sudo, LDAP, and Kerberos

Darek M. darek at
Fri Nov 7 11:58:47 PST 2008

I'm setting up a centralized Kerberos/LDAP authentication system and 
trying to get sudo to use a) Kerberos for the password, and b) LDAP for 
a non-local user's group.

Locally on a client system "/etc/sudoers" specifies %sysadmin to be able 
to sudo to root.  I don't need to move "sudoers" to LDAP just yet.

I've had success on some machines compiling sudo from source with 
--enable-kerb5 and --enable-ldap.  But on many other systems sudo 
segfaults, or returns bus errors, and overall gave me nothing but grief.

So I'm looking for alternate ways of supplying sudo with a user's 
group.  Is it possible to compile sudo (without kerberos and ldap 
support) and configure a pam.d file (/etc/pam.d/sudo) to interact with 
kerberos and LDAP?  I created a sudo file with

auth            sufficient             no_warn 
auth            requisite       no_warn allow_local
auth            sufficient             warn try_first_pass

and running sudo (compiled with only a ./configure, no other options) as 
a non-local user I successfully authenticate, but then sudo has no idea 
of the group this user belongs to and says "not in the sudoers file".  
Is it possible to use PAM as a go-between for sudo and the remote LDAP 
system to provide sudo with the user's group info?

How has everyone else set up a central auth system?  Seems to me sudo's 
configure script has some flaws and I don't want to rely on it.  Maybe 
there's a better way, but aside from sudo acting up, the above would be 
a fine set up for me.

Any pointers appreciated.
- Darek

More information about the freebsd-questions mailing list