sudoers file with groups in LDAP
Hello gurus,



I've been working on a sudoers file to work with groups in LDAP. I've created the groups in LDAP and added the users to their respective groups. I've also set up my sudoers file to have the groups match what is in LDAP. And I've added ldap to nsswitch.conf in the group line. The problem is that when a user tries to sudo to a user within their group(s) it errors out saying the user is not in the sudoers file. Also, when I do 'id -a username' it will show the uid, the gid and the group. Has anyone done this before, and if so, what am I missing?



Thanks,



==============================



nsswitch.conf

group: files nis ldap



sample of my sudoers file

##################
# User alias specification #
##################

User_Alias SYSADMIN=%sysadmin
User_Alias DBADMIN=%dba

##################
#Cmnd alias specification#
##################

#GID 14 SYSADMIN is for System Administrators who require ROOT access
# !!!NOTE - THIS GROUP GIVES ROOT ACCESS ON ALL SYSTEMS!!!!
Cmnd_Alias ROOTSHELLS =\
/bin/su -, \
/bin/sh, \
/bin/csh, \
/bin/bash, \
/usr/bin/bash, \
/bin/ksh

#GID 101 DBADMIN is used primarily for the DBA group
Cmnd_Alias DB_ADMIN=\
/bin/su - , \
/bin/sh , \
/bin/csh , \
/bin/su - oracle, \
/bin/kill ?*, \
/bin/rm -i ?*

#####################
# User privilege specification #
#####################

root ALL=(ALL) ALL
SYSADMIN ALL_SERVERS = NOPASSWD:ROOTSHELLS
DBADMIN ALL_SERVERS = DB_ADMIN
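An added diagnostic (not from this thread or any poster) for the two things a `%group` entry in sudoers depends on: the group entry that NSS hands back for the name (with `group: files nis ldap`, the first source that knows the name wins, so a NIS group called sysadmin with an empty member list masks the LDAP one) and the group list reported for the user. The user and group names, and the gid 14 taken from the post's comment, are constructed sample values; the live `diagnose` function assumes `getent` and `id` exist on the host.

```shell
#!/bin/sh
# Added example: check what sudo's %group match will actually see.
# A group(5) line looks like  name:passwd:gid:member1,member2

# Return 0 if USER is listed in the member field of group line LINE.
group_line_lists_user() {
    line=$1; user=$2
    members=$(printf '%s\n' "$line" | cut -d: -f4)
    case ",$members," in
        *",$user,"*) return 0 ;;
    esac
    return 1
}

# Print the gid field of a group line.
group_line_gid() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 if NAME appears in a whitespace-separated list such as `id -Gn` output.
in_group_list() {
    list=$1; name=$2
    for g in $list; do
        [ "$g" = "$name" ] && return 0
    done
    return 1
}

# Live check on the running system: what does NSS return for the group, and does
# that entry name the user? A group the user "has" according to id but whose
# member list (from the first NSS source that answers) is empty will not match.
diagnose() {
    user=$1; group=$2
    line=$(getent group "$group") || { echo "NSS cannot resolve group $group"; return 2; }
    echo "NSS entry for $group: $line (gid $(group_line_gid "$line"))"
    if group_line_lists_user "$line" "$user"; then
        echo "OK: $user is in the member list sudo will see"
    else
        echo "PROBLEM: member list of $group (as returned by NSS) does not contain $user"
        echo "  check whether an earlier source in nsswitch.conf (files/nis) defines $group"
    fi
    in_group_list "$(id -Gn "$user")" "$group" && echo "id -Gn does list $group for $user"
}
```

Run it as `diagnose alice sysadmin` on a DR host and a prod host and compare the NSS entries; a different member list between the two points at the group data, not at sudoers.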
We do this all the time but we don't use NIS, just LDAP. I have noticed some language at Sun's site that the two don't mix. Only one I can find right now: passwd(1) - change login password and password attributes (man pages section 1: User Commands) - Sun Microsystems
If all requirements are met, by default, the passwd command will consult /etc/nsswitch.conf to determine in which repositories to perform password update. It searches the passwd and passwd_compat entries. The sources (repositories) associated with these entries will be updated. However, the password update configurations supported are limited to the following cases. Failure to comply with the configurations will prevent users from logging onto the system. The password update configurations are:

passwd: files
passwd: files ldap
passwd: files nis
passwd: files nisplus
passwd: compat (==> files nis)
passwd: compat (==> files ldap)
passwd_compat: ldap
passwd: compat (==> files nisplus)
passwd_compat: nisplus
Our passwd line looks like so:

passwd: files nis compat

The weird part about this is that I was testing this on our DR servers and it worked fine. I also had a user test this from a different group and it worked fine as well. But when I attempt to do this on a prod server, I get the error "user abc is not in sudoers"....

And our DR servers are set up exactly the same as our prod servers.
Same os version and patch levels?
Originally Posted by Perderabo:
Same os version and patch levels?



yep. all the same
Then I'm stumped. But I bet it will work if you drop NIS.
Yeah... I think I got it figured out. I'm going to play around with it some more and I'll post my results after I test it IF it's successful. But thanks for your help Perderabo!
Source: Solaris
