sudo-ldap fails authentication with pam_krb5.so
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
sudo (Ubuntu) | New | Undecided | Unassigned | | |
Bug Description
Binary package hint: sudo-ldap
Using sudo-ldap with pam_krb5.so always results in a failure, even if pam_krb5.so returns success.
A workaround for this need might be to set the sudoOption field to !authenticate (which will turn off auth).
The relevant information in /var/log/auth.log:
Nov 25 15:01:05 ldap-client-test sudo: pam_krb5(
Nov 25 15:01:05 ldap-client-test sudo: pam_krb5(
Nov 25 15:01:10 ldap-client-test sudo: pam_krb5(
Nov 25 15:01:10 ldap-client-test sudo: pam_krb5(
When running sudo in debug mode:
andjon@
LDAP Config Summary
===================
uri ldap://
ldap_version 3
sudoers_base ou=clients,
binddn (anonymous)
bindpw (anonymous)
bind_timelimit 5000
timelimit 120
ssl (no)
use_sasl yes
sasl_auth_id (NONE)
rootuse_sasl -1
rootsasl_auth_id (NONE)
sasl_secprops (NONE)
krb5_ccname (NONE)
===================
sudo: ldap_initialize(ld, ldap://
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 120
sudo: ldap_set_
sudo: ldap_sasl_
sudo: no default options found!
sudo: ldap search '(|(sudoUser=
sudo: found:cn=
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoRunAsUser 'root' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_
[sudo] password for andjon:
Sorry, try again.
/etc/sudo-ldap.conf
uri ldap://
rootbinddn uid=ro,
scope sub
timelimit 120
bind_timelimit 5
bind_policy soft
idle_timelimit 3600
nss_initgroups_
referrals no
TLS_REQCERT never
use_sasl on
pam_sasl_mech GSSAPI
GSSAPI_ENCRYPT on
GSSAPI_SIGN on
sudoers_debug 4
SUDOERS_BASE ou=clients,