. atd was doing a group
lookup, and nss was dropping privileges, thus breaking root-launched at
jobs. To work around this, I added the following line to my
/etc/ldap.conf:

nss_initgroups_ignoreusers  users

where users is the list of local non-ldap users, particularly root!
There is a script that is part of nss-ldap that does this for you:

/usr/sbin/nssldap-update-ignoreusers

Atd is finally working for me now.


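The workaround above hinges on the nss_initgroups_ignoreusers list naming every local account, root included; the thread mentions /usr/sbin/nssldap-update-ignoreusers for generating it. As an added example (not code from the thread, from nss_ldap, or from that script), the block below builds the line from passwd-format text and, more usefully for an existing install, counts the local users an already-configured line leaves uncovered. The passwd entries are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of /etc/passwd, not taken from any real host. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
    "sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin\n";

/* Step through passwd(5) text one entry at a time, yielding the login name
 * (first field) of the next non-empty, non-comment line. Returns 0 when no
 * entries remain. */
static int next_passwd_name(const char **cursor, const char **name, size_t *len)
{
    const char *line = *cursor;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        const char *colon = memchr(line, ':', linelen);
        size_t namelen = colon ? (size_t)(colon - line) : linelen;
        const char *next = eol ? eol + 1 : line + linelen;
        if (namelen > 0 && line[0] != '#') {
            *name = line;
            *len = namelen;
            *cursor = next;
            return 1;
        }
        line = next;
    }
    *cursor = line;
    return 0;
}

/* Write "nss_initgroups_ignoreusers a,b,c" covering every local user into
 * `out`. Returns the number of users listed, or -1 if `out` is too small. */
int build_ignoreusers_line(const char *passwd_text, char *out, size_t outlen)
{
    static const char keyword[] = "nss_initgroups_ignoreusers ";
    const char *cursor = passwd_text, *name;
    size_t len, used = sizeof keyword - 1;
    int count = 0;

    if (used >= outlen)
        return -1;
    memcpy(out, keyword, used);
    while (next_passwd_name(&cursor, &name, &len)) {
        if (used + (count ? 1 : 0) + len >= outlen)
            return -1;
        if (count)
            out[used++] = ',';
        memcpy(out + used, name, len);
        used += len;
        count++;
    }
    out[used] = '\0';
    return count;
}

/* Returns 1 if `user` is one of the comma-separated names on an
 * nss_initgroups_ignoreusers line, 0 otherwise. */
int ignoreusers_covers(const char *line, const char *user)
{
    static const char keyword[] = "nss_initgroups_ignoreusers";
    const char *p = strstr(line, keyword);
    size_t ulen = strlen(user);

    if (!p)
        return 0;
    p += sizeof keyword - 1;
    while (*p == ' ' || *p == '\t')
        p++;
    while (*p) {
        size_t n = strcspn(p, ", \t\n");
        if (n == ulen && memcmp(p, user, n) == 0)
            return 1;
        p += n;
        if (*p != ',')
            break;
        p++;
    }
    return 0;
}

/* Count local users from `passwd_text` that `line` does not list. A result
 * above 0 means the workaround is incomplete for this host. */
int count_missing_ignoreusers(const char *passwd_text, const char *line)
{
    const char *cursor = passwd_text, *name;
    size_t len;
    char user[256];
    int missing = 0;

    while (next_passwd_name(&cursor, &name, &len)) {
        if (len >= sizeof user)
            continue;
        memcpy(user, name, len);
        user[len] = '\0';
        if (!ignoreusers_covers(line, user))
            missing++;
    }
    return missing;
}

int main(void)
{
    char line[1024];
    const char *partial = "nss_initgroups_ignoreusers daemon,sshd";
    int n = build_ignoreusers_line(SAMPLE_PASSWD, line, sizeof line);

    printf("%d local users -> %s\n", n, line);
    printf("existing line \"%s\" leaves %d local user(s) uncovered\n",
           partial, count_missing_ignoreusers(SAMPLE_PASSWD, partial));
    return 0;
}
```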

[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-09-13 Thread skulda
We had the same problem over here - upgrading from Debian Lenny to Testing...
The problem is caused by a change in the configuration files, which have 
apparently changed in the different versions of openldap. Reinstall ldap to get 
the original configuration files. /etc/ldap.conf seems to be the new location 
for the ldap configuration.

The steps in detail:
apt-get install --reinstall *all ldap-related packages *
When asked if you want to update /etc/pam.d/common-*, say YES
copy /etc/libnss-ldap.conf or /etc/pam_ldap.conf to /etc/ldap.conf
run getent passwd

All the best, skulda


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-08-28 Thread Arthur de Jong
Regarding the pam_check_host_attr and pam_check_service_attr options of
pam_ldap, nslcd has a pam_authz_search option that can replace
functionality of those options (and much more). This option has been in
nss-pam-ldapd since version 0.7.4.

Any other feature requests (and bug reports) are very much welcome on
the nss-pam-ldapd-users mailing list.

Regarding the previous comment, could you file a bug report on the
nss-pam-ldapd package if you think the problem is there? From the log it
shows that only three lookups for the user user333 came in. No
authentication requests were done for that user (at least not through
nslcd).


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-08-19 Thread bl8n8r
nslcd is a fail on lucid for me.  Trying to start from upstart fails.
Running it by hand in debug mode works but when trying to su from one
LDAP user to another it again fails:

# service nslcd start
 * Starting LDAP connection daemon nslcd  nslcd: unable to daemonize: No such device
 
Seems to work in debug mode
# /usr/sbin/nslcd -d
nslcd: DEBUG: add_uri(ldaps://10.xx.xx.xx)
nslcd: DEBUG: add_uri(ldaps://10.xx.xx.xxx)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,0)
nslcd: version 0.7.2 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(126) done
nslcd: DEBUG: setuid(117) done
nslcd: accepting connections


When I try to su to another user however, more fail:
[2]# sudo -u nslcd  nslcd -d
nslcd: DEBUG: add_uri(ldaps://10.12.51.165)
nslcd: DEBUG: add_uri(ldaps://10.14.13.250)
nslcd: DEBUG: ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT,0)
nslcd: version 0.7.2 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file or directory
nslcd: cannot setgroups(0,NULL) (ignored): Operation not permitted
nslcd: DEBUG: setgid(126) done
nslcd: DEBUG: setuid(117) done
nslcd: accepting connections
nslcd: [8b4567] DEBUG: connection from pid=13359 uid=0 gid=1000
nslcd: [8b4567] DEBUG: nslcd_passwd_byname(user333)
nslcd: [8b4567] DEBUG: myldap_search(base=ou=HDA,ou=DC,o=FMW, filter=(&(objectClass=posixAccount)(uid=user333)))
nslcd: [8b4567] DEBUG: ldap_initialize(ldaps://10.12.51.165)
nslcd: [8b4567] DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [8b4567] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri=ldaps://10.12.51.165)
nslcd: [8b4567] connected to LDAP server ldaps://10.12.51.165
nslcd: [8b4567] DEBUG: ldap_result(): end of results
nslcd: [7b23c6] DEBUG: connection from pid=13359 uid=0 gid=1000
nslcd: [7b23c6] DEBUG: nslcd_passwd_byname(user333)
nslcd: [7b23c6] DEBUG: myldap_search(base=ou=HDA,ou=DC,o=FMW, filter=(&(objectClass=posixAccount)(uid=user333)))
nslcd: [7b23c6] DEBUG: ldap_initialize(ldaps://10.12.51.165)
nslcd: [7b23c6] DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [7b23c6] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri=ldaps://10.12.51.165)
nslcd: [7b23c6] connected to LDAP server ldaps://10.12.51.165
nslcd: [7b23c6] DEBUG: ldap_result(): end of results
nslcd: [3c9869] DEBUG: connection from pid=13359 uid=1000 gid=1000
nslcd: [3c9869] DEBUG: nslcd_passwd_byname(user333)
nslcd: [3c9869] DEBUG: myldap_search(base=ou=HDA,ou=DC,o=FMW, filter=(&(objectClass=posixAccount)(uid=user333)))
nslcd: [3c9869] DEBUG: ldap_initialize(ldaps://10.12.51.165)
nslcd: [3c9869] DEBUG: ldap_set_rebind_proc()
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [3c9869] DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [3c9869] DEBUG: ldap_simple_bind_s(NULL,NULL) (uri=ldaps://10.12.51.165)
nslcd: [3c9869] connected to LDAP server ldaps://10.12.51.165
nslcd: [3c9869] DEBUG: ldap_result(): end of results

^^ output of the command below:
$ su - user333
Password: 
setgid: Operation not permitted


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-08-06 Thread Luis Mondesi
Same here (like comment #92). I can su to any local user not just root.
Trying to su to any LDAP user results in 'su[***]: initgroups failed for
user `atest': Operation not permitted'


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-07-22 Thread James Andrewartha
Googlebait: This also breaks apache2 suexec, as initgroups() fails,
resulting in the error "failed to setgid".


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-07-07 Thread Michael Kiefer
I have the same symptoms on Lucid:
With nscd I can at least su to root but not to any other LDAP user.


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-06-29 Thread Brian LaMere
I was a bit disheartened to see this is an actual bug - be it because of
X package or not, of the two workstations at my desk, the fedora13 box
has no problems (and uses nscd) and the ubuntu one does.

Reading here, I saw the libnss-ldapd suggestion, tried it, worked fine.
Regarding Hark's comment about pam_check_host_attr and
pam_check_service_attr (comment #87), I would bet you could solve that
another way.  The solution I already had in place for another reason
entirely was as follows, and works just fine for host-based
restrictions:

1) create a group in ldap for the host, hostgrp, and put the users you
   want in that group.
2) use pam_succeed_if.so to restrict to the group you want.
   In common-auth, before pam_ldap.so, put:
   auth    requisite    pam_succeed_if.so user ingroup hostgrp quiet_success

This will cause pam to only allow someone in group hostgrp to log in.
Remove them from hostgrp, they can't log in.  That's what you're wanting
that nslcd/libnss-ldapd isn't allowing, right?  Well, PAM has been
around longer than nscd/nslcd anyway ;)

BTW, in case it isn't obvious, pam_succeed_if statements can be stacked
- the chain goes one to the next, same as when you're using one mod then
another.



[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-05-07 Thread Lawren Quigley-Jones
My experience with libnss-ldap is that nscd allows sudo but not su.
Also the GUI authentication doesn't work.


I just got around to testing libnss-ldapd and I can verify that both sudo and su work there.

Ubuntu's GUI authentication process does not work though.  When you try
to perform a privileged action like adding a printer it opens the
Authentication dialogue and asks for a password.  When you enter an
ldap password it returns "bad password" and the entire printer config
system freezes.  The following errors are from auth.log:

May  7 11:53:11 engine cupsd: pam_unix(cups:auth): check pass; user unknown
May  7 11:53:11 engine cupsd: pam_unix(cups:auth): authentication failure; logname= uid=0 euid=0 tty=cups ruser= rhost=localhost 
May  7 11:53:11 engine cupsd: pam_unix(cups:account): could not identify user (from getpwnam(lquigley))



[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-05-07 Thread Lawren Quigley-Jones
I'm sorry, my previous comment didn't hold up to scrutiny.  A reboot
seems to have gotten rid of those errors.

The GUI authentication dialogue is asking for the root password rather
than the password of the logged in user.  Does anyone know if this is
the intended behavior?


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-05-05 Thread Jeffrey Kois
Also confirming that installing nscd was successful as a workaround for
me. Also worth noting that my symptoms of this issue matched those
explained above. This is on a fresh 10.04 install.


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-05-03 Thread Hark
For me both workarounds in the release notes aren't very usable, unfortunately. 
I can't use libnss-ldapd as the pam_check_host_attr and pam_check_service_attr 
options in libnss-ldap are essential for me, but as Ian Gordon wrote 
libnss-ldapd doesn't support these.
The other solution (nscd) is usable, but only as long as nscd doesn't crash. 
The past told us nscd isn't the most stable daemon in the world unfortunately.


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-05-01 Thread Brian Murray
** Tags added: patch


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-04-30 Thread Ian Gordon
This bug also affects new installations.

Installing nscd does not fully fix the problem as it leaves su unable to
su from an ldap user to another ldap user and a local user unable to su
to an ldap user. Error is setgid: Operation not permitted

libpam-ldapd/libnss-ldapd does not support all the features that libpam-
ldap/libnss-ldap does. Primarily all the pam_* configuration options are
not supported leaving you unable to support limiting authentication to
subsets of user on subsets of computers.


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-04-30 Thread Howard Chu
That's unfortunate, I didn't realize libpam-ldapd was so incomplete. You
can still use nssov for full pam support.

Your best option for an immediate fix is still the libgcrypt patch I
posted. Without that basically all Karmic and Lucid nss-ldap+SSL
installations are dead in the water. As a longer term step, the design
of libgcrypt and gnutls needs revisiting. Midterm, migrate everyone to
nssov.


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-04-30 Thread Rune Philosof
Could you provide a link to explanation of what nssov is and maybe how
to use it?


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-04-30 Thread Howard Chu
http://www.openldap.org/devel/cvsweb.cgi/~checkout~/contrib/slapd-modules/nssov/README?rev=1.11

It's an overlay for OpenLDAP slapd which implements all of the nss and
pam calls, replacing Arthur deJong's nslcd.


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-04-29 Thread Loïc Minier
Updated text with:

== NSS resolution breaks with LDAP over SSL in Ubuntu Server ==

Upgrading systems configured to use LDAP via SSL as the first service in
the NSS stack (in /etc/nsswitch.conf) leads to broken NSS resolution
afterwards such that `setuid` applications like `sudo` would stop
working.  To work around this, switch to the libnss-ldapd package
instead of libnss-ldap before the upgrade, or use nscd. (Bug:423252)


** Changed in: ubuntu-release-notes
   Status: Confirmed => Fix Released


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-04-29 Thread Rune Philosof
This bug was introduced in karmic, so upgrades from karmic to lucid shouldn't be
affected.
But for instance all upgrades from the last LTS release (not only Ubuntu Server)
will get affected.

** Changed in: ubuntu-release-notes
   Status: Fix Released => Confirmed


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-04-29 Thread Steve Langasek
I don't see that this requires any changes to the release notes text,
though.

** Changed in: ubuntu-release-notes
   Status: Confirmed => Fix Released


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-04-29 Thread Ansgar Burchardt
** Bug watch added: Debian Bug tracker #566351
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566351

** Also affects: libgcrypt11 (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566351
   Importance: Unknown
   Status: Unknown


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-04-29 Thread Bug Watch Updater
** Changed in: libgcrypt11 (Debian)
   Status: Unknown => Confirmed


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-04-28 Thread Loïc Minier
Added this text to the release notes:

== NSS resolution breaks with LDAP over SSL in Ubuntu Server ==

Upgrading systems configured to use LDAP via SSL as the first service in
the NSS stack (in /etc/nsswitch.conf) leads to broken NSS resolution
afterwards such that applications like sudo would stop working.  A
workaround is to configure the ldap service to be used after the
compat service in /etc/nsswitch.conf before the upgrade is started.
(Bug:423252)


Please reopen if the text needs fixing to mention nscd instead.

** Changed in: ubuntu-release-notes
   Status: Confirmed => Fix Released


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-04-28 Thread Mathias Gug
Please use the Release note from the description instead of the one in
comment 66.

** Changed in: ubuntu-release-notes
   Status: Fix Released => Confirmed


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-04-28 Thread Brian Murray
** Tags added: regression-release

** Changed in: libgcrypt11 (Ubuntu Lucid)
Milestone: None => lucid-updates


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-04-27 Thread Mathias Gug
** Summary changed:

- NSS using LDAP on Karmic breaks 'su' and 'sudo'
+ NSS using LDAP+SSL breaks setuid applications like su and sudo


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-04-27 Thread Mathias Gug
** Description changed:

  On Karmic (alpha 4 plus updates), changing the nsswitch.conf 'passwd'
  field to anything with 'ldap' as the first item breaks the ability to
  become root using 'su' and 'sudo' as anyone but root.
  
  Default nsswitch.conf:
  
  passwd: compat
  group:  compat
  shadow: compat
  
  m...@box:~$ sudo uname -a
- [sudo] password for matt: 
+ [sudo] password for matt:
  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 
GNU/Linux
  
  m...@box:~$ su -
- Password: 
+ Password:
  r...@box:~#
  
  Modified nsswitch.conf with 'ldap' before 'compat':
  
  passwd: ldap compat
  group:  ldap compat
  shadow: ldap compat
  
  m...@box:~$ sudo uname -a
  sudo: setreuid(ROOT_UID, user_uid): Operation not permitted
  
  m...@box:~$ su -
- Password: 
+ Password:
  setgid: Operation not permitted
  
  Modified nsswitch.conf with 'ldap' after 'compat':
  
  passwd: compat ldap
  group:  compat ldap
  shadow: compat ldap
  
  m...@box:~$ sudo uname -a
- [sudo] password for matt: 
+ [sudo] password for matt:
  Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC 2009 x86_64 
GNU/Linux
  
  m...@box:~$ su -
- Password: 
+ Password:
  r...@box:~#
  
  The same arrangements in nsswitch.conf work as expected in Jaunty and
  earlier releases.
+ 
+ Lucid Release Note:
+ 
+ == NSS via LDAP+SSL breaks setuid applications like sudo ==
+ 
+ Upgrading systems configured to use ldap over ssl as the first service
+ in the nss stack (in nsswitch.conf) leads to a broken nss resolution for
+ setuid applications after the upgrade to Lucid (for example sudo would
+ stop working). There isn't any simple workaround for now. One option is
+ to switch to libnss-ldapd in place of libnss-ldap before the upgrade.
+ Another one consists in using nscd before the upgrade.

** Changed in: ubuntu-release-notes
   Status: New => Confirmed
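The nsswitch.conf layouts in the description above, together with the release-note advice to list compat before ldap, as an added audit script that is not part of this thread or of any Ubuntu package: it parses an nsswitch.conf, reports the passwd/group/shadow databases where ldap is listed ahead of every local source (the layout that produces the setreuid/setgid failures shown), and emits the reordered file. The sample file content is constructed; prepending compat when a database names no local source at all is a choice made here following the release note, not something the bug thread prescribes.

```python
"""Audit /etc/nsswitch.conf for 'ldap' ahead of local sources (added example)."""
import re

DATABASES = ("passwd", "group", "shadow")
LOCAL_SOURCES = ("compat", "files")

# Constructed sample in the layout the bug description calls broken.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:         ldap compat
group:          ldap compat
shadow:         ldap compat
hosts:          files dns
networks:       files
"""

_DB_LINE = re.compile(r"^(\s*)(passwd|group|shadow)(\s*:\s*)(.*)$")


def _entries(tokens):
    """Group each source with the [action] tokens that follow it, e.g. ldap [NOTFOUND=return]."""
    entries = []
    for tok in tokens:
        if tok.startswith("[") and entries:
            entries[-1][1].append(tok)
        else:
            entries.append((tok, []))
    return entries


def parse_nsswitch(text):
    """Return {database: [source, ...]} in file order, ignoring comments and action tokens."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        dbs[name.strip()] = [src for src, _acts in _entries(rest.split())]
    return dbs


def ldap_first_databases(dbs):
    """Databases (among passwd/group/shadow) where ldap precedes every local source."""
    bad = []
    for db in DATABASES:
        sources = dbs.get(db, [])
        if "ldap" not in sources:
            continue
        local_positions = [i for i, s in enumerate(sources) if s in LOCAL_SOURCES]
        if not local_positions or sources.index("ldap") < min(local_positions):
            bad.append(db)
    return bad


def reorder(text):
    """Rewrite passwd/group/shadow so local sources come first; leave every other line as is."""
    out = []
    for raw in text.splitlines():
        m = _DB_LINE.match(raw)
        if not m:
            out.append(raw)
            continue
        indent, db, sep, rest = m.groups()
        body, hash_, comment = rest.partition("#")
        entries = _entries(body.split())
        local = [e for e in entries if e[0] in LOCAL_SOURCES]
        others = [e for e in entries if e[0] not in LOCAL_SOURCES]
        if not local and any(src == "ldap" for src, _ in others):
            local = [("compat", [])]   # assumption: fall back to the default compat source
        tokens = [t for src, acts in local + others for t in (src, *acts)]
        line = f"{indent}{db}{sep}{' '.join(tokens)}"
        if hash_:
            line += f" #{comment}"
        out.append(line)
    return "\n".join(out) + "\n"


def audit(text):
    """Findings before and after reordering, plus the rewritten file text."""
    before = ldap_first_databases(parse_nsswitch(text))
    fixed = reorder(text)
    after = ldap_first_databases(parse_nsswitch(fixed))
    return {"ldap_first": before, "fixed": fixed, "still_ldap_first": after}


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/nsswitch.conf"
    with open(path) as fh:
        result = audit(fh.read())
    if result["ldap_first"]:
        print("ldap listed before local sources in:", ", ".join(result["ldap_first"]))
        print("suggested file:\n" + result["fixed"], end="")
    else:
        print("no database lists ldap ahead of compat/files")
```

Run it against a copy of the file before an upgrade; a clean report means the layout matches the 'compat ldap' case that the description shows working, while a non-empty list names the databases that put ldap first.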


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su and sudo

2010-04-27 Thread wire_transfer
The nscd workaround does work for me under Lucid.  
I haven't had a problem using nscd under 9.10 either, though my systems have 
very light traffic.

