Public bug reported:

Binary package hint: sudo-ldap

Using sudo-ldap with pam_krb5.so always results in a failure, even if
pam_krb5.so returns success.
A workaround for this might be to set the sudoOption field to !authenticate
(which turns off authentication).

The relevant information in /var/log/auth.log:
Nov 25 15:01:05 ldap-client-test sudo: pam_krb5(sudo:auth): 
pam_sm_authenticate: entry (0x8000)
Nov 25 15:01:05 ldap-client-test sudo: pam_krb5(sudo:auth): (user andjon) 
attempting authentication as and...@intrealm.com
Nov 25 15:01:10 ldap-client-test sudo: pam_krb5(sudo:auth): user andjon 
authenticated as and...@intrealm.com
Nov 25 15:01:10 ldap-client-test sudo: pam_krb5(sudo:auth): 
pam_sm_authenticate: exit (success)

When running sudo in debug mode:

and...@ldap-client-test:~$ sudo /bin/ls
LDAP Config Summary
===================
uri              ldap://ldap.inv.intrealm.com
ldap_version     3
sudoers_base     ou=clients,ou=sudoers,dc=intrealm,dc=com
binddn           (anonymous)
bindpw           (anonymous)
bind_timelimit   5000
timelimit        120
ssl              (no)
use_sasl         yes
sasl_auth_id     (NONE)
rootuse_sasl     -1
rootsasl_auth_id (NONE)
sasl_secprops    (NONE)
krb5_ccname      (NONE)
===================
sudo: ldap_initialize(ld, ldap://ldap.inv.intrealm.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 120
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)

sudo: ldap_sasl_interactive_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=andjon)(sudoUser=%unix)(sudoUser=ALL))'
sudo: found:cn=root,ou=clients,ou=sudoers,dc=intrealm,dc=com
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoRunAsUser 'root' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for andjon: 
Sorry, try again.


/etc/sudo-ldap.conf
uri ldap://ldap.inv.intrealm.com
rootbinddn uid=ro,dc=intrealm,dc=com
scope sub
timelimit 120
bind_timelimit 5
bind_policy soft
idle_timelimit 3600
nss_initgroups_ignoreusers apache,avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,gsfish,haldaemon,hplip,htdocs,irc,kernoops,ldap,libuuid,list,lp,mail,man,messagebus,nagios,named,news,proxy,pulse,puppet,root,rtkit,saned,speech-dispatcher,splunk,sync,sys,syslog,tomcat,usbmux,uucp,weblogic,www-data
referrals no
TLS_REQCERT never
use_sasl on
pam_sasl_mech GSSAPI
GSSAPI_ENCRYPT on
GSSAPI_SIGN on
sudoers_debug 4
SUDOERS_BASE ou=clients,ou=sudoers,dc=intrealm,dc=com

** Affects: sudo (Ubuntu)
     Importance: Undecided
         Status: New
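The !authenticate workaround mentioned in the report makes sudo skip the password prompt for every user, host and command the sudoRole matches, so anyone applying it should know exactly which roles carry it. The script below is an added example, not part of the bug report or of the sudo project: it parses an LDIF dump of the sudoers subtree (for instance what ldapsearch returns for the sudoers_base shown above) and flags every sudoRole whose sudoOption contains !authenticate, rating a role that also grants sudoCommand ALL as high severity. The LDIF it runs on is constructed here, modelled on the cn=root entry in the debug output; the attribute names (sudoUser, sudoHost, sudoRunAsUser, sudoCommand, sudoOption) are the standard sudoRole schema.

```python
"""Audit sudoRole entries for the '!authenticate' option.

Added example, not code from the bug report. Parses an LDIF dump of the
sudoers subtree and reports roles that disable authentication.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed sample: the cn=root role from the report plus two roles that
# carry the !authenticate workaround (one unrestricted, one narrow).
SAMPLE_LDIF = """\
dn: cn=root,ou=clients,ou=sudoers,dc=intrealm,dc=com
objectClass: sudoRole
cn: root
sudoUser: andjon
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: ALL

dn: cn=ops-noauth,ou=clients,ou=sudoers,dc=intrealm,dc=com
objectClass: sudoRole
cn: ops-noauth
sudoUser: %ops
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: ALL
sudoOption: !authenticate

dn: cn=backup,ou=clients,ou=sudoers,dc=intrealm,dc=com
objectClass: sudoRole
cn: backup
sudoUser: backup
sudoHost: backuphost
sudoRunAsUser: root
sudoCommand: /usr/bin/rsync
sudoOption: !authenticate
sudoOption: noexec
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF parser: entries are separated by blank lines, folded
    continuation lines start with one space, attributes may repeat.
    Base64 values ('attr:: ...') are not decoded; sudoRole data is plain."""
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = defaultdict(list)
    last_attr: str | None = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            last_attr = None
            continue
        if raw.startswith(" ") and last_attr is not None:
            # Folded line: append to the previous attribute's last value.
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        current[attr].append(value.strip())
        last_attr = attr
    if current:
        entries.append(dict(current))
    return entries


def audit_sudo_roles(ldif_text: str) -> list[dict[str, object]]:
    """Return one finding per sudoRole whose sudoOption contains
    '!authenticate'. Severity is 'high' when the role also grants ALL
    commands: that is password-less root on every host it matches."""
    findings: list[dict[str, object]] = []
    for entry in parse_ldif(ldif_text):
        if "sudoRole" not in entry.get("objectClass", []):
            continue
        options = [o.strip() for o in entry.get("sudoOption", [])]
        if "!authenticate" not in options:
            continue
        commands = entry.get("sudoCommand", [])
        findings.append({
            "dn": entry["dn"][0],
            "users": entry.get("sudoUser", []),
            "hosts": entry.get("sudoHost", []),
            "commands": commands,
            "severity": "high" if "ALL" in commands else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in audit_sudo_roles(SAMPLE_LDIF):
        print(f"{str(f['severity']).upper():6} {f['dn']}: users={f['users']} "
              f"hosts={f['hosts']} commands={f['commands']}")
```

Run it against a real dump by reading the ldapsearch output into a string and passing it to audit_sudo_roles(); a role reported as high severity is worth replacing with a narrower sudoCommand list until the PAM issue itself is fixed.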

-- 
sudo-ldap fails authentication with pam_krb5.so
https://bugs.launchpad.net/bugs/681404

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs