[ale] sudo, ldap, local user, SLOW!

krwatson at cc.gatech.edu
Mon Sep 29 11:10:42 EDT 2008


James,

I talked to the guys in our shop that ran into this same problem.

You need the latest versions of sudo and nss and you need to be at RHEL 5 update 2. nss was broken in update 1.

They said you could do a yum remove nss-devel then do a yum update to get the latest nss.

keith

--

Keith R. Watson                        Georgia Institute of Technology
Systems Support Specialist IV          College of Computing
keith.watson at cc.gatech.edu             801 Atlantic Drive NW
(404) 385-7401                         Atlanta, GA  30332-0280

> -----Original Message-----
> From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Jim
> Kinney
> Sent: Saturday, September 27, 2008 08:57
> To: ale at ale.org
> Subject: [ale] sudo, ldap, local user, SLOW!
>
> I have a strange problem that I'm not finding a solution to.
>
> Server (redhat 5 EL) uses ldap for user authentication and also has some
> local accounts that are not in ldap. nsswitch is set for files ldap for
> passwd.
> I can run "getent passwd | grep localuser" and it returns correct data in
> about .5 seconds. It does the same for an ldap account check.
>
> The fun begins when an ldap user tries to run "sudo su - localuser".
> (localuser is a process account like "oracle" and others) What the user
> sees is 2+ minutes of system hang then success. What I see when tailing
> logs is sudo trying to talk through ldap to get authentication. It shows
> no connection, failure to bind errors. It eventually times out and at that
> time the user sees the successful su change.
>
> sudoers file allows the ldap user to use su.
>
> I'm suspicious that something is not talking right with PAM for sudo. It
> _should_ be getting all its user credentialling through PAM. But the sudo
> module in PAM is calling system-auth which _has_ the proper local file,
> ldap stuff since that's how logins are handled.
>
> ?????ideas?????
>
> --
> --
> James P. Kinney III
>



