Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 97249

Summary: app-admin/sudo-1.6.8_p9 breaks LDAP authentication
Product: Gentoo Linux Reporter: Christopher G. Stach II <cgs>
Component: Current packagesAssignee: Tavis Ormandy (RETIRED) <taviso>
Status: RESOLVED NEEDINFO    
Severity: normal CC: eva, lcars
Priority: High    
Version: unspecified   
Hardware: All   
OS: Other   
Whiteboard:
Package list:
Runtime testing required: ---

Description Christopher G. Stach II 2005-06-27 12:53:39 UTC 
It looked suspiciously like a previous PAM issue with pam_stack, so I tried replacing the original PAM config for sudo and it didn't help.  Downgrading back to 1.6.7_p5-r4 makes things work again.

Jun 27 14:40:52 xxx sudo(pam_unix)[21486]: check pass; user unknown
Jun 27 14:40:52 xxx sudo(pam_unix)[21486]: authentication failure; logname=XXX 
uid=0 euid=0 tty=pts/3 ruser= rhost=
Jun 27 14:40:52 xxx sudo[21486]: pam_ldap: ldap_simple_bind Can't contact LDAP 
server

Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.5-20050130, glibc-2.3.4.200
41102-r1, 2.6.11-gentoo-r5 i686)                                                
=================================================================               
System uname: 2.6.11-gentoo-r5 i686 Intel(R) Pentium(R) III CPU family      1400
MHz                                                                             
Gentoo Base System version 1.6.12                                               
Python:              dev-lang/python-2.3.5 [2.3.5 (#1, Apr 29 2005, 21:16:46)]  
dev-lang/python:     2.3.5                                                      
sys-apps/sandbox:    [Not Present]                                              
sys-devel/autoconf:  2.59-r6, 2.13                                              
sys-devel/automake:  1.5, 1.8.5-r3, 1.7.9-r1, 1.6.3, 1.4_p6, 1.9.5              
sys-devel/binutils:  2.15.92.0.2-r10                                            
sys-devel/libtool:   1.5.16                                                     
virtual/os-headers:  2.6.8.1-r2                                                 
ACCEPT_KEYWORDS="x86"                                                           
AUTOCLEAN="yes"                                                                 
CFLAGS="-O3 -march=pentium3 -funroll-loops -fforce-addr -pipe"                  
CHOST="i686-pc-linux-gnu"                                                       
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X1
1/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /var/bind /var/qmail/cont
rol"                                                                            
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"                       
CXXFLAGS="-O3 -march=pentium3 -funroll-loops -fforce-addr -pipe"                
DISTDIR="/com/portage/distfiles"                                                
FEATURES="autoaddcvs autoconfig ccache distlocks fixpackages notitles sandbox sf
perms strict userpriv usersandbox"                                              
GENTOO_MIRRORS="http://gentoo.chem.wisc.edu/gentoo/ ftp://gentoo.chem.wisc.edu/g
entoo/ http://gentoo.netnitco.net ftp://gentoo.mirrors.tds.net/gentoo"          
MAKEOPTS="-j3"                                                                  
PKGDIR="/com/portage/packages"                                                  
PORTAGE_TMPDIR="/var/tmp"                                                       
PORTDIR="/usr/portage"                                                          
PORTDIR_OVERLAY="/com/portage/overlay"                                          
SYNC="rsync://xxx/gentoo-portage"                              
USE="x86 X Xaw3d aalib acl acpi aim alsa apache2 apm berkdb bitmap-fonts bzlib c
dr cjk cluster crypt cscope cups curl eds emboss encode esd ethereal exif fam fo
omaticdb fortran gd gdbm geometry gif gmp gnome gnutls gstreamer gtk gtk2 gtkhtm
l icq imagemagick imap imlib innodb ipv6 jabber java jce jikes jpeg junit kerber
os ldap libg++ libwww maildir mbox mime mmap mmx motif mozilla mp3 mpi msn mysql
 ncurses nls offensive opengl oscar pam pcre pdflib perl plotutils png python re
adline ruby samba sasl sharedmem snmp spell sse ssl tcltk tcpd tiff truetype tru
etype-fonts type1-fonts unicode usb utf8 xml2 xv yahoo zlib userland_GNU kernel_
linux elibc_glibc"                                                              
Unset:  ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
Comment 1 Andrea Barisani (RETIRED) gentoo-dev 2005-06-28 00:12:39 UTC 
Please paste your /etc/pam.d/sudo and /etc/pam.d/system-auth. sudo-1.6.8_p9 works
fine here with pam_ldap with shipped /etc/pam.d/sudo.

Could you try emerging sudo without the ldap USE flag?
Comment 2 Christopher G. Stach II 2005-06-28 05:40:41 UTC 
I can't test the newer one until mmmaybe later tonight.  It's on a production 
machine.

The /etc/pam.d/sudo files are in the sudo FILESDIR.  They were not modified 
after the install.  The working one is files/sudo, the failing one files/sudo-
1.6.8_p8.

/etc/pam.d/system-auth:

#%PAM-1.0

auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_deny.so

account    sufficient   /lib/security/pam_unix.so
#account    [default=bad success=ok user_unknown=ignore service_err=ignore 
system_err=ignore] /lib/security/pam_ldap.so
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_deny.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok use_authtok md5 shadow
password   sufficient   /lib/security/pam_ldap.so use_authtok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0
session    optional     /lib/security/pam_ldap.so
Comment 3 Andrea Barisani (RETIRED) gentoo-dev 2005-06-28 05:42:47 UTC 
pam_ldap: ldap_simple_bind Can't contact LDAP 
server

pam_ldap takes its configuration from /etc/ldap.conf, if pam fails every pam_ldap
app should fail so this doesn't look like a sudo specific issue.

Is passwd working? Are you using ldap for exporting accounts?

Can you test other pam_ldap aware applications?
Comment 4 Christopher G. Stach II 2005-06-28 07:26:33 UTC 
Everything else that is in regular use works properly.  As far as I can tell, 
sudo is the only program affected.  pam_ldap works, else I wouldn't have 
reported this bug.  It also works with the older sudo.  I suppose it's somehow 
magical...
Comment 5 Andrea Barisani (RETIRED) gentoo-dev 2005-06-28 07:32:25 UTC 
Does new sudo works with old sudo pam.d file?
Comment 6 Christopher G. Stach II 2005-06-28 07:36:15 UTC 
I copied the files/sudo config right after it broke to test if that was the 
problem.  It did not seem to help.  I didn't try the sample.pam from the newer 
tar, however.  I will try both again when I get a chance to test.
Comment 7 Andrea Barisani (RETIRED) gentoo-dev 2005-07-05 09:57:01 UTC 
Any further tests about this?
Comment 8 Tavis Ormandy (RETIRED) gentoo-dev 2005-07-10 02:13:16 UTC 
Andrea: Think this is a WFM?

Reporter: Some more information would be helpful, we cant see what could be 
going wrong.
Comment 9 Andrea Barisani (RETIRED) gentoo-dev 2005-07-15 01:51:31 UTC 
Closing as NEEDINFO.