[rhn-users] RHSA-2010:0122 sudo stopped authentificate with LDAP

Evgeniy Ginzburg eginzburg at northernlight.com
Fri Mar 26 10:05:42 UTC 2010


On 03/26/2010 12:59 PM, Evgeniy Ginzburg wrote:
> Hello. After applying today's RHSA-2010:0122, sudo stopped
> authenticating users in LDAP sudoers.
> Users/groups in local /etc/sudoers are OK.
>
> tail /var/log/secure
> ============================================================
>
> Mar 26 05:57:10 nladmin03 sudo: eginzburg : user NOT in sudoers ;
> TTY=pts/0 ; PWD=/home/eginzburg ; USER=root ; COMMAND=/bin/ls
> Mar 26 05:57:15 nladmin03 su: pam_unix(su:auth): authentication failure;
> logname=eginzburg uid=2595 euid=0 tty=pts/0 ruser=eginzburg rhost=
> user=root
>
>
> cat /etc/pam.d/sudo
> ============================================================
>
> #%PAM-1.0
> auth include system-auth
> account include system-auth
> password include system-auth
> session optional pam_keyinit.so revoke
> session required pam_limits.so
>
> cat /etc/pam.d/system-auth
> ============================================================
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3
> password sufficient pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond
> quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
> session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
> ============================================================
It's related to
https://bugzilla.redhat.com/show_bug.cgi?id=506945

After adding
"sudoers:   files ldap"
to nsswitch.conf everything works OK.
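As an added example (not code from the original post or from Red Hat), here is a small POSIX shell check for the nsswitch.conf "sudoers:" line that the fix above adds. It assumes sudo's documented behaviour of falling back to "files" when no sudoers line is present, and the sample nsswitch.conf contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. It parses an
# nsswitch.conf and reports which databases sudo will consult for the
# sudoers source. Assumption (per sudoers(5)): when no "sudoers:" line
# is present, sudo falls back to "files" only, which matches the symptom
# in the post: LDAP-only users get "user NOT in sudoers".

# sudoers_sources FILE: print the configured sudoers sources, or "files"
# when the line is missing. Comments are stripped first.
sudoers_sources() {
    src=$(sed 's/#.*//' "$1" \
        | awk -F: '$1 ~ /^[ \t]*sudoers[ \t]*$/ { print $2 }' \
        | tail -n 1 \
        | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//')
    if [ -z "$src" ]; then
        echo "files"
    else
        echo "$src"
    fi
}

# check_ldap_sudoers FILE: exit status 0 if ldap is among the sudoers
# sources, 1 otherwise. Action tokens such as [NOTFOUND=return] are skipped.
check_ldap_sudoers() {
    for s in $(sudoers_sources "$1"); do
        [ "$s" = "ldap" ] && return 0
    done
    return 1
}

# Constructed sample files (not from the post): an nsswitch.conf without
# a sudoers line, and the same file with the line from the post appended.
NSS_DIR=$(mktemp -d)
NSS_BEFORE="$NSS_DIR/nsswitch.before"
NSS_AFTER="$NSS_DIR/nsswitch.after"
cat > "$NSS_BEFORE" <<'EOF'
passwd:     files ldap   # users come from LDAP
shadow:     files ldap
group:      files ldap
hosts:      files dns
EOF
cp "$NSS_BEFORE" "$NSS_AFTER"
echo 'sudoers:   files ldap' >> "$NSS_AFTER"

for f in "$NSS_BEFORE" "$NSS_AFTER"; do
    if check_ldap_sudoers "$f"; then
        echo "$f: sudoers = '$(sudoers_sources "$f")' (LDAP consulted)"
    else
        echo "$f: sudoers = '$(sudoers_sources "$f")' (LDAP NOT consulted)"
    fi
done
```

Run it as root on a real host by pointing `check_ldap_sudoers` at /etc/nsswitch.conf; a non-zero exit means LDAP sudoers entries are never looked up, whatever the LDAP client configuration says.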
