[lug] sudo, pam, and SuSE 10.2
Hugh Brown
hugh at math.byu.edu
Wed Feb 7 17:34:21 MST 2007
Andrew Diederich wrote:
> I've just installed SuSE 10.2, and configured it to use PAM against my
> active directory server, so I could try and remember just _one_ set of
> passwords. That was great right out of the box -- it made a machine
> account on the domain, I can login with "domain\windows.username", it
> creates a home directory for me, it's all good.
>
> What I can't do is get sudo to work. Sudo just can't seem to identify
> who I am. I've tried about everything I can think of, but just
> haven't gotten it. Has anyone else made this go?
>
> My sudoers file:
> DOMAIN\windows.username ALL=(ALL) ALL
> domain\windows.username ALL=(ALL) ALL
> domain/windows.username ALL=(ALL) ALL
> windows.username ALL=(ALL) ALL
> %Domain\ windows.username ALL=(ALL) ALL
> %Domain\windows.username ALL=(ALL) ALL
>
> The error I get is "DOMAIN\windows.username is not in the sudoers
> file. This incident will be reported."
>
> I did turn off the evil SuSE targetpw default, where you need to know
> the target's password to run sudo. Why they think it's a good idea, I
> have no clue.
>
Having no experience whatsoever in this, my first thought is, does the \
need to be escaped?
It looks like sudo thinks of you as DOMAIN\windows.username
You could try running sudo through strace to see what that may tell you.
Also, it looks like %foo refers to a group not a user. From the brief
searching of the web, it looks like the common approach is to tell sudo
to trust a group that you are a member of (if possible, a group that
only you are a member of).
%mygroup ALL=(ALL) ALL
Hugh
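
Added example, not part of the original message: sudoers(5) treats the backslash as an escape character, so a name such as DOMAIN\windows.username has to be written with the backslash doubled. The sketch below escapes a name, builds the rule line, and syntax-checks it with visudo before anything touches /etc/sudoers. The function names and the group name are hypothetical, and it assumes the name to escape is the one sudo prints in its error message.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Escape a user or group name for use as a word in sudoers.
# sudoers(5) requires a backslash before ! = : , ( ) and \ ; a space
# inside a name is escaped the same way.
sudoers_escape() {
    printf '%s' "$1" | sed -e 's/[\\!=:,() ]/\\&/g'
}

# Emit a full-access rule for a user name ($1 is the raw, unescaped name).
sudoers_rule() {
    printf '%s ALL=(ALL) ALL\n' "$(sudoers_escape "$1")"
}

# Same for a group: sudoers marks groups with a leading %.
sudoers_group_rule() {
    printf '%%%s ALL=(ALL) ALL\n' "$(sudoers_escape "$1")"
}

# Syntax-check a candidate rule in a temporary file, so a mistake cannot
# lock anyone out of sudo. Returns visudo's status, or 2 if visudo is absent.
check_rule() {
    tmp=$(mktemp) || return 1
    sudoers_rule "$1" > "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$tmp"
        rc=$?
    else
        echo "visudo not found; rule not validated" >&2
        rc=2
    fi
    rm -f "$tmp"
    return "$rc"
}

# Name taken from the error message quoted in the thread.
sudoers_rule 'DOMAIN\windows.username'
# Constructed group name, for illustration only.
sudoers_group_rule 'DOMAIN\sudo admins'
```

Run check_rule with the raw account name to have visudo parse the generated line; install the rule with visudo only after that check passes.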