[CentOS] sudo (+ldap+kerberos) not accepting password

Mon Jan 20 07:49:11 UTC 2014
Mauricio Tavares <raubvogel at gmail.com>

On Sun, Jan 19, 2014 at 6:12 PM, Mauricio Tavares <raubvogel at gmail.com> wrote:
> So I have this centos 5.10 box which authenticates network users
> against ldap(authorizing)+kerberos(authentication). And I now would
> like to have sudo be able to allow admins (netgroup chinbeards) to
> sudo about. I am not using sssd though (yet).
>
> Here is the output of me trying sudo (debug on):
>
> [raub at centos5-x64 ~]$ sudo pwd
> LDAP Config Summary
> ===================
> uri              ldap://idir1.internal.domain.com/
> ldap://idir2.internal.domain.com/
> ldap_version     3
> sudoers_base     ou=SUDOers,dc=domain,dc=com
> binddn           (anonymous)
> bindpw           (anonymous)
> bind_timelimit   120000
> timelimit        120
> ssl              start_tls
> tls_cacertdir    /etc/openldap/cacerts
> ===================
> sudo: ldap_initialize(ld, ldap://idir1.internal.domain.com/
> ldap://idir2.internal.domain.com/)
> sudo: ldap_set_option: debug -> 0
> sudo: ldap_set_option: ldap_version -> 3
> sudo: ldap_set_option: tls_cacertdir -> /etc/openldap/cacerts
> sudo: ldap_set_option: timelimit -> 120
> sudo: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT, 120)
>
> sudo: ldap_start_tls_s() ok
> sudo: ldap_sasl_bind_s() ok
> sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=com
> sudo: ldap sudoOption: 'env_keep+=SSH_AGENT_PID'
> sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK'
> sudo: ldap sudoOption: 'env_keep+=SVN_SSH'
> sudo: ldap sudoOption: 'env_reset'
> sudo: ldap sudoOption: 'ignore_local_sudoers'
> sudo: ldap search
> '(|(sudoUser=raub)(sudoUser=%raub)(sudoUser=%chinbeards)(sudoUser=ALL))'
> sudo: ldap search 'sudoUser=+*'
> sudo: found:cn=defaults,ou=SUDOers,dc=domain,dc=com
> sudo: ldap sudoUser netgroup '+chinbeards' ... MATCH!
> sudo: ldap sudoHost 'ALL' ... MATCH!
> sudo: ldap sudoCommand 'ALL' ... MATCH!
> sudo: Command allowed
> sudo: ldap sudoOption: 'env_keep+=SSH_AGENT_PID'
> sudo: ldap sudoOption: 'env_keep+=SSH_AUTH_SOCK'
> sudo: ldap sudoOption: 'env_keep+=SVN_SSH'
> sudo: ldap sudoOption: 'env_reset'
> sudo: ldap sudoOption: 'ignore_local_sudoers'
> sudo: user_matches=1
> sudo: host_matches=1
> sudo: sudo_ldap_lookup(0)=0x02
> [sudo] password for raub:
>
> It seems to me that it had no issues finding that I belong to the
> netgroup chinbeards (allowed to sudo), and realizing I can do a
> command. So, to me the sudo+ldap part of the transaction
> (authorization, kind of what is mentioned in
> http://www.sudo.ws/sudoers.ldap.man.html and
> http://www.gratisoft.us/sudo/readme_ldap.html) seem to be fine.
>
> But, in the next step -- it asks for password -- is when things get
> interesting. At this point I would expect it to pass that to pam,
> which would then authenticate me with kerberos (I wonder if it would
> work by checking if I have a valid kerberos ticket. That is what
> happens when I, say, do ldapsearch. but I digress). But, according to
> /var/log/secure,
>
> Jan 17 10:07:13 centos5-x64 sudo: pam_unix(sudo:auth): authentication
> failure; logname=raub uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=
> user=raub
>
> It seems to have failed to authenticate me. Would it be due to pam not
> knowing about kerberos?
>
> Reading http://www.centos.org/docs/5/html/5.2/Deployment_Guide/s1-kerberos-pam.html,
> should I be able to get pam_krb5 in, say, /etc/pam.d/system-auth like
> this:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_krb5.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_krb5.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_mkhomedir.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_krb5.so

      Ok, I am not saying what I wrote above is proper, but the auth
entry is enough to satisfy sudo. But how do I now tell authconfig to
edit the file properly? The way I did it was

authconfig --enableldap --enableldaptls \
    --ldapserver=idir1.internal.domain.com,idir2.internal.domain.com \
    --ldapbasedn=dc=domain,dc=com --enablekrb5 --passalgo=sha512 \
    --disablemd5 --update

but that does not seem to add the line to /etc/pam.d/system-auth to
tell it that kerberos is in the house.
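The question of whether authconfig actually put pam_krb5 into the auth stack of /etc/pam.d/system-auth, and whether it landed somewhere a network user can reach it before the catch-all pam_deny.so, can be checked mechanically. The parser below is an added example written for this page, not code from the original post or from authconfig; it assumes the stock Linux-PAM line syntax (`type control module [args]`, with `#` comments, backslash continuations and bracketed `[value=action ...]` controls). The two sample stacks are constructed from the system-auth quoted above, one with and one without the `auth sufficient pam_krb5.so use_first_pass` line, and stand in for reading the real file.

```python
import re

# Constructed sample, modelled on the system-auth quoted in the post but with
# the pam_krb5 auth line left out, i.e. what the poster reports authconfig
# produced.  Not taken from a real host.
SYSTEM_AUTH_NO_KRB5 = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok \\
                          try_first_pass use_authtok
password    required      pam_deny.so
"""

# The same stack with the pam_krb5 auth line in the position the post shows:
# after pam_unix (try_first_pass) and before the final pam_deny.
SYSTEM_AUTH_WITH_KRB5 = SYSTEM_AUTH_NO_KRB5.replace(
    "auth        required      pam_deny.so",
    "auth        sufficient    pam_krb5.so use_first_pass\n"
    "auth        required      pam_deny.so",
)

# type, control (keyword or bracketed list), module path, remaining args
_LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam_stack(text):
    """Parse pam.d-style text into (type, control, module, args) tuples.

    Handles '#' comments, blank lines, backslash continuations and bracketed
    '[value=action ...]' controls.  A leading '-' on the type (which only
    silences missing-module errors) is stripped.
    """
    entries = []
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = (pending + line).strip(), ""
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("unparsable PAM line: %r" % line)
        ptype, control, module, args = m.groups()
        entries.append((ptype.lstrip("-"), control, module, args.split()))
    return entries


def phase_modules(entries, phase):
    """Module names of one management group (auth, account, ...) in stack order."""
    return [module for ptype, _, module, _ in entries if ptype == phase]


def module_reachable(entries, phase, module):
    """True if `module` appears in `phase` before the catch-all pam_deny.so.

    A module listed after 'required pam_deny.so' is still executed, but the
    stack result is already failure at that point, so it cannot grant access.
    """
    for ptype, control, mod, _ in entries:
        if ptype != phase:
            continue
        if mod == module:
            return True
        if mod == "pam_deny.so" and control in ("required", "requisite"):
            return False
    return False


def module_args(entries, phase, module):
    """Arguments of the first occurrence of `module` in `phase`, or None."""
    for ptype, _, mod, args in entries:
        if ptype == phase and mod == module:
            return args
    return None


if __name__ == "__main__":
    # Replace the constructed samples with open("/etc/pam.d/system-auth").read()
    # to check a real host.
    for name, text in (("without", SYSTEM_AUTH_NO_KRB5),
                       ("with", SYSTEM_AUTH_WITH_KRB5)):
        stack = parse_pam_stack(text)
        print(name, "pam_krb5 auth line:", phase_modules(stack, "auth"),
              "reachable:", module_reachable(stack, "auth", "pam_krb5.so"),
              "args:", module_args(stack, "auth", "pam_krb5.so"))
```

The two things worth confirming on the real file are that `pam_krb5.so` is present in the auth group at all (the post's complaint) and that it carries `use_first_pass`, so the password sudo prompted for is reused rather than asked a second time; the account-group line with the bracketed control is parsed the same way, which is where a hand edit most often goes wrong.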