[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd

2012-04-03 Thread cdmiller
Re #120 (adam-stokes)

The best workable solution for me would be working official packages for
Lucid and Pangolin.  Working LDAP authn/z over TLS is baseline
functionality for us (servers and academic computer labs).

I've had no problems with the patch from #73 thus far on our Lucid
servers.  Most traffic is Apache php/suexec.  Day to day use is sudo/su
for sysadmins.  Have not noticed any side effects.  We've been running
this way since 2011-04-11.

Currently planning to test nutznbotz #113 gnutls using nettle and
adejong #119 nss-pam-ldapd, but not until summer when we test Pangolin
for production.

Thanks Canonical folks and patch contributors for all the great work on
this.

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to libnss-ldap in Ubuntu.
https://bugs.launchpad.net/bugs/423252

Title:
  NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2
  suexec, and atd

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-release-notes/+bug/423252/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs


[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd

2011-10-04 Thread cdmiller
Just a follow-up to #106.  We have been running with the libgcrypt11
patch from #73 with a couple thousand openldap and AD users using
Apache2/phpsuexec on Lucid 10.04.2 64 bit for months now with no
troubles.



[Bug 423252] Re: NSS using LDAP+SSL breaks setuid applications like su, sudo, apache2 suexec, and atd

2011-03-24 Thread cdmiller
I just tried Howard's patch from #73 this morning, using the
libgcrypt11_1.4.4-5ubuntu2_amd64.deb source files to roll a new
libgcrypt11 package.  I can now su to root from accounts not in the
local password file database; before, I could not.  That was on a Lucid
10.04.2 LTS VM.  Next week sometime we might be able to test
Apache2/phpsuexec for a larger base of user accounts.



[Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

2010-03-31 Thread cdmiller
Finally got a chance to revisit this after post #29 above.  For that
server's config I still had a local /etc/passwd entry for the affected
account and so was not triggering the described su and sudo symptoms.

On Karmic with:
libnss-ldap 261-2.1ubuntu4 
sudo 1.7.0-1ubuntu2.1
login 1:4.1.4.1-1ubuntu2

Without an /etc/passwd entry and an otherwise working libnss-ldap setup
sudo returns

sudo: setreuid(ROOT_UID, user_uid): Operation not permitted

and su fails with

su: Authentication failure

Tests:
With libnss-ldap, su and sudo fail.
With nscd and libnss-ldap, su and sudo work.
With libnss-ldapd, with or without nscd, su and sudo work.
As root, getent returns passwd entries correctly for all the above cases.

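
The last message notes that a leftover local /etc/passwd entry hid the su and sudo failure, and that getent works as root. The script below is an added example, not part of the thread or of any package discussed in it: it compares a passwd file with a saved LDAP listing to show which accounts resolve only through LDAP and which are masked by a local entry. The function names, the sample accounts, and the use of `getent -s ldap passwd` (an NSS service named "ldap") to produce the listing are assumptions.

```shell
#!/bin/sh
# Usage: sh classify.sh /etc/passwd ldap.dump
#   ldap.dump = output of `getent -s ldap passwd` saved as root
#   (assumption: the NSS service is named "ldap" in nsswitch.conf).
# Prints "<account> <status>", sorted by account name:
#   ldap-only    no local entry: the configuration in which su/sudo failed
#   masked       same UID locally and in LDAP: local entry hides the symptom
#   uid-mismatch present in both with different UIDs
#   local-only   not in LDAP at all
classify_accounts() {
    awk -F: '
        /^[#+-]/ || NF < 3   { next }                  # comments, compat lines
        FILENAME == ARGV[1]  { if (!($1 in luid)) luid[$1] = $3; next }
        !($1 in duid)        { duid[$1] = $3 }         # first entry wins
        END {
            for (u in duid) {
                if (!(u in luid))            s = "ldap-only"
                else if (luid[u] != duid[u]) s = "uid-mismatch"
                else                         s = "masked"
                print u, s
            }
            for (u in luid) if (!(u in duid)) print u, "local-only"
        }' "$1" "$2" | sort
}

# Constructed sample data (not taken from the bug report).
demo_classify() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'alice:x:2001:2001::/home/alice:/bin/bash' \
                  'carol:x:1500:1500::/home/carol:/bin/bash' > "$tmp/passwd"
    printf '%s\n' 'alice:*:2001:2001::/home/alice:/bin/bash' \
                  'bob:*:2002:2002::/home/bob:/bin/bash' \
                  'carol:*:2003:2003::/home/carol:/bin/bash' > "$tmp/ldap"
    classify_accounts "$tmp/passwd" "$tmp/ldap"
    rm -rf "$tmp"
}

if [ "$#" -eq 2 ]; then classify_accounts "$1" "$2"; else demo_classify; fi
```

Accounts reported as ldap-only are the ones to use when reproducing or verifying a fix; a masked account will appear to work even on an affected system.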