
I'm trying to set up sudo-ldap in a clean CentOS 7 docker environment. I've successfully set up sssd and PAM authentication, and it works.

However, sudo-ldap works only if !authenticate is set:

dn: cn=test,ou=SUDOers,ou=People,dc=srv,dc=world
objectClass: top
objectClass: sudoRole
cn: test
sudoUser: test
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoCommand: !/bin/cp
sudoOption: !authenticate

When I run sudo cp, I get the following debug logs:

# without !authenticate
sudo: searching LDAP for sudoers entries
sudo: ldap sudoRunAsUser 'ALL' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: ldap sudoCommand '!/bin/cp' ... MATCH!
sudo: Command allowed
sudo: LDAP entry: 0x55ed4d71b930
sudo: done with LDAP searches
sudo: user_matches=true
sudo: host_matches=true
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for test:
Sorry, try again.

# with !authenticate
sudo: searching LDAP for sudoers entries
sudo: ldap sudoRunAsUser 'ALL' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: LDAP entry: 0x564d56cb9960
sudo: done with LDAP searches
sudo: user_matches=true
sudo: host_matches=true
sudo: sudo_ldap_lookup(0)=0x02
sudo: removing reusable search result
cp: missing file operand
Try 'cp --help' for more information.

I can use the password to log in via SSH, but I am not able to run sudo commands. Does anyone know what's wrong?

Attached is /etc/pam.d/system-auth (sudo includes that file):

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so

account     required      pam_unix.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022

1 Answer


Interesting, order does matter in PAM. It works if pam_unix comes before pam_sss:

auth        sufficient    pam_unix.so try_first_pass nullok
auth        sufficient    pam_sss.so use_first_pass

password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password    sufficient    pam_sss.so use_authtok
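Why the reordering works: use_first_pass tells a module to use only the password already stacked by an earlier module and to fail if there is none, while try_first_pass falls back to prompting. In the original stack pam_sss.so was first with use_first_pass, so it failed before the user was ever asked, and the prompt then came from pam_unix.so, which cannot verify an LDAP-only user's password. The !authenticate workaround in the sudoRole removes the password check altogether, so once the auth stack is ordered correctly that sudoOption should be dropped. The script below is an added example written for this page, not code from the question or the answer: it parses a PAM service file and flags an auth module that carries use_first_pass before any module that could have prompted. The set of modules treated as password consumers and the two embedded configs (copied from the question and the answer) are assumptions of the example.

```python
"""Lint the auth stack of a PAM service file for the ordering trap seen
above: a password module with use_first_pass placed before any module that
could have prompted for the password.  Sample configs are embedded inline."""
import re
from typing import List, NamedTuple

# Assumption: these modules consume a password.  Every other module
# (pam_env, pam_deny, pam_succeed_if, ...) is treated as never prompting.
PASSWORD_MODULES = {"pam_unix.so", "pam_sss.so", "pam_ldap.so",
                    "pam_krb5.so", "pam_winbind.so"}


class Entry(NamedTuple):
    type: str       # auth / account / password / session
    control: str    # required, sufficient, [success=1 default=ignore], ...
    module: str
    args: List[str]


def parse_pam(text: str) -> List[Entry]:
    """Parse the common /etc/pam.d line format (no 'include' expansion)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # A leading '-' marks a module whose absence is not fatal; not
        # relevant to ordering, so drop it before matching.
        line = line.lstrip("-")
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        typ, control, module, rest = m.groups()
        entries.append(Entry(typ, control, module, rest.split()))
    return entries


def auth_order_findings(text: str) -> List[str]:
    """Return one message per auth module that relies on a stacked password
    when no earlier auth module could have collected one."""
    findings = []
    seen_prompting = False
    for e in parse_pam(text):
        if e.type != "auth" or e.module not in PASSWORD_MODULES:
            continue
        if "use_first_pass" in e.args and not seen_prompting:
            findings.append(
                f"{e.module} has use_first_pass but no earlier auth module "
                f"prompts for a password; it fails before the user is asked")
        if "use_first_pass" not in e.args:
            # try_first_pass or no option: this module prompts when
            # nothing is stacked, so later use_first_pass modules are fine.
            seen_prompting = True
    return findings


# Constructed sample: the auth/account/password/session stack from the question.
BROKEN_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_sss.so use_first_pass
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_sss.so use_authtok
password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
session     required      pam_mkhomedir.so skel=/etc/skel umask=0022
"""

# Constructed sample: the auth stack from the answer (pam_unix first).
FIXED_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
"""

if __name__ == "__main__":
    for name, cfg in (("question", BROKEN_AUTH), ("answer", FIXED_AUTH)):
        print(name, auth_order_findings(cfg) or ["no ordering problem found"])
```

Run it against a real file with auth_order_findings(open("/etc/pam.d/system-auth").read()); an empty list means every use_first_pass module has a prompting module ahead of it.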
