From: "Darek M." <darek@nyi.net>
To: freebsd-questions@freebsd.org
Date: Fri, 07 Nov 2008 14:32:01 -0500
Subject: sudo, LDAP, and Kerberos
Message-ID: <491497B1.80507@nyi.net>
List-Id: User questions (freebsd-questions@freebsd.org)

I'm setting up a centralized Kerberos/LDAP authentication system and trying to get sudo to use a) Kerberos for the password, and b) LDAP for a non-local user's group. Locally on a client system "/etc/sudoers" specifies %sysadmin to be able to sudo to root. I don't need to move "sudoers" to LDAP just yet.

I've had success on some machines compiling sudo from source with --enable-kerb5 and --enable-ldap. But on many other systems sudo segfaults, or returns bus errors, and overall gave me nothing but grief. So I'm looking for alternate ways of supplying sudo with a user's group.

Is it possible to compile sudo (without Kerberos and LDAP support) and configure a pam.d file (/etc/pam.d/sudo) to interact with Kerberos and LDAP?
I created a sudo file with

    # /etc/pam.d/sudo, auth section as posted (the remainder of the file is elided)
    # OPIE one-time password first; "sufficient" means success ends the auth stack
    auth    sufficient  pam_opie.so        no_warn no_fake_prompts
    # refuse OPIE-less logins from non-local sources before trying anything else
    auth    requisite   pam_opieaccess.so  no_warn allow_local
    # Kerberos password, reusing whatever password was already prompted for
    auth    sufficient  pam_krb5.so        warn try_first_pass
    ...

and running sudo (compiled with only a ./configure, no other options) as a non-local user I successfully authenticate, but then sudo has no idea of the group this user belongs to and says "not in the sudoers file".

Is it possible to use PAM as a go-between for sudo and the remote LDAP system to provide sudo with the user's group info? How has everyone else set up a central auth system? Seems to me sudo's configure script has some flaws and I don't want to rely on it. Maybe there's a better way, but aside from sudo acting up, the above would be a fine setup for me.

Any pointers appreciated.

- Darek
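As an added example (editor's code, not part of Darek's message or of the sudo project), a shell check of where sudo's group knowledge actually comes from. PAM only answers "is this password right?"; the %sysadmin test in sudoers is done with the C library's group lookups (getgrnam, getgrouplist and the user's primary gid from passwd), which follow the "group:" and "passwd:" lines in /etc/nsswitch.conf rather than anything in pam.d. So a sudo built with a bare ./configure can still match %sysadmin for an LDAP-only user once an NSS module such as nss_ldap supplies that group. The getent(1) calls, the sample group records and the "group: files ldap" nsswitch line are assumptions for illustration, not something the post shows.

```shell
#!/bin/sh
# Added example: verify, outside sudo, whether NSS (not PAM) can resolve the
# group named in sudoers and whether the user is a member of it. If
# "getent group sysadmin" is empty, sudo will report "not in the sudoers file"
# no matter how authentication went.
# Assumed nsswitch.conf entries on the client (FreeBSD with net/nss_ldap):
#   group:  files ldap
#   passwd: files ldap

# user_in_group_line LINE USER
# LINE is one group(5) record: "name:passwd:gid:member1,member2,...".
# Returns 0 if USER appears in the member list, 1 otherwise. Whole-token,
# fixed-string match, so "dare" does not match "darek".
user_in_group_line() {
    members=$(printf '%s\n' "$1" | cut -d: -f4)
    printf '%s\n' "$members" | tr ',' '\n' | grep -qxF -- "$2"
}

# group_gid_from_line LINE: print the numeric gid field of a group(5) record
group_gid_from_line() {
    printf '%s\n' "$1" | cut -d: -f3
}

# check_sudo_group GROUP USER
# Runs the real NSS lookups on this host via getent(1) (present on FreeBSD
# and glibc systems) and explains the outcome in the terms sudo will use.
check_sudo_group() {
    group=$1; user=$2
    line=$(getent group "$group") || {
        echo "NSS cannot resolve group '$group': sudo can never match %$group"
        echo "  -> check the 'group:' line in /etc/nsswitch.conf and the nss_ldap setup"
        return 1
    }
    if user_in_group_line "$line" "$user"; then
        echo "'$user' is a supplementary member of '$group': %$group in sudoers will match"
        return 0
    fi
    # A primary group is not listed in the member field; sudo also checks the
    # gid recorded in the user's passwd entry.
    pw_gid=$(getent passwd "$user" | cut -d: -f4)
    if [ -n "$pw_gid" ] && [ "$pw_gid" = "$(group_gid_from_line "$line")" ]; then
        echo "'$user' has '$group' as primary group: %$group in sudoers will match"
        return 0
    fi
    echo "'$user' is not in '$group' as far as NSS knows: expect 'not in the sudoers file'"
    return 1
}

# Constructed sample records (not real accounts) so the parsing can be
# exercised without an LDAP server or a real sysadmin group:
SAMPLE_GROUP='sysadmin:*:2000:darek,alice'
SAMPLE_OTHER='staff:*:20:bob'

# Usage on a real client: check_sudo_group sysadmin darek
```

Run check_sudo_group with the group named in sudoers and the LDAP user who is being refused; if the first lookup fails, the problem is the NSS configuration, and no amount of PAM stacking in /etc/pam.d/sudo will change sudo's answer.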