Mauricio Tavares
2014-Jan-19 23:12 UTC
[CentOS] sudo (+ldap+kerberos) not accepting password
So I have this centos 5.10 box which authenticates network users against ldap(authorizing)+kerberos(authentication). And I now would like to have sudo be able to allow admins (netgroup chinbeards) to sudo about. I am not using sssd though (yet). Here is the output of me trying sudo (debug on): [raub at centos5-x64 ~]$ sudo pwd LDAP Config Summary ==================uri ldap://idir1.internal.domain.com/ ldap://idir2.internal.domain.com/ ldap_version 3 sudoers_base ou=SUDOers,dc=domain,dc=com binddn (anonymous) bindpw (anonymous) bind_timelimit 120000 timelimit 120 ssl start_tls tls_cacertdir /etc/openldap/cacerts ==================sudo: ldap_initialize(ld, ldap://idir1.internal.domain.com/ ldap://idir2.internal.domain.com/) sudo: ldap_set_option: debug -> 0 sudo: ldap_set_option: ldap_version -> 3 sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts sudo: ldap_set_option: timelimit -> 120 sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 120) sudo: ldap_start_tls_s() ok sudo: ldap_sasl_bind_s() ok sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=com sudo: ldap sudoOption: 'env_keep+=SSH_AGENT_PID' sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK' sudo: ldap sudoOption: 'env_keep+=SVN_SSH' sudo: ldap sudoOption: 'env_reset' sudo: ldap sudoOption: 'ignore_local_sudoers' sudo: ldap search '(|(sudoUser=raub)(sudoUser=%raub)(sudoUser=%chinbeards)(sudoUser=ALL))' sudo: ldap search 'sudoUser=+*' sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=com sudo: ldap sudoUser netgroup '+chinbeards' ... MATCH! sudo: ldap sudoHost 'ALL' ... MATCH! sudo: ldap sudoCommand 'ALL' ... MATCH! sudo: Command allowed sudo: ldap sudoOption: 'env_keep+=SSH_AGENT_PID' sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK' sudo: ldap sudoOption: 'env_keep+=SVN_SSH' sudo: ldap sudoOption: 'env_reset' sudo: ldap sudoOption: 'ignore_local_sudoers' sudo: user_matches=1 sudo: host_matches=1 sudo: sudo_ldap_lookup(0)=0x02 [sudo] password for raub: It seems to me that it had no issues finding that I belong to the netgroup chinbeards (allowed to sudo), and realizing I can do a command. So, to me the sudo+ldap part of the transaction (authorization, kinda of what is mentioned in http://www.sudo.ws/sudoers.ldap.man.html and http://www.gratisoft.us/sudo/readme_ldap.html) seem to be fine. But, in the next step -- it asks for password -- is when things get interesting. At this point I would expect it to pass that to pam, which would then autenticate me with kerberos (I wonder if it would work by checking if I have a valid kerberos ticket. That is what happens when I, say, do ldapsearch. but I digress). But, according to /var/log/secure, Jan 17 10:07:13 centos5-x64 sudo: pam_unix(sudo:auth): authentication failure; logname=raub uid=0 euid=0 tty=/dev/pts/0 ruser= rhostuser=raub It seems to have failed to authenticate me. Would it be due to pam not knowing about kerberos? Reading http://www.centos.org/docs/5/html/5.2/Deployment_Guide/s1-kerberos-pam.html, should I be able to get pam_krb5 in, say, /etc/pam.d/system-auth like this: #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_krb5.so use_first_pass auth required pam_deny.so account required pam_unix.so account sufficient pam_succeed_if.so uid < 500 quiet account [default=bad success=ok user_unknown=ignore] pam_krb5.so account required pam_permit.so password requisite pam_cracklib.so try_first_pass retry=3 password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok password sufficient pam_krb5.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session optional pam_mkhomedir.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_krb5.so
Mauricio Tavares
2014-Jan-20 07:49 UTC
[CentOS] sudo (+ldap+kerberos) not accepting password
On Sun, Jan 19, 2014 at 6:12 PM, Mauricio Tavares <raubvogel at gmail.com> wrote:> So I have this centos 5.10 box which authenticates network users > against ldap(authorizing)+kerberos(authentication). And I now would > like to have sudo be able to allow admins (netgroup chinbeards) to > sudo about. I am not using sssd though (yet). > > Here is the output of me trying sudo (debug on): > > [raub at centos5-x64 ~]$ sudo pwd > LDAP Config Summary > ==================> uri ldap://idir1.internal.domain.com/ > ldap://idir2.internal.domain.com/ > ldap_version 3 > sudoers_base ou=SUDOers,dc=domain,dc=com > binddn (anonymous) > bindpw (anonymous) > bind_timelimit 120000 > timelimit 120 > ssl start_tls > tls_cacertdir /etc/openldap/cacerts > ==================> sudo: ldap_initialize(ld, ldap://idir1.internal.domain.com/ > ldap://idir2.internal.domain.com/) > sudo: ldap_set_option: debug -> 0 > sudo: ldap_set_option: ldap_version -> 3 > sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts > sudo: ldap_set_option: timelimit -> 120 > sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 120) > > sudo: ldap_start_tls_s() ok > sudo: ldap_sasl_bind_s() ok > sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=com > sudo: ldap sudoOption: 'env_keep+=SSH_AGENT_PID' > sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK' > sudo: ldap sudoOption: 'env_keep+=SVN_SSH' > sudo: ldap sudoOption: 'env_reset' > sudo: ldap sudoOption: 'ignore_local_sudoers' > sudo: ldap search > '(|(sudoUser=raub)(sudoUser=%raub)(sudoUser=%chinbeards)(sudoUser=ALL))' > sudo: ldap search 'sudoUser=+*' > sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=com > sudo: ldap sudoUser netgroup '+chinbeards' ... MATCH! > sudo: ldap sudoHost 'ALL' ... MATCH! > sudo: ldap sudoCommand 'ALL' ... MATCH! > sudo: Command allowed > sudo: ldap sudoOption: 'env_keep+=SSH_AGENT_PID' > sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK' > sudo: ldap sudoOption: 'env_keep+=SVN_SSH' > sudo: ldap sudoOption: 'env_reset' > sudo: ldap sudoOption: 'ignore_local_sudoers' > sudo: user_matches=1 > sudo: host_matches=1 > sudo: sudo_ldap_lookup(0)=0x02 > [sudo] password for raub: > > It seems to me that it had no issues finding that I belong to the > netgroup chinbeards (allowed to sudo), and realizing I can do a > command. So, to me the sudo+ldap part of the transaction > (authorization, kinda of what is mentioned in > http://www.sudo.ws/sudoers.ldap.man.html and > http://www.gratisoft.us/sudo/readme_ldap.html) seem to be fine. > > But, in the next step -- it asks for password -- is when things get > interesting. At this point I would expect it to pass that to pam, > which would then autenticate me with kerberos (I wonder if it would > work by checking if I have a valid kerberos ticket. That is what > happens when I, say, do ldapsearch. but I digress). But, according to > /var/log/secure, > > Jan 17 10:07:13 centos5-x64 sudo: pam_unix(sudo:auth): authentication > failure; logname=raub uid=0 euid=0 tty=/dev/pts/0 ruser= rhost> user=raub > > It seems to have failed to authenticate me. Would it be due to pam not > knowing about kerberos? > > Reading http://www.centos.org/docs/5/html/5.2/Deployment_Guide/s1-kerberos-pam.html, > should I be able to get pam_krb5 in, say, /etc/pam.d/system-auth like > this: > > #%PAM-1.0 > # This file is auto-generated. > # User changes will be destroyed the next time authconfig is run. > auth required pam_env.so > auth sufficient pam_unix.so nullok try_first_pass > auth requisite pam_succeed_if.so uid >= 500 quiet > auth sufficient pam_krb5.so use_first_pass > auth required pam_deny.so > > account required pam_unix.so > account sufficient pam_succeed_if.so uid < 500 quiet > account [default=bad success=ok user_unknown=ignore] pam_krb5.so > account required pam_permit.so > > password requisite pam_cracklib.so try_first_pass retry=3 > password sufficient pam_unix.so sha512 shadow nullok > try_first_pass use_authtok > password sufficient pam_krb5.so use_authtok > password required pam_deny.so > > session optional pam_keyinit.so revoke > session required pam_limits.so > session optional pam_mkhomedir.so > session [success=1 default=ignore] pam_succeed_if.so service in > crond quiet use_uid > session required pam_unix.so > session optional pam_krb5.soOk, I am not saying what I wrote above is proper, but the auth entry is enough to satisfy sudo. But, how now I tell authconfig to edit the file properly? The way I did it was authconfig --enableldap --enableldaptls --ldapserver=idir1.internal.domain.com,idir2.internal.domain.com --ldapbasedn=dc=domain,dc=com --enablekrb5 --passalgo=sha512 --disablemd5 --update but that does not seem to add the line to /etc/pam.d/system-auth to tell it that kerberos is in the house.