How can I force sudo to accept a user's AD password on RHEL6


Seems like it's a PAM configuration issue. I have a similar setup on our Linux servers---Kerberos authentication against our AD DCs.

Below are the relevant PAM files for comparison.

First, the system-auth PAM config, which the sudo config depends on:

# cat /etc/pam.d/system-auth
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
# local /etc/shadow password; a success ends the stack, a failure is ignored
auth        sufficient    pam_unix.so nullok try_first_pass
# system accounts (uid < 500) stop here and never reach Kerberos
auth        requisite     pam_succeed_if.so uid >= 500 quiet
# Kerberos/AD: reuses the password already typed; a success ends the stack
auth        sufficient    pam_krb5.so use_first_pass
# nothing above succeeded
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

As you can see, this includes the pam_krb5.so module used for Kerberos.

The sudo PAM config files include system-auth and look like this:

# cat /etc/pam.d/sudo
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so

# cat /etc/pam.d/sudo-i
#%PAM-1.0
auth       include      sudo
account    include      sudo
password   include      sudo
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so

PAM can be very powerful, but it took me a bit to get my head wrapped around it. Red Hat's documentation helped me out a lot when dealing with PAM issues.
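To make the control-flag logic in that stack concrete, here is a small model of how libpam walks an auth stack, added as an example; it is not code from the answer above or from Linux-PAM. The PAM files are embedded as text, the module behaviours are stand-ins built around a constructed user whose local password differs from the AD password, the "sudo-local-only" file is a hypothetical comparison, and only the `uid >= N` form of pam_succeed_if is modelled.

```python
"""Toy model of how Linux-PAM walks an 'auth' stack, applied to the
system-auth and sudo files quoted above. Added example, not code from the
page or from Linux-PAM: module behaviours are stand-ins, and the user,
passwords and the 'sudo-local-only' file are constructed for illustration."""
import re

# Constructed PAM files: the answer's system-auth auth stack, the sudo file that
# includes it, and a hypothetical sudo file with no Kerberos path for comparison.
PAM_FILES = {
    "system-auth": """
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
""",
    "sudo": "auth       include      system-auth\n",
    "sudo-local-only": "auth       required      pam_unix.so\n",
}

# The keyword controls expressed in pam.conf(5)'s [value=action] form.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_control(token):
    """Keyword ('required') or bracket form ('[default=bad success=ok]') -> dict."""
    if token.startswith("["):
        return dict(kv.split("=", 1) for kv in token[1:-1].split())
    return KEYWORD_CONTROLS[token]


def load_stack(service, mtype):
    """[(control, module, args)] for one management type; 'include' lines are
    spliced in place, which is how system-auth ends up inside the sudo stack."""
    stack = []
    for raw in PAM_FILES[service].splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        mtype_here, ctrl, module, args = LINE_RE.match(line).groups()
        if mtype_here != mtype:
            continue
        if ctrl == "include":
            stack.extend(load_stack(module, mtype))
        else:
            stack.append((parse_control(ctrl), module, args.split()))
    return stack


# Constructed user: a local account whose /etc/shadow password differs from the
# AD password held by the Kerberos realm (the setup described in the question).
USER = {"uid": 1000, "local_pw": "local-pw", "ad_pw": "ad-pw"}


def run_module(module, args, password, user):
    """Stand-in return values for the modules in the stack (not their real logic)."""
    if module == "pam_env.so":
        return "success"
    if module == "pam_fprintd.so":            # no fingerprint reader on a server
        return "authinfo_unavail"
    if module == "pam_unix.so":               # checks the local /etc/shadow entry
        return "success" if password == user["local_pw"] else "auth_err"
    if module == "pam_krb5.so":               # use_first_pass: reuses the typed password
        return "success" if password == user["ad_pw"] else "auth_err"
    if module == "pam_succeed_if.so":         # only the 'uid >= N' form is modelled
        return "success" if user["uid"] >= int(args[2]) else "auth_err"
    if module == "pam_deny.so":
        return "auth_err"
    raise ValueError("unmodelled module " + module)


def authenticate(service, password, user=USER):
    """Walk the auth stack with pam.conf(5) action semantics: ok/bad feed the
    stack result, done/die also stop the walk, ignore skips, a number jumps N."""
    stack = load_stack(service, "auth")
    impression, status = None, "PAM_SUCCESS"   # None: no module has contributed yet
    i = 0
    while i < len(stack):
        control, module, args = stack[i]
        ret = run_module(module, args, password, user)
        action = control.get(ret, control.get("default", "bad"))
        i += 1
        if action.isdigit():
            i += int(action)
        elif action in ("ok", "done") and impression != "negative":
            impression, status = "positive", "PAM_" + ret.upper()
            if action == "done":              # sufficient: final unless a required module already failed
                break
        elif action in ("bad", "die"):
            if impression != "negative":      # the first failure decides the stack's error code
                impression, status = "negative", "PAM_" + ret.upper()
            if action == "die":               # requisite: stop right here
                break
        # 'ignore', or 'done' after an earlier failure: continue with the next module
    return status if impression else "PAM_PERM_DENIED"


if __name__ == "__main__":
    for svc, pw in [("sudo", "ad-pw"), ("sudo", "local-pw"),
                    ("sudo", "wrong"), ("sudo-local-only", "ad-pw")]:
        print(f"{svc:16} {pw:9} -> {authenticate(svc, pw)}")
```

With the answer's stack, both the local and the AD password end in PAM_SUCCESS: pam_unix's failure is ignored because it is `sufficient`, pam_succeed_if lets a uid >= 500 through, and pam_krb5's success ends the stack. A sudo stack that never reaches pam_krb5 fails the AD password at pam_unix, and a system account (uid < 500) is stopped by the `requisite` line before Kerberos is ever tried. The model covers only the auth type; sudo also runs the account stack, where pam_krb5 sits behind `[default=bad success=ok user_unknown=ignore]`.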


Author: CJONES

Updated on September 18, 2022

Comments

  • CJONES (over 1 year ago)

    In our environment we do not join Linux boxes to the Microsoft Domain. We do, however, set up Kerberos. This allows us to log into the boxes using our AD credentials as long as there is a local account with the same name. However, when I use sudo it only accepts my local credentials. How can I use my AD password with sudo? Thanks.

  • Fred the Magic Wonder Dog (about 10 years ago)
    All this is fine, but you really need to have a host keytab on the machine. If you don't, then the security of Kerberos is compromised and can be spoofed with MITM attacks.