Comment 28 for bug 423252

Matt Kassawara (ionosphere80) wrote : Re: [Bug 423252] Re: NSS using LDAP on Karmic breaks 'su' and 'sudo'

I was not using a self-signed certificate at the time I reported this
bug.

On Jan 17, 2010, at 5:14 PM, David Tomaschik wrote:

> Is anyone experiencing this bug running an LDAPS server that does NOT
> have a self-signed certificate? I'm wondering if the issue might be
> certificate-related, since using plaintext ldap works.
>
> --
> NSS using LDAP on Karmic breaks 'su' and 'sudo'
> https://bugs.launchpad.net/bugs/423252
>
> Status in “glibc” package in Ubuntu: Confirmed
> Status in “sudo” package in Debian: Confirmed
> Status in “sudo” package in Kairos Linux: New
>
> Bug description:
> On Karmic (alpha 4 plus updates), changing the nsswitch.conf
> 'passwd' field to anything with 'ldap' as the first item breaks the
> ability to become root using 'su' and 'sudo' as anyone but root.
>
> Default nsswitch.conf:
>
> passwd: compat
> group: compat
> shadow: compat
>
> matt@box:~$ sudo uname -a
> [sudo] password for matt:
> Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC
> 2009 x86_64 GNU/Linux
>
> matt@box:~$ su -
> Password:
> root@box:~#
>
> Modified nsswitch.conf with 'ldap' before 'compat':
>
> passwd: ldap compat
> group: ldap compat
> shadow: ldap compat
>
> matt@box:~$ sudo uname -a
> sudo: setreuid(ROOT_UID, user_uid): Operation not permitted
>
> matt@box:~$ su -
> Password:
> setgid: Operation not permitted
>
> Modified nsswitch.conf with 'ldap' after 'compat':
>
> passwd: compat ldap
> group: compat ldap
> shadow: compat ldap
>
> matt@box:~$ sudo uname -a
> [sudo] password for matt:
> Linux box 2.6.31-9-server #29-Ubuntu SMP Sun Aug 30 18:37:42 UTC
> 2009 x86_64 GNU/Linux
>
> matt@box:~$ su -
> Password:
> root@box:~#
>
> The same arrangements in nsswitch.conf work as expected in Jaunty
> and earlier releases.