# Sudo and LDAP

## esoteriskdk

My box is using full PAM authentication via LDAP, so the only user to exist locally on the machine is root. Everything works fine (except a small bug with ooffice), but sudo isn't working at all. Whenever I try to do one it says

```
sudo: uid 1004 does not exist in the passwd file!
```

Which of course is correct, but it shouldn't need to be. I could write a script that imports the LDAP users into the local passwd, group etc. files, or I could just add the users manually. But I'm really keen on keeping it pure LDAP.

Is it even possible to avoid adding the user locally and still use sudo?

----------

## remi2402

sudo has its own entry in /etc/pam.d/

Make sure that this one also uses ldap for user auth.

In doubt, I think it's safe to include system-auth or login just like most of the other modules

Hope that helps

Rémi

----------

## esoteriskdk

This is my /etc/pam.d/sudo

```
auth            include         system-auth
account         include         system-auth
password        include         system-auth
session         include         system-auth
```

and /etc/pam.d/system-auth

```
auth            required        /lib/security/pam_env.so
auth            sufficient      /lib/security/pam_unix.so likeauth nullok shadow
auth            sufficient      /lib/security/pam_ldap.so use_first_pass
auth            required        /lib/security/pam_deny.so

account         required        /lib/security/pam_unix.so
account         sufficient      /lib/security/pam_ldap.so

password        required        /lib/security/pam_cracklib.so retry=3
password        sufficient      /lib/security/pam_unix.so nullok use_authtok shadow md5
password        sufficient      /lib/security/pam_ldap.so use_authtok
password        required        /lib/security/pam_deny.so

session         required        /lib/security/pam_limits.so
session         required        /lib/security/pam_unix.so
session         required        /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0
session         optional        /lib/security/pam_ldap.so
```

I've temporarily just copy/pasted the userinfo from LDAP to /etc/passwd and it works. But it's a bad workaround IMO.

----------

## Ardvaark

I am having the same problem, and my guess for now is that it's a linking issue of some kind - namely that the getpwuid() function is not being linked to the one that goes through the NSS subsystem by the sudo build process. My reasoning?

Well, I created a little test program:

```
#include <stdio.h>
#include <pwd.h>
#include <sys/types.h>

int main(void)
{
  struct passwd *pw;

  /* Resolve the uid through NSS (files, then ldap, per nsswitch.conf). */
  pw = getpwuid(1000);
  if (pw == NULL) {
    printf("NULL!\n");
  }
  else {
    printf("name: %s\n", pw->pw_name);
  }
  return 0;
}
```

It correctly prints out my LDAP-only username.

```
[root@scandium ~/work](209)# ./a.out
name: brian
```

I then modified the sudo package, changing sudo_getpwuid() to print out the uid it was getting, and if it got NULL for some reason.  When run from within sudo, it seems that getpwuid() doesn't find the LDAP user.  From my modified getspwuid.c:

```
/*
 * Get a password entry by uid and allocate space for it.
 * Fills in pw_passwd from shadow file if necessary.
 */
struct passwd *
sudo_getpwuid(uid)
    uid_t uid;
{
    struct passwd *pw;

    printf("got uid: %d\n", uid);
    if ((pw = getpwuid(uid)) == NULL) {
      printf("NULL\n");
      return NULL;
    }
    else
        return(sudo_pwdup(pw));
}
```

The result:

```
[root@scandium ~/sudo-1.6.8p9](222)# su brian
scandium /root/sudo-1.6.8p9> ./sudo -l
got uid: 1000
NULL
sudo: uid 1000 does not exist in the passwd file!
```

Finally, the last clue is that I had a VM with a portage snapshot from a month or so ago. When I installed LDAP and sudo onto the VM, it all worked correctly. I'm now in the process of bringing my VM up-to-date to see if it starts to fail.

I'm still goofing with this.  If I figure anything out, I'll let you know.

----------

## Ardvaark

Okay, I'm still not sure what's going on, but it seems other things have had problems with LDAP library version dependencies.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=325120

While this is for pam_ldap.... ?

----------

## Ardvaark

Okay, I've created a bug.  We'll see where it ends up.

sudo fails to find LDAP users, despite NSS (seemingly?) working correctly

----------

## remi2402

That's really weird because I have about 15 boxes using LDAP and sudo for root access and everything's been working great for about a year.

Could you post your /etc/nsswitch.conf here so I can compare with mine?

EDIT: post getent passwd too.

Rémi

----------

## esoteriskdk

/etc/nsswitch.conf

```
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/nsswitch.conf,v 1.1 2005/05/17 00:52:41 vapier Exp $

passwd:         files ldap
group:          files ldap
shadow:         files ldap

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files
```

If I put ldap before files, the system hangs at boot.

```
getent passwd|grep -vf /etc/passwd
```

Just displays all the users that don't exist locally on the machine. Like so

```
luser1:x:1000:100:luser1:/home/luser1:/bin/bash
luser2:x:1001:100:luser2:/home/luser2:/bin/bash
```

etc. etc.

----------

## Ardvaark

The only thing I changed was passwd, shadow, and group to files ldap.

```
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/nsswitch.conf,v 1.1 2005/05/17 00:52:41 vapier Exp $

passwd:      files ldap
shadow:      files ldap
group:       files ldap

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files
```

Similarly, with names changed to protect the innocent:

```
[root@scandium lib](716)# getent passwd | grep -vf /etc/passwd
foo:x:1000:100:Foo:/home/foo:/bin/tcsh
bar:x:1001:100:Bar:/home/bar:/bin/bash
```

----------

## remi2402

In my nsswitch.conf, I have "ldap" before "files".

Maybe when "files" fails to find a user, it does not go to ldap to try and find it there.

Also, do you use a group for sudo or user names?

Rémi

----------

## esoteriskdk

If I put ldap before files, the box fails to boot further than the kernel startup; this goes for both the clients and the server. I thought it was because it's trying to authenticate the root user through LDAP before the network or anything else is set up. So I'm surprised that somebody has that working. Could you please post your "rc-update -s"?

I've tried with both group and users for sudoers and neither works.

----------

## gatty1

I just stumbled across exactly the same problem after updating OpenLDAP etc. last night.  Re-emerging sudo without the ldap USE flag worked for me:

```
USE="-ldap" emerge app-admin/sudo
```

Before doing this I got:

```
ajg@darkstone ~ $ sudo bash -l
sudo: uid 31383 does not exist in the passwd file!
```

And now:

```
ajg@darkstone ~ $ sudo bash -l
Password:
darkstone ~ #
```

Hope this helps,

Andy.

----------

## esoteriskdk

It sure did!

Without the "ldap" USE flag, sudo now works perfectly via ldap. I even re-emerged with the flag just to be sure and it failed again.

Quite amusing, I know that sudo can use an LDAP database instead of /etc/sudoers, maybe this is what the ldap flag implies. Yet it shouldn't break the PAM authentication.

Going to make a note on the bugpage.

----------

## Ardvaark

If I emerge with -ldap, sudo works correctly with regards to the passwd file, but it no longer reads the sudoers information from LDAP.

For example, with -ldap:

```
scandium /home/brian> sudo -l
Sorry, user brian may not run sudo on scandium.
```

But the LDAP server never gets hit for sudoers.

----------

## remi2402

On my boxes sudo has been built with +pam and +ldap.

Now if you say your box freezes at boot, it's probably because you have a root user in your ldap tree. Although it's doable, it's not a good idea to have one. That's one of the reasons I used sudo in the first place. Global rights but local root passwords for every box.

----------

## mroch

sudo works for me with and without the ldap USE flag.  However, groups don't work because the system groups come before the LDAP groups:

```
mroch@ldap ~ $ getent group | grep wheel
wheel::10:root
wheel:x:10:root,mroch
```

As you can see, I'm a member of the second group which isn't being used.  I'm going to see what happens if I delete the system groups... but before I do, anyone have a reason not to?

----------
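An added example (not from any poster in this thread) that checks the two NSS side effects discussed above without touching /etc/passwd or /etc/group: which users resolve only through the directory, and whether a group name is served by both "files" and "ldap" so that only the first entry (the local `wheel::10:root`) is ever consulted. The function names and the sample passwd/group lines are constructed for the demo; on a real box feed the functions `getent passwd` and `getent group` output.

```shell
#!/bin/sh
# Added example. Diagnoses NSS merging as seen by sudo: directory-only users,
# duplicated names across sources, and who is in the effective group entry.
# All sample data below is constructed.

SAMPLE_LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash'
SAMPLE_NSS_PASSWD='root:x:0:0:root:/root:/bin/bash
luser1:x:1000:100:luser1:/home/luser1:/bin/bash
luser2:x:1001:100:luser2:/home/luser2:/bin/bash'
SAMPLE_NSS_GROUP='wheel::10:root
users:x:100:
wheel:x:10:root,mroch'

# Names in the NSS view (stdin) that are absent from the local file ($1).
# Keyed on the name field, unlike `grep -vf /etc/passwd`, which turns every
# line of /etc/passwd into a regular expression.
directory_only_users() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" -
}

# Names that occur more than once in one database (stdin), printed as
# name<TAB>first entry<TAB>later entry. NSS hands sudo the first entry only.
duplicated_entries() {
    awk -F: '($1 in first) { print $1 "\t" first[$1] "\t" $0 } !($1 in first) { first[$1] = $0 }'
}

# Exit 0 only if user $2 is listed in the FIRST entry for group $1 (stdin),
# which is the membership sudo sees when it evaluates a %group rule.
member_in_effective_group() {
    awk -F: -v g="$1" -v u="$2" '
        $1 == g { n = split($4, m, ",")
                  for (i = 1; i <= n; i++) if (m[i] == u) found = 1
                  exit }                 # stop at the first entry for this group
        END { exit (found ? 0 : 1) }'
}

# Demo on the constructed sample.
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_LOCAL_PASSWD" > "$tmp"
echo "directory-only users:"
printf '%s\n' "$SAMPLE_NSS_PASSWD" | directory_only_users "$tmp"
rm -f "$tmp"
echo "duplicated group entries:"
printf '%s\n' "$SAMPLE_NSS_GROUP" | duplicated_entries
if printf '%s\n' "$SAMPLE_NSS_GROUP" | member_in_effective_group wheel mroch; then
    echo "mroch is in the effective wheel group"
else
    echo "mroch is NOT in the effective wheel group (shadowed by the local entry)"
fi
```

Swapping "files" and "ldap" in nsswitch.conf, as suggested later in the thread, changes which entry `duplicated_entries` reports first and therefore which one `member_in_effective_group` tests.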

## mroch

```
mv /etc/passwd{,.bak}; mv /etc/group{,.bak}
```

did the trick for sudo.  Hopefully nothing else will be broken.

----------

## remi2402

mroch, that's not a good idea 'cause if your ldap is down, then your box is useless.

I suggest swapping the positions of "files" and "ldap" in /etc/nsswitch.conf. This way you can have your ldap server override local groups, should you need it.

Rémi

----------

## Ardvaark

The root cause problem has been found.  There's a description, patch, and updated ebuild in the bug report.

----------

