AIX Open Source

  • 1.  sudo, users from LDAP with local groups

    Posted Fri October 28, 2022 09:19 AM
    Hi,

    AIX configuration: users come from an LDAP server, but have local groups too. The file /etc/secvars.cfg has the parameter:

    groups:
      domainlessgroups = true


    If sudoers is configured with LDAP groups, everything works as designed:

    %LDAPGRP ALL=(ALL) NOPASSWD: somecommand


    If sudoers is configured with local groups, LDAP users, even if they are in the local groups, can't execute commands:

    %LOCALGRP ALL=(ALL) NOPASSWD: somecommand
    # sudo -l -U ldapusr
    User ldapusr is not allowed to run sudo on server.
    # id ldapusr
    uid=64684(ldapusr) gid=100(usr) groups=40034(LDAPGRP),600(LOCALGRP)


    I could follow the problem up to sudo_getgrgid:

    Oct 28 14:18:42 sudo[30802188] sudo_getgrgid: gid 600 [LDAP] -> group unknown [LDAP] (cached)


    sudo finds that the user is defined through LDAP and tries to find LOCALGRP in LDAP. It definitely fails, because it is a local group.




    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------


  • 2.  RE: sudo, users from LDAP with local groups

    Posted Fri October 28, 2022 10:10 AM
    Please check you have "sudoers=compat,ldap" in /etc/netsvc.conf.

    ------------------------------
    Ayappan P
    ------------------------------



  • 3.  RE: sudo, users from LDAP with local groups

    Posted Mon October 31, 2022 09:37 AM
    Hi Ayappan,

    I added the line into /etc/netsvc.conf, but it didn't help unfortunately.

    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 4.  RE: sudo, users from LDAP with local groups

    Posted Wed November 02, 2022 10:29 AM
    Now I looked a little bit deeper into the sudo source code. It gets the user's registry using getuserattr() and then calls setauthdb() to set the authentication database. To check a group, it later calls getgrgid(), which should return group information.

    The problem can be seen using the following C code:
    #include <sys/types.h>
    #include <usersec.h>
    #include <grp.h>
    #include <stdio.h>
    
    int main(void) {
      int rc;
      struct group *gr;
    
      /* Switch the lookup database to the LDAP registry, as sudo does for an LDAP user */
      rc = setauthdb("LDAP", NULL);
      if (rc != 0) {
        printf("setauthdb RC = %d\n", rc);
        return 1;
      }
      /* 600 is the hard-coded GID of the local group we're searching for */
      gr = getgrgid(600);
      if (gr == NULL) {
        printf("Group ID 600 is not found\n");
        return 1;
      }
      printf("Group name = %s, group id = %d\n", gr->gr_name, (int)gr->gr_gid);
      return 0;
    }


    If setauthdb("LDAP", NULL) is called, the local group can't be found, even if domainlessgroups = true.
    If setauthdb("LDAP", NULL) is not called, both groups from LDAP and files are found.

    I am not sure if it is an AIX or a sudo problem. AIX getgrgid() doesn't say anything about setauthdb(). Quite the opposite:

    Note: If the domainlessgroups attribute is set in the /etc/secvars.cfg file, the getgrnam or getgrgid subroutine gets group information from the Lightweight Directory Access Protocol (LDAP) and files domains, if the group name or group ID belongs to any one of these domains.


    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------
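The debug line quoted in the post above (sudo_getgrgid: gid 600 [LDAP] -> group unknown [LDAP]) is the quickest way to confirm on a given server which local groups sudo fails to resolve for an LDAP user. The following script is an added example and is not part of the thread or of sudo itself: it parses sudo_getgrgid lines from a sudo debug log (obtained with a line such as "Debug sudo /var/log/sudo_debug all@debug" in /etc/sudo.conf), cross-references every gid that came back as unknown against /etc/group, and reports the local groups that sudo could not see through the user's registry. It assumes only the line shape shown in the post; the sample log lines and the sample /etc/group content are constructed for the example.

```python
import re

# Shape of the sudo_getgrgid debug line quoted in the thread. Other debug
# output (other functions, sudo_getgrnam) is ignored on purpose.
GETGRGID_RE = re.compile(
    r"sudo\[(?P<pid>\d+)\]\s+sudo_getgrgid:\s+gid\s+(?P<gid>\d+)\s+"
    r"\[(?P<registry>[^\]]*)\]\s+->\s+group\s+(?P<group>\S+)\s+"
    r"\[(?P<result_registry>[^\]]*)\]"
)

# Constructed sample data: one resolved LDAP group, one unresolved local
# group, and one unrelated debug line that the parser must skip.
SAMPLE_DEBUG_LOG = """\
Oct 28 14:18:42 sudo[30802188] settings: debug_flags=all@debug
Oct 28 14:18:42 sudo[30802188] sudo_getgrgid: gid 40034 [LDAP] -> group LDAPGRP [LDAP] (cached)
Oct 28 14:18:42 sudo[30802188] sudo_getgrgid: gid 600 [LDAP] -> group unknown [LDAP] (cached)
"""

SAMPLE_ETC_GROUP = """\
system:!:0:root
staff:!:1:
usr:!:100:guest
LOCALGRP:!:600:ldapusr
"""


def parse_etc_group(text):
    """Map gid -> group name from /etc/group text (name:password:gid:members)."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        groups[int(fields[2])] = fields[0]
    return groups


def parse_getgrgid_lookups(log_text):
    """Return (pid, gid, registry, group, result_registry) per sudo_getgrgid line."""
    lookups = []
    for line in log_text.splitlines():
        m = GETGRGID_RE.search(line)
        if m is None:
            continue
        lookups.append((int(m["pid"]), int(m["gid"]), m["registry"],
                        m["group"], m["result_registry"]))
    return lookups


def unresolved_local_groups(lookups, local_groups):
    """Local groups (present in /etc/group) that sudo reported as unknown.

    Returns a de-duplicated list of (gid, local name, registry sudo searched).
    """
    found = []
    seen = set()
    for _pid, gid, registry, group, _result_registry in lookups:
        if group != "unknown" or gid not in local_groups:
            continue
        if (gid, registry) in seen:
            continue
        seen.add((gid, registry))
        found.append((gid, local_groups[gid], registry))
    return found


def report(log_text, group_text):
    """Human-readable lines, one per local group sudo failed to resolve."""
    lookups = parse_getgrgid_lookups(log_text)
    local = parse_etc_group(group_text)
    return [
        f"gid {gid} ({name}) exists in /etc/group but was looked up only in [{registry}]"
        for gid, name, registry in unresolved_local_groups(lookups, local)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_DEBUG_LOG, SAMPLE_ETC_GROUP):
        print(line)
```

On a real server, feed the script the actual debug log and /etc/group (for example by reading both files into the two strings); every reported gid is a group that sudoers rules of the form %LOCALGRP will silently not match for that user, which is worth checking before assuming the sudoers entry itself is wrong.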