It looked suspiciously like a previous PAM issue with pam_stack, so I tried replacing the original PAM config for sudo and it didn't help. Downgrading back to 1.6.7_p5-r4 makes things work again.

Jun 27 14:40:52 xxx sudo(pam_unix)[21486]: check pass; user unknown
Jun 27 14:40:52 xxx sudo(pam_unix)[21486]: authentication failure; logname=XXX uid=0 euid=0 tty=pts/3 ruser= rhost=
Jun 27 14:40:52 xxx sudo[21486]: pam_ldap: ldap_simple_bind Can't contact LDAP server

Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.5-20050130, glibc-2.3.4.20041102-r1, 2.6.11-gentoo-r5 i686)
=================================================================
System uname: 2.6.11-gentoo-r5 i686 Intel(R) Pentium(R) III CPU family 1400 MHz
Gentoo Base System version 1.6.12
Python: dev-lang/python-2.3.5 [2.3.5 (#1, Apr 29 2005, 21:16:46)]
dev-lang/python: 2.3.5
sys-apps/sandbox: [Not Present]
sys-devel/autoconf: 2.59-r6, 2.13
sys-devel/automake: 1.5, 1.8.5-r3, 1.7.9-r1, 1.6.3, 1.4_p6, 1.9.5
sys-devel/binutils: 2.15.92.0.2-r10
sys-devel/libtool: 1.5.16
virtual/os-headers: 2.6.8.1-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O3 -march=pentium3 -funroll-loops -fforce-addr -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O3 -march=pentium3 -funroll-loops -fforce-addr -pipe"
DISTDIR="/com/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks fixpackages notitles sandbox sfperms strict userpriv usersandbox"
GENTOO_MIRRORS="http://gentoo.chem.wisc.edu/gentoo/ ftp://gentoo.chem.wisc.edu/gentoo/ http://gentoo.netnitco.net ftp://gentoo.mirrors.tds.net/gentoo"
MAKEOPTS="-j3"
PKGDIR="/com/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/com/portage/overlay"
SYNC="rsync://xxx/gentoo-portage"
USE="x86 X Xaw3d aalib acl acpi aim alsa apache2 apm berkdb bitmap-fonts bzlib cdr cjk cluster crypt cscope cups curl eds emboss encode esd ethereal exif fam foomaticdb fortran gd gdbm geometry gif gmp gnome gnutls gstreamer gtk gtk2 gtkhtml icq imagemagick imap imlib innodb ipv6 jabber java jce jikes jpeg junit kerberos ldap libg++ libwww maildir mbox mime mmap mmx motif mozilla mp3 mpi msn mysql ncurses nls offensive opengl oscar pam pcre pdflib perl plotutils png python readline ruby samba sasl sharedmem snmp spell sse ssl tcltk tcpd tiff truetype truetype-fonts type1-fonts unicode usb utf8 xml2 xv yahoo zlib userland_GNU kernel_linux elibc_glibc"
Unset: ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
Please paste your /etc/pam.d/sudo and /etc/pam.d/system-auth. sudo-1.6.8_p9 works fine here with pam_ldap with shipped /etc/pam.d/sudo. Could you try emerging sudo without the ldap USE flag?
I can't test the newer one until mmmaybe later tonight. It's on a production machine. The /etc/pam.d/sudo files are in the sudo FILESDIR. They were not modified after the install. The working one is files/sudo, the failing one files/sudo-1.6.8_p8.

/etc/pam.d/system-auth:

#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
#account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0
session optional /lib/security/pam_ldap.so
pam_ldap: ldap_simple_bind Can't contact LDAP server

pam_ldap takes its configuration from /etc/ldap.conf; if pam fails, every pam_ldap app should fail, so this doesn't look like a sudo-specific issue. Is passwd working? Are you using ldap for exporting accounts? Can you test other pam_ldap aware applications?
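How the auth stack of the posted system-auth resolves for the module results seen in the log, as an added example that is not part of the original thread. It is a simplified evaluator for the classic required/requisite/sufficient flags only; the function names are hypothetical, and bracketed controls and the sudo service file (not posted) are not modelled.

```python
# Auth lines constructed from the /etc/pam.d/system-auth posted in this thread.
AUTH_STACK = """\
#%PAM-1.0
auth required   /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required   /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so
"""


def parse_stack(text, mgmt="auth"):
    """Return [(control, module)] for one management group, skipping comments."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mgmt:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack


def evaluate(stack, results):
    """Simplified PAM evaluation; results maps module -> True for PAM_SUCCESS."""
    required_failed = False
    trace = []
    for control, module in stack:
        ok = results.get(module, False)
        trace.append((module, control, ok))
        if not ok and control == "requisite":
            return False, trace          # fail immediately
        if not ok and control == "required":
            required_failed = True       # remember, keep running the stack
        if ok and control == "sufficient" and not required_failed:
            return True, trace           # stop here with success
    return not required_failed, trace


def outcome(unix_ok, ldap_ok):
    """Hypothetical helper: run the posted auth stack for given module results."""
    results = {"pam_env.so": True, "pam_unix.so": unix_ok,
               "pam_ldap.so": ldap_ok, "pam_deny.so": False}  # pam_deny always fails
    return evaluate(parse_stack(AUTH_STACK), results)


if __name__ == "__main__":
    # Last case matches the report: pam_unix "user unknown", pam_ldap cannot bind.
    for case in [(True, False), (False, True), (False, False)]:
        granted, trace = outcome(*case)
        print(case, "granted" if granted else "denied", [m for m, _, _ in trace])
```

In this model the stack denies only when both pam_unix and pam_ldap fail, which is the combination the three log lines in the report show.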
Everything else that is in regular use works properly. As far as I can tell, sudo is the only program affected. pam_ldap works, else I wouldn't have reported this bug. It also works with the older sudo. I suppose it's somehow magical...
Does the new sudo work with the old sudo pam.d file?
I copied the files/sudo config right after it broke to test if that was the problem. It did not seem to help. I didn't try the sample.pam from the newer tar, however. I will try both again when I get a chance to test.
Any further tests about this?
Andrea: Think this is a WFM? Reporter: Some more information would be helpful, we can't see what could be going wrong.
Closing as NEEDINFO.