On Monday, 29 August 2011 14:07:39 Naga Chaitanya Palle wrote:
> Hi,
>
> I have configured sudoers in my environment.

You may want to provide more detail on the environment (OS/distro, which LDAP-based naming service - e.g. nss_ldap, pam-nss-ldapd etc. - you are using).

> But when I try to execute a command using sudo, the command fails to get
> executed saying "sysadmin is not in the sudoers file. This incident will be
> reported.".
> I am using the sysadmin account as mentioned in the below sudoers ldif file.
>
> login as: sysadmin
> [email protected]'s password:
> Last login: Mon Aug 29 14:58:50 2011 from 10.150.10.158
>
> Could not chdir to home directory /home/sysadmin: No such file or directory

Maybe you need to add pam_mkhomedir to /etc/pam.d/system-auth ?

> -bash-3.2$ sudo ls
> [sudo] password for sysadmin:
> sysadmin is not in the sudoers file. This incident will be reported.
> -bash-3.2$ sudo -V
> Sudo version 1.7.2p1

It would be more instructive to run 'sudo -V' as root.

> -bash-3.2$ sudo -l
> [sudo] password for sysadmin:
> Sorry, user sysadmin may not run sudo on devonly144.
> -bash-3.2
>

Since some of your sudo rules are group-based, you may want to provide the output of 'id' or 'groups' here.

> On the server the sudoers configuration is:
>
> /etc/openldap/slapd.conf
> include /usr/share/openldap2.4/schema/sudo.schema
> index sudoUser eq
>
> /etc/openldap/ldap.conf
> sudoers_base ou=SUDOers,dc=comverse-in,dc=com

This is probably the wrong ldap.conf; it should probably be one of /etc/ldap.conf, /etc/nss_ldap.conf or /etc/sudo-ldap.conf, depending on the distribution.

> sudoers.ldif
> # SUDOers, comverse-in.com
> dn: ou=SUDOers,dc=comverse-in,dc=com
> objectClass: top
> objectClass: organizationalUnit
> ou: SUDOers
>
> dn: cn=defaults,ou=SUDOers,dc=comverse-in,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: defaults
> description: Default sudoOption's go here
> sudoOption: syslog=auth
>
> dn: cn=root,ou=SUDOers,dc=comverse-in,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: root
> sudoUser: root
> sudoUser: sysadmin
> sudoHost: ALL
> sudoRunAsUser: ALL
> sudoCommand: ALL
>
> dn: cn=%wheel,ou=SUDOers,dc=comverse-in,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: %wheel
> sudoUser: %wheel
> sudoHost: ALL
> sudoRunAsUser: ALL
> sudoCommand: ALL
>
> dn: cn=operator,ou=SUDOers,dc=comverse-in,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: operator
> sudoUser: operator
> sudoHost: ALL
> sudoCommand: /usr/sbin/dump
> sudoCommand: /usr/sbin/rdump
> sudoCommand: /usr/sbin/restore
> sudoCommand: /usr/sbin/rrestore
> sudoCommand: /usr/bin/mt
> sudoCommand: /usr/bin/kill
> sudoCommand: /usr/sbin/shutdown
> sudoCommand: /usr/sbin/halt
> sudoCommand: /usr/sbin/reboot
> sudoCommand: /usr/sbin/lpc
> sudoCommand: /usr/bin/lprm
> sudoCommand: sudoedit /etc/printcap
> sudoCommand: /usr/oper/bin/
>
> dn: cn=ALL,ou=SUDOers,dc=comverse-in,dc=com
> objectClass: top
> objectClass: sudoRole
> cn: ALL
> sudoUser: ALL
> sudoHost: orion
> sudoCommand: /sbin/umount /CDROM
> sudoCommand: /sbin/mount -o nosuid\
> sudoCommand: nodev /dev/cd0a /CDROM
> sudoOption: !authenticate
>
>
> On client:
>
> /etc/ldap.conf
> sudoers_base ou=SUDOers,dc=comverse-in,dc=com
> nss_base_passwd ou=People,dc=comverse-in,dc=com?one
> nss_base_shadow ou=People,dc=comverse-in,dc=com?one
> nss_base_group ou=Group,dc=comverse-in,dc=com?one

Please check that this is the correct configuration file, according to the 'sudo -V' output as root.

>
> /etc/pam.d/login
> #%PAM-1.0
> auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
> auth include system-auth
> auth required pam_securetty.so
> auth sufficient pam_ldap.so
> auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
>
> account required pam_nologin.so
> account include system-auth
> account sufficient pam_ldap.so
> account required pam_stack.so service=system-auth
>
> password include system-auth
> password sufficient pam_ldap.so
> password required pam_stack.so service=system-auth
>
> # pam_selinux.so close should be the first session rule
> session required pam_selinux.so close
> session include system-auth
> session required pam_loginuid.so
> session optional pam_console.so
> # pam_selinux.so open should only be followed by sessions to be executed in
> # the user context
> session required pam_selinux.so open
> session optional pam_keyinit.so force revoke
> session sufficient pam_ldap.so
> session required pam_stack.so service=system-auth
> session optional pam_console.so
> session required /lib/security/pam_limits.so

In most environments it is preferable to configure LDAP authentication in a single service file that is referenced by the others, in this case /etc/pam.d/system-auth, rather than in the individual service files.

>
> /etc/nsswitch.conf
> passwd: ldap files
> shadow: ldap files
> group: ldap files

In 1.7.x you may need to add:

sudoers: files ldap

or similar to /etc/nsswitch.conf (depending on the sudo build-time configuration, which you can see with 'sudo -V' as root).

Regards,
Buchan
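The following is an added example, not code from the thread or from the sudo project. It is a simplified, offline model of how sudo's LDAP backend decides which sudoRole entries apply to a user on a host: the sudoUser attribute matches a plain username, a %group the user belongs to, or ALL; sudoHost matches the client's hostname or ALL (netgroup and wildcard forms are deliberately not modelled). The embedded LDIF is a constructed sample modelled on the entries quoted above, with the base DN changed to dc=example,dc=com. Running it against the sample shows that the cn=root role does match user sysadmin on host devonly144, which is why the advice above concentrates on whether sudo is actually reading its LDAP configuration (the ldap.conf location and the sudoers line in nsswitch.conf) rather than on the directory contents.

```python
"""Simplified model of sudo-ldap sudoRole matching (added example, not sudo's code)."""
from typing import Dict, List

# Constructed sample, modelled on the sudoers.ldif quoted in the thread.
SAMPLE_LDIF = """\
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
sudoOption: syslog=auth

dn: cn=root,ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoUser: sysadmin
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=operator,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: operator
sudoUser: operator
sudoHost: ALL
sudoCommand: /usr/sbin/dump
sudoCommand: /usr/sbin/reboot

dn: cn=ALL,ou=SUDOers,dc=example,dc=com
objectClass: sudoRole
cn: ALL
sudoUser: ALL
sudoHost: orion
sudoCommand: /sbin/umount /CDROM
sudoOption: !authenticate
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF parser: entries are separated by blank lines, attributes may
    repeat, and a line starting with a space continues the previous value."""
    entries: List[Entry] = []
    cur: Entry = {}
    last_attr = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends the entry
            if cur:
                entries.append(cur)
            cur, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr:   # folded continuation line
            cur[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        cur.setdefault(attr, []).append(value)
        last_attr = attr
    if cur:
        entries.append(cur)
    return entries


def user_matches(entry: Entry, user: str, groups: List[str]) -> bool:
    """sudoUser may be a username, %group, or ALL (+netgroup/#uid not modelled)."""
    for spec in entry.get("sudoUser", []):
        if spec == "ALL" or spec == user:
            return True
        if spec.startswith("%") and spec[1:] in groups:
            return True
    return False


def host_matches(entry: Entry, host: str) -> bool:
    """sudoHost may be a hostname or ALL (netgroups and wildcards not modelled)."""
    return any(spec == "ALL" or spec == host for spec in entry.get("sudoHost", []))


def matching_roles(entries: List[Entry], user: str, groups: List[str], host: str) -> List[Entry]:
    """Roles that apply to this user on this host; cn=defaults only carries options."""
    return [e for e in entries
            if e.get("cn", [""])[0] != "defaults"
            and user_matches(e, user, groups) and host_matches(e, host)]


def allowed_commands(entries: List[Entry], user: str, groups: List[str], host: str) -> List[str]:
    """Flattened sudoCommand values from every matching role, in directory order."""
    return [c for e in matching_roles(entries, user, groups, host) for c in e.get("sudoCommand", [])]


_ESC = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def ldap_filter(user: str, groups: List[str]) -> str:
    """Filter a sudo-ldap client would send to preselect candidate sudoRole entries
    (assumed shape; RFC 4515 escaping applied to user-supplied names)."""
    esc = lambda s: "".join(_ESC.get(c, c) for c in s)
    parts = [f"(sudoUser={esc(user)})"] + [f"(sudoUser=%{esc(g)})" for g in groups] + ["(sudoUser=ALL)"]
    return "(|" + "".join(parts) + ")"


if __name__ == "__main__":
    roles = parse_ldif(SAMPLE_LDIF)
    print(ldap_filter("sysadmin", ["users"]))
    for dn in (e["dn"][0] for e in matching_roles(roles, "sysadmin", ["users"], "devonly144")):
        print("matches:", dn)
```

With the sample directory, sysadmin on devonly144 matches only cn=root (cn=ALL is restricted to host orion), a member of wheel matches cn=%wheel, and an unprivileged user on orion gets only the single umount command from cn=ALL.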
