Public bug reported:

Binary package hint: sudo-ldap

Using sudo-ldap with pam_krb5.so always results in a failure, even if pam_krb5.so returns success.

A workaround for this need might be to set the sudoOption field to !authenticate (which will turn off auth).

The relevant information in /var/log/auth.log:

Nov 25 15:01:05 ldap-client-test sudo: pam_krb5(sudo:auth): pam_sm_authenticate: entry (0x8000)
Nov 25 15:01:05 ldap-client-test sudo: pam_krb5(sudo:auth): (user andjon) attempting authentication as and...@intrealm.com
Nov 25 15:01:10 ldap-client-test sudo: pam_krb5(sudo:auth): user andjon authenticated as and...@intrealm.com
Nov 25 15:01:10 ldap-client-test sudo: pam_krb5(sudo:auth): pam_sm_authenticate: exit (success)

When running sudo in debug mode:

and...@ldap-client-test:~$ sudo /bin/ls
LDAP Config Summary
===================
uri              ldap://ldap.inv.intrealm.com
ldap_version     3
sudoers_base     ou=clients,ou=sudoers,dc=intrealm,dc=com
binddn           (anonymous)
bindpw           (anonymous)
bind_timelimit   5000
timelimit        120
ssl              (no)
use_sasl         yes
sasl_auth_id     (NONE)
rootuse_sasl     -1
rootsasl_auth_id (NONE)
sasl_secprops    (NONE)
krb5_ccname      (NONE)
===================
sudo: ldap_initialize(ld, ldap://ldap.inv.intrealm.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 120
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)
sudo: ldap_sasl_interactive_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=andjon)(sudoUser=%unix)(sudoUser=ALL))'
sudo: found:cn=root,ou=clients,ou=sudoers,dc=intrealm,dc=com
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoRunAsUser 'root' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for andjon:
Sorry, try again.

/etc/sudo-ldap.conf

uri ldap://ldap.inv.intrealm.com
rootbinddn uid=ro,dc=intrealm,dc=com
scope sub
timelimit 120
bind_timelimit 5
bind_policy soft
idle_timelimit 3600
nss_initgroups_ignoreusers apache,avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,gsfish,haldaemon,hplip,htdocs,irc,kernoops,ldap,libuuid,list,lp,mail,man,messagebus,nagios,named,news,proxy,pulse,puppet,root,rtkit,saned,speech-dispatcher,splunk,sync,sys,syslog,tomcat,usbmux,uucp,weblogic,www-data
referrals no
TLS_REQCERT never
use_sasl on
pam_sasl_mech GSSAPI
GSSAPI_ENCRYPT on
GSSAPI_SIGN on
sudoers_debug 4
SUDOERS_BASE ou=clients,ou=sudoers,dc=intrealm,dc=com

** Affects: sudo (Ubuntu)
     Importance: Undecided
         Status: New

-- 
sudo-ldap fails authentication with pam_krb5.so
https://bugs.launchpad.net/bugs/681404