Environment
Novell Open Enterprise Server 2 (OES 2) Linux
Novell Open Enterprise Server 11 (OES 11) Linux
Situation
Trying to run "sudo command_or_script" does not successfully run the indicated command_or_script. This happens even though the LUM group the user is a member of is properly listed in /etc/sudoers and was added with visudo.
Some errors seen were:
- multiple "bash: /dev/null: Permission denied" upon login or su to user
- the following info:
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
- prompted for the password of the user
- if you enter the correct password, you will see:
userName is not in the sudoers file. This incident will be reported.
Resolution
Ensure that any LUM groups in the given eDirectory tree are unique in regards to:
- name of group
- gidNumber of the group
If you find you have 2 groups with the same name, the easiest way to remedy this is to rename one of the two groups, and then add that group to the sudoers file with the same authorizations as its previous name.
Additional Information
LUM requires unique group name and gidNumber for LUM-enabled groups. If there are 2 or more LUM-enabled groups with the same name, you may see odd behavior running sudo or other functions that rely on LUM groups.
A quick way to list all groups that are LUM-enabled is to run the following from a server in the tree:
ldapsearch -x -h localhost -b "" -s sub "(&(objectClass=groupOfNames)(gidNumber=*))"
This will do a subtree search in the current tree, beginning at the [root] of the tree (an empty base DN), and return every group that has a gidNumber associated with it, which is indicative of a LUM-enabled group. You can redirect the output to a file with "> filename" and review that data later.
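Reviewing that output by eye is error-prone in a large tree, so the following script is added here as a worked example (it is not part of the original TID): it reads the LDIF that ldapsearch prints and reports every cn or gidNumber value that occurs more than once, which are exactly the collisions the Resolution section says LUM cannot tolerate. The function name lum_dup_check and the sample LDIF are my own constructions; in practice you would pipe the real ldapsearch output into the function as shown in the usage comment.

```shell
#!/bin/sh
# Added example, not from the original TID. Reports duplicate group names
# and duplicate gidNumbers among LUM-enabled groups, reading LDIF on stdin.
#
# Usage against a live tree (anonymous bind assumed to be permitted):
#   ldapsearch -x -h localhost -b "" -s sub \
#     "(&(objectClass=groupOfNames)(gidNumber=*))" cn gidNumber | lum_dup_check
#
# Output: one line per duplicated value, e.g. "cn admins 2" or "gidNumber 1000 2".
# Base64-encoded attributes ("cn:: ...") are not decoded and are ignored here.
lum_dup_check() {
  awk '
    # LDIF folds long values onto lines starting with a space: re-join them.
    /^ / { buf = buf substr($0, 2); next }
    { if (buf != "") handle(buf); buf = $0 }
    END { if (buf != "") handle(buf); report() }

    # Count each cn (case-insensitive, as eDirectory treats cn) and gidNumber.
    function handle(line,   val) {
      if (line ~ /^cn: /)             { val = substr(line, 5);  cn[tolower(val)]++ }
      else if (line ~ /^gidNumber: /) { val = substr(line, 12); gid[val]++ }
    }

    # Print only the values seen more than once.
    function report(   k) {
      for (k in cn)  if (cn[k]  > 1) printf "cn %s %d\n", k, cn[k]
      for (k in gid) if (gid[k] > 1) printf "gidNumber %s %d\n", k, gid[k]
    }
  ' | sort
}

# Constructed sample LDIF: two groups share cn "admins", two share gidNumber 1000.
SAMPLE_LDIF='dn: cn=admins,ou=groups,o=example
cn: admins
gidNumber: 1000

dn: cn=admins,ou=other,o=example
cn: admins
gidNumber: 1001

dn: cn=webteam,ou=groups,o=example
cn: webteam
gidNumber: 1000

dn: cn=dbteam,ou=groups,o=example
cn: dbteam
gidNumber: 1002
'

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LDIF" | lum_dup_check
```

Any line the script prints identifies a group name or gidNumber that must be made unique (by renaming the group, as described in the Resolution, or by assigning a distinct gidNumber) before sudo and other LUM-dependent functions will behave reliably.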