sudo-ldap fails authentication with pam_krb5.so

Bug #681404 reported by Andreas Jonsson
Affects: sudo (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: sudo-ldap

Using sudo-ldap with pam_krb5.so always results in a failure, even if pam_krb5.so returns success.
A workaround for this might be to set the sudoOption field to !authenticate (which turns off authentication).

The relevant information in /var/log/auth.log:
Nov 25 15:01:05 ldap-client-test sudo: pam_krb5(sudo:auth): pam_sm_authenticate: entry (0x8000)
Nov 25 15:01:05 ldap-client-test sudo: pam_krb5(sudo:auth): (user andjon) attempting authentication as <email address hidden>
Nov 25 15:01:10 ldap-client-test sudo: pam_krb5(sudo:auth): user andjon authenticated as <email address hidden>
Nov 25 15:01:10 ldap-client-test sudo: pam_krb5(sudo:auth): pam_sm_authenticate: exit (success)

When running sudo in debug mode:

andjon@ldap-client-test:~$ sudo /bin/ls
LDAP Config Summary
===================
uri ldap://ldap.inv.intrealm.com
ldap_version 3
sudoers_base ou=clients,ou=sudoers,dc=intrealm,dc=com
binddn (anonymous)
bindpw (anonymous)
bind_timelimit 5000
timelimit 120
ssl (no)
use_sasl yes
sasl_auth_id (NONE)
rootuse_sasl -1
rootsasl_auth_id (NONE)
sasl_secprops (NONE)
krb5_ccname (NONE)
===================
sudo: ldap_initialize(ld, ldap://ldap.inv.intrealm.com)
sudo: ldap_set_option: debug -> 0
sudo: ldap_set_option: ldap_version -> 3
sudo: ldap_set_option: timelimit -> 120
sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 5)

sudo: ldap_sasl_interactive_bind_s() ok
sudo: no default options found!
sudo: ldap search '(|(sudoUser=andjon)(sudoUser=%unix)(sudoUser=ALL))'
sudo: found:cn=root,ou=clients,ou=sudoers,dc=intrealm,dc=com
sudo: ldap sudoHost 'ALL' ... MATCH!
sudo: ldap sudoRunAsUser 'root' ... MATCH!
sudo: ldap sudoCommand 'ALL' ... MATCH!
sudo: Command allowed
sudo: user_matches=1
sudo: host_matches=1
sudo: sudo_ldap_lookup(0)=0x02
[sudo] password for andjon:
Sorry, try again.

/etc/sudo-ldap.conf:
uri ldap://ldap.inv.intrealm.com
rootbinddn uid=ro,dc=intrealm,dc=com
scope sub
timelimit 120
bind_timelimit 5
bind_policy soft
idle_timelimit 3600
nss_initgroups_ignoreusers apache,avahi,avahi-autoipd,backup,bin,couchdb,daemon,games,gdm,gnats,gsfish,haldaemon,hplip,htdocs,irc,kernoops,ldap,libuuid,list,lp,mail,man,messagebus,nagios,named,news,proxy,pulse,puppet,root,rtkit,saned,speech-dispatcher,splunk,sync,sys,syslog,tomcat,usbmux,uucp,weblogic,www-data
referrals no
TLS_REQCERT never
use_sasl on
pam_sasl_mech GSSAPI
GSSAPI_ENCRYPT on
GSSAPI_SIGN on
sudoers_debug 4
SUDOERS_BASE ou=clients,ou=sudoers,dc=intrealm,dc=com
