[ale] sudo, ldap, local user, SLOW!
Jim Kinney
jim.kinney at gmail.com
Mon Sep 29 13:14:58 EDT 2008
I think we are on update 1. It is just broken.
What was the old saying about RedHat .0 and .1 releases... :-)
On Mon, Sep 29, 2008 at 11:10 AM, <krwatson at cc.gatech.edu> wrote:
> James,
>
> I talked to the guys in our shop that ran into this same problem.
>
> You need the latest versions of sudo and nss and you need to be at RHEL 5
> update 2. nss was broken in update 1.
>
> They said you could do a yum remove nss-devil then do a yum update to get
> the latest nss.
>
> keith
>
> --
>
> Keith R. Watson Georgia Institute of Technology
> Systems Support Specialist IV College of Computing
> keith.watson at cc.gatech.edu 801 Atlantic Drive NW
> (404) 385-7401 Atlanta, GA 30332-0280
>
> > -----Original Message-----
> > From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Jim
> > Kinney
> > Sent: Saturday, September 27, 2008 08:57
> > To: ale at ale.org
> > Subject: [ale] sudo, ldap, local user, SLOW!
> >
> > I have a strange problem that I'm not finding a solution to.
> >
> > Server (redhat 5 EL) uses ldap for user authentication and also has some
> > local accounts that are not in ldap. nsswitch is set for files ldap for
> > passwd.
> > I can run "getent passwd | grep localuser" and it returns correct data in
> > about .5 seconds. It does the same for an ldap account check.
> >
> > The fun begins when an ldap user tries to run "sudo su - localuser".
> > (localuser is a process account like "oracle" and others) What the user
> > sees is 2+ minutes of system hang then success. What I see when tailing
> > logs is sudo trying to talk through ldap to get authentication. It shows
> > no connection, failure to bind errors. It eventually times out and at
> that
> > time the user sees the successful su change.
> >
> > sudoers file allows the ldap user to use su.
> >
> > I'm suspicious that something is not talking right with PAM for sudo. It
> > _should_ be getting al its user credentialling through PAM. But the sudo
> > module in PAM is calling system-auth which _has_ the proper local file,
> > ldap stuff since that's how logins are handled.
> >
> > ?????ideas?????
> >
> > --
> > --
> > James P. Kinney III
> >
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
>
--
--
James P. Kinney III
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20080929/ba383549/attachment.html
More information about the Ale
mailing list