sudo (+ldap+kerberos) not accepting password

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



So I have this centos 5.10 box which authenticates network users
against ldap(authorizing)+kerberos(authentication). And I now would
like to have sudo be able to allow admins (netgroup chinbeards) to
sudo about. I am not using sssd though (yet).

Here is the output of me trying sudo (debug on):

[raub@centos5-x64 ~]$ sudo pwd
LDAP Config Summary
===================
uri              ldap://idir1.internal.domain.com/
ldap://idir2.internal.domain.com/
ldap_version     3
sudoers_base     ou=SUDOers,dc=domain,dc=com
binddn           (anonymous)
bindpw           (anonymous)
bind_timelimit   120000
timelimit        120
ssl              start_tls
tls_cacertdir    /etc/openldap/cacerts
===================
sudo: ldap_initialize(ld, ldap://idir1.internal.domain.com/
ldap://idir2.internal.domain.com/)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
sudo: ldap_set_option: timelimit -> 120
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 120)

sudo: ldap_start_tls_s() ok
sudo: ldap_sasl_bind_s() ok
sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=com
sudo: ldap sudoOption: 'env_keep+=SSH_AGENT_PID'
sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK'
sudo: ldap sudoOption: 'env_keep+=SVN_SSH'
sudo: ldap sudoOption: 'env_reset'
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: ldap search
'(|(sudoUser=raub)(sudoUser=%raub)(sudoUser=%chinbeards)(sudoUser=ALL))'
sudo: ldap search 'sudoUser=+*'
sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=com
sudo: ldap sudoUser netgroup '+chinbeards' ... MATCH!
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: ldap sudoOption: 'env_keep+=SSH_AGENT_PID'
sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK'
sudo: ldap sudoOption: 'env_keep+=SVN_SSH'
sudo: ldap sudoOption: 'env_reset'
sudo: ldap sudoOption: 'ignore_local_sudoers'
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for raub:

It seems to me that it had no issues finding that I belong to the
netgroup chinbeards (allowed to sudo), and realizing I can do a
command. So, to me the sudo+ldap part of the transaction
(authorization, kinda of what is mentioned in
http://www.sudo.ws/sudoers.ldap.man.html and
http://www.gratisoft.us/sudo/readme_ldap.html) seem to be fine.

But, in the next step -- it asks for password -- is when things get
interesting. At this point I would expect it to pass that to pam,
which would then autenticate me with kerberos (I wonder if it would
work by checking if I have a valid kerberos ticket. That is what
happens when I, say, do ldapsearch. but I digress). But, according to
/var/log/secure,

Jan 17 10:07:13 centos5-x64 sudo: pam_unix(sudo:auth): authentication
failure; logname=raub uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=
user=raub

It seems to have failed to authenticate me. Would it be due to pam not
knowing about kerberos?

Reading http://www.centos.org/docs/5/html/5.2/Deployment_Guide/s1-kerberos-pam.html,
should I be able to get pam_krb5 in, say, /etc/pam.d/system-auth like
this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok
try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos




[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux