AIX Open Source

Share your experiences and connect with fellow developers to discover how to build and manage open source software for the AIX operating system

SUDO ( sudo-1.9.5p2-1.ppc) not working correctly

  • 1.  SUDO ( sudo-1.9.5p2-1.ppc) not working correctly

    Posted Thu November 11, 2021 10:40 AM

    We can log in to our AIX servers with a user account.
    This user account is checked on an IPA server (Red Hat IdM).
    After login I receive the shell prompt and try to use sudo to become root with sudo su -, and I receive the following messages:
    /home/embeek# sudo su -
    embeek's Password:
    embeek is not allowed to run sudo on SAWELZ002. This incident will be reported.

    Suddenly this is not working anymore.

    Same when I check this as root:
    SAWELZ002[ACC]:/var/log# sudo -lU embeek
    User embeek is not allowed to run sudo on SAWELZ002.

    The authentication is granted by the IPA server (Red Hat IdM).

    We registered a case at Red Hat (Red Hat Case 03069612), but they can't find anything on the IPA server.
    The only thing they see in the logs is the authentication for the login, but no requests for sudo.
    Red Hat suggested creating a case at IBM, but IBM support closed the case (TS007504003) with:

    Since only sudo is failing, and sudo is not supported by AIX support, customer will need to use the AIX open source forum for assistance with sudo. 

    Native AIX login with su - (from root) is working for this LDAP user, so they stated:

    If LDAP auth works for native AIX programs like su/telnet/ssh, then secldapclntd is working fine.

    Customer needs to show that the issue is not specific to sudo.

    Any idea how to solve this issue?

    Regards,

    Emiel

    ------------------------------
    Emiel van ter Beek
    ------------------------------


  • 2.  RE: SUDO ( sudo-1.9.5p2-1.ppc) not working correctly

    Posted Fri November 12, 2021 04:01 AM
    Hi Emiel,

    Was this same version working before, or is it the first time you are trying this sudo?
    And was any previous version of sudo working fine?

    To start with, you can create /etc/sudo.conf file with the below entries.

    Debug sudo /var/log/sudo_debug.log all@debug
    Debug sudoers.so /var/log/sudo_debug.log all@debug

    This might give some hints.

    ------------------------------
    SANGAMESH
    ------------------------------



  • 3.  RE: SUDO ( sudo-1.9.5p2-1.ppc) not working correctly

    Posted Fri November 12, 2021 04:26 AM

    Hi Sangamesh,

    This version of sudo did work before.

    Already enabled the debugging for sudo and see this:

    Nov 12 09:42:36 sudo[6422860] <- sudo_ldap_build_pass1 @ ./ldap.c:1079 := (&(objectClass=sudoRole)(|(sudoUser=embeek)(sudoUser=#869000040)(sudoUser=%embeek)(sudoUser=%#869000040)(sudoUser=%iaas-specials-generic-aix-access-all)(sudoUser=%titan-hbac-admin)(sudoUser=%titan-computer-admin)(sudoUser=%titan-sudoer-admin)(sudoUser=%titan-group-admin)(sudoUser=%titan-account-admin)(sudoUser=%titan-dns-admin)(sudoUser=%#869000035)(sudoUser=%#869000024)(sudoUser=%#869000023)(sudoUser=%#869000022)(sudoUser=%#869000020)(sudoUser=%#869000019)(sudoUser=%#869000017)(sudoUser=ALL)))
    Nov 12 09:42:36 sudo[6422860] ldap search '(&(objectClass=sudoRole)(|(sudoUser=embeek)(sudoUser=#869000040)(sudoUser=%embeek)(sudoUser=%#869000040)(sudoUser=%iaas-specials-generic-aix-access-all)(sudoUser=%titan-hbac-admin)(sudoUser=%titan-computer-admin)(sudoUser=%titan-sudoer-admin)(sudoUser=%titan-group-admin)(sudoUser=%titan-account-admin)(sudoUser=%titan-dns-admin)(sudoUser=%#869000035)(sudoUser=%#869000024)(sudoUser=%#869000023)(sudoUser=%#869000022)(sudoUser=%#869000020)(sudoUser=%#869000019)(sudoUser=%#869000017)(sudoUser=ALL)))'
    Nov 12 09:42:36 sudo[6422860] searching from base 'ou=sudoers,dc=titan,dc=kpn,dc=org'
    Nov 12 09:42:36 sudo[6422860] ldap search pass 1 failed: Inappropriate authentication
    Nov 12 09:42:36 sudo[6422860] -> sudo_ldap_build_pass2 @ ./ldap.c:1108
    Nov 12 09:42:36 sudo[6422860] <- sudo_ldap_build_pass2 @ ./ldap.c:1145 := (&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))
    Nov 12 09:42:36 sudo[6422860] ldap search '(&(objectClass=sudoRole)(sudoUser=*)(sudoUser=+*))'
    Nov 12 09:42:36 sudo[6422860] searching from base 'ou=sudoers,dc=titan,dc=kpn,dc=org'
    Nov 12 09:42:36 sudo[6422860] ldap search pass 2 failed: Inappropriate authentication

    Any idea?

    I don't want to upload a complete debug logfile for security reasons.

    Regards,

    Emiel 



    ------------------------------
    Emiel van ter Beek
    ------------------------------



  • 4.  RE: SUDO ( sudo-1.9.5p2-1.ppc) not working correctly

    Posted Mon November 15, 2021 06:35 AM
    Hi Sangamesh,

    Any ideas?

    I did another test, which results in the same error message:
    # /opt/freeware/bin/ldapsearch -h ********.*****.kpn.org -x -b "ou=SUDOers,dc=*****,dc=***,dc=org"
    # extended LDIF
    #
    # LDAPv3
    # base <ou=SUDOers,dc=*****,dc=***,dc=org> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # search result
    search: 2
    result: 48 Inappropriate authentication
    text: Anonymous access is not allowed.

    # numResponses: 1

    ------------------------------
    Emiel van ter Beek
    ------------------------------



  • 5.  RE: SUDO ( sudo-1.9.5p2-1.ppc) not working correctly

    Posted Mon November 15, 2021 09:21 AM
    Hi Emiel,

    Not sure about the exact issue.
    You mentioned that this version worked before.
    Was there any change in the version of openldap or some dependencies?
    Do we also need to provide a password to have ldapsearch work?
    Also please enable the LDAP debugging to see if we get more of an idea.



    ------------------------------
    SANGAMESH
    ------------------------------



  • 6.  RE: SUDO ( sudo-1.9.5p2-1.ppc) not working correctly

    Posted Wed November 17, 2021 04:13 AM
    Hi Sangamesh,

    There were no version changes of openldap or other dependencies....
    For ldapsearch we normally need a password to get a response (-D and -w).

    ------------------------------
    Emiel van ter Beek
    ------------------------------



  • 7.  RE: SUDO ( sudo-1.9.5p2-1.ppc) not working correctly

    Posted Wed November 17, 2021 05:35 AM

    Hi Sangamesh,

    I was able to fix it by adding rootbinddn to /etc/ldap.conf, putting the password in /etc/ldap.secret, and restarting the LDAP client daemon with:
    restart-secldapclntd

    I think something was changed on IPA (LDAP) server side....

    we have to check this with the server admin



    ------------------------------
    Emiel van ter Beek
    ------------------------------



  • 8.  RE: SUDO ( sudo-1.9.5p2-1.ppc) not working correctly

    Posted Thu November 18, 2021 02:40 AM
    Hi Sangamesh,

    On the IPA (LDAP) server they did some hardening, and as a result anonymous authentication was disabled.

    The solution is to add rootbinddn or binddn + bindpw to /etc/ldap.conf, which is used by sudo only.

    Regards.

    ------------------------------
    Emiel van ter Beek
    ------------------------------



  • 9.  RE: SUDO ( sudo-1.9.5p2-1.ppc) not working correctly

    Posted Thu November 18, 2021 03:49 AM
    Hi Emiel,

    Thanks for the update.
    It would be helpful for future reference.

    ------------------------------
    SANGAMESH
    ------------------------------



  • 10.  RE: SUDO ( sudo-1.9.5p2-1.ppc) not working correctly

    Posted Thu November 18, 2021 04:10 AM

    Also note the following:

    Sudo is using its own LDAP configuration (/etc/ldap.conf) to bind to the LDAP server; it doesn't bind through secldapclntd.

    Restarting secldapclntd is irrelevant, as it does not read /etc/ldap.conf or /etc/ldap.secret.

    ------------------------------
    Emiel van ter Beek
    ------------------------------



  • 11.  RE: SUDO ( sudo-1.9.5p2-1.ppc) not working correctly

    Posted Thu November 18, 2021 05:17 AM

    Hi Emiel,

    Again, that's because you installed sudo_ldap. sudo_ids uses secldapclntd.....

    KR,LG

    Jürgen
  • 12.  RE: SUDO ( sudo-1.9.5p2-1.ppc) not working correctly

    Posted Thu November 18, 2021 06:10 AM
    Hi Juergen,

    Thanks, I know, but when we did the configuration for using the IPA (LDAP) server we followed the documentation provided by our FreeIPA server admins.

    SUDO Integration for AIX - FreeIPA

    we won't change to sudo_ids for now ;-)

    regards

    ------------------------------
    Emiel van ter Beek
    ------------------------------



  • 13.  RE: SUDO ( sudo-1.9.5p2-1.ppc) not working correctly

    Posted Thu November 18, 2021 06:25 AM

    Hi Emiel,

    As we're working in banking, the password inside the conf is diagnosed to be evil .....

    Secldap is accepted in a PCI environment, as it encrypts the passwords inside the key database.

    Glad to see, that you found the error.
    KR,LG

    Jürgen
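
Two checks that follow from posts 3, 8, 10 and 13, written as an added example (not code from the thread, from sudo or from FreeIPA): a counter for the "ldap search pass N failed: Inappropriate authentication" lines in a sudo debug log, and an audit of the ldap.conf that sudo-ldap reads for a bind identity (rootbinddn, or binddn + bindpw, the keys named in post 8) plus a permission check on the secret file that holds the rootbinddn password, which is the concern raised in post 13. File paths are parameters so the script can run against copies; on a real host they would be /etc/ldap.conf and /etc/ldap.secret. All sample files below are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes sudo-ldap style keys
# (rootbinddn, binddn, bindpw) in an ldap.conf-like file; paths are arguments.

# Count sudo debug-log lines that show the LDAP bind being rejected.
# (grep -c prints 0 and exits 1 when nothing matches; keep the 0.)
count_ldap_auth_failures() {
    grep -c 'ldap search pass [0-9]* failed: Inappropriate authentication' "$1" || :
}

# Read the first value of a key from an ldap.conf-style file.
# Keys are matched case-insensitively; comments and blank lines are skipped.
ldap_conf_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    sed -e 's/#.*//' "$1" | awk -v k="$key" 'tolower($1)==k {print $2; exit}'
}

# Return codes:
#   0 - authenticated bind configured (rootbinddn with a root-only secret,
#       or binddn + bindpw)
#   1 - no bind identity: sudo binds anonymously, which a server that
#       forbids anonymous access answers with "Inappropriate authentication"
#   2 - rootbinddn is set but the secret file is missing or readable by others
check_sudo_ldap_bind() {
    conf=$1
    secret=$2
    rootbinddn=$(ldap_conf_value "$conf" rootbinddn)
    binddn=$(ldap_conf_value "$conf" binddn)
    bindpw=$(ldap_conf_value "$conf" bindpw)

    if [ -n "$rootbinddn" ]; then
        if [ ! -f "$secret" ]; then
            echo "rootbinddn set but $secret is missing"
            return 2
        fi
        # First 10 characters of ls -l is the mode string; portable across AIX/Linux.
        perm=$(ls -ld "$secret" | cut -c1-10)
        case "$perm" in
            -rw-------|-r--------)
                echo "rootbinddn=$rootbinddn, secret $secret is owner-only ($perm)"
                return 0 ;;
            *)
                echo "rootbinddn set but $secret is readable by others ($perm)"
                return 2 ;;
        esac
    fi
    if [ -n "$binddn" ] && [ -n "$bindpw" ]; then
        echo "binddn=$binddn with bindpw stored in plaintext in $conf"
        return 0
    fi
    echo "no rootbinddn/binddn in $conf: sudo will bind anonymously"
    return 1
}

# --- constructed sample input (not taken from the thread) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/sudo_debug.log" <<'EOF'
Nov 12 09:42:36 sudo[6422860] searching from base 'ou=sudoers,dc=example,dc=org'
Nov 12 09:42:36 sudo[6422860] ldap search pass 1 failed: Inappropriate authentication
Nov 12 09:42:36 sudo[6422860] ldap search pass 2 failed: Inappropriate authentication
EOF
cat > "$demo_dir/ldap.conf.anon" <<'EOF'
# sudo-ldap configuration without a bind identity (anonymous bind)
uri ldap://ipa.example.org
sudoers_base ou=sudoers,dc=example,dc=org
EOF
cat > "$demo_dir/ldap.conf.fixed" <<'EOF'
uri ldap://ipa.example.org
sudoers_base ou=sudoers,dc=example,dc=org
rootbinddn uid=sudo-bind,cn=sysaccounts,cn=etc,dc=example,dc=org
EOF
printf 'constructed-password\n' > "$demo_dir/ldap.secret"
chmod 600 "$demo_dir/ldap.secret"

echo "auth failures in debug log: $(count_ldap_auth_failures "$demo_dir/sudo_debug.log")"
check_sudo_ldap_bind "$demo_dir/ldap.conf.anon"  "$demo_dir/ldap.secret" || echo "  -> rc=$?"
check_sudo_ldap_bind "$demo_dir/ldap.conf.fixed" "$demo_dir/ldap.secret" || echo "  -> rc=$?"
chmod 644 "$demo_dir/ldap.secret"   # simulate a secret left world-readable
check_sudo_ldap_bind "$demo_dir/ldap.conf.fixed" "$demo_dir/ldap.secret" || echo "  -> rc=$?"
rm -rf "$demo_dir"
```

The two non-zero return codes separate the failure in the thread (rc 1, anonymous bind against a server that no longer allows it) from the follow-on risk once rootbinddn is added (rc 2, a bind password that other local users can read). The script only reads the configuration and the debug log; it never contacts the LDAP server.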
  • 14.  RE: SUDO ( sudo-1.9.5p2-1.ppc) not working correctly

    Posted Tue November 16, 2021 06:36 AM
    Edited by Juergen Maehlmann Tue November 16, 2021 06:37 AM
    Hi,

    Probably you're mixing openldap with ibm-ldap.

    a) Try
       ls-secldapclntd
    If you get valid output, you're using ibm-ldap.
    Then the command should be something like: /opt/IBM/ldap/V6.4/bin/ldapsearch -h privport://your ldap-server ...... objectclass=posixaccount
    If TLS1.2 is required by your LDAP-Server, you have to export first:
    export LDAP_OPT_SECURITY_PROTOCOL=TLS12
    export LDAP_OPT_JAVA_SECURITY_PROTOCOL=TLSv1.2

    Possibly on top you will have to export CIPHERS like:
    export LDAP_OPT_SSL_CIPHER_EX=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    b) The error is evidence itself: "text: Anonymous access is not allowed."

    You have to use additional parameters for authorization, like:

        ldapsearch -LLLZZx

    ------------------------------
    Juergen Maehlmann
    ------------------------------



  • 15.  RE: SUDO ( sudo-1.9.5p2-1.ppc) not working correctly

    Posted Wed November 17, 2021 04:10 AM

    Hi Juergen,

    ls-secldapclntd gives valid output in response :-)

    SUCENT61:/# ll /usr/bin/ldapsearch
    0 lrwxrwxrwx 1 root system 33 Nov 15 14:49 /usr/bin/ldapsearch -> /opt/IBM/ldap/V6.4/bin/ldapsearch

    ldapsearch with -D + -w and "(&(objectclass=sudoRole)(sudoCommand=ALL))"

    returns all the sudoRoles from the IPA (LDAP) server.

    ------------------------------
    Emiel van ter Beek
    ------------------------------



  • 16.  RE: SUDO ( sudo-1.9.5p2-1.ppc) not working correctly

    Posted Fri November 12, 2021 09:35 AM
    I had an issue with sudo/ldap where I had to switch to the group name in Microsoft AD and not the local group name. Both groups had the same GID. You might want to try and open the ticket under an LDAP issue with IBM. They were the ones that reviewed my issue.

    Vinny

    ------------------------------
    Vincenzo Giambalvo
    ------------------------------



  • 17.  RE: SUDO ( sudo-1.9.5p2-1.ppc) not working correctly

    Posted Fri November 12, 2021 10:03 AM

    Hi Vinny,

    I did register a case at IBM Support already, but they said I had to use this forum for support.
    Their reaction to the above messages:

    Those are sudo specific error messages.

    secldapclntd doesn't have an "inappropriate authentication" error in its code.

    You will either need to provide code samples showing that it is an AIX issue,

    or recreate a similar problem with a supported AIX command or application.

    ------------------------------
    Emiel van ter Beek
    ------------------------------