--- embedaddon/sudo/doc/TROUBLESHOOTING 2012/02/21 16:23:02 1.1.1.1 +++ embedaddon/sudo/doc/TROUBLESHOOTING 2013/10/14 07:56:34 1.1.1.4 
@@ -16,15 +16,29 @@ A) As part of the build process, sudo creates a tempor you may need to install the SUNWbtool package. On other systems "ar" may be included in the GNU binutils package. -Q) Sudo compiles but when I run it I get "Sorry, sudo must be setuid root." - and sudo quits. -A) Sudo must be setuid root to do its work. You need to do something like - `chmod 4111 /usr/local/bin/sudo'. Also, the file system sudo resides - on must *not* be mounted (or exported) with the nosuid option or sudo - will not be able to work. Another possibility is you may have '.' in - your $PATH before the directory containing sudo. If you are going - to have '.' in your path you should make sure it is at the end. +Q) Sudo compiles and installs OK but when I try to run it I get: + /usr/local/bin/sudo must be owned by uid 0 and have the setuid bit set +A) Sudo must be setuid root to do its work. Either /usr/local/bin/sudo + is not owned by uid 0 or the setuid bit is not set. This should have + been done for you by "make install" but you can fix it manually by + running the following as root: + # chown root /usr/local/bin/sudo; chmod 4755 /usr/local/bin/sudo +Q) Sudo compiles and installs OK but when I try to run it I get: + effective uid is not 0, is /usr/local/bin/sudo on a file system with the + 'nosuid' option set or an NFS file system without root privileges? +A) The owner and permissions on the sudo binary appear to be OK but when + sudo ran, the setuid bit did not have an effect. There are two common + causes for this. The first is that the file system the sudo binary + is located on is mounted with the 'nosuid' mount option, which disables + setuid binaries. The output of the "mount" command should tell you if + the file system is mounted with the 'nosuid' option. The other possible + cause is that sudo is installed on an NFS-mounted file system that is + exported without root privileges. 
By default, NFS file systems are + exported with uid 0 mapped to a non-privileged uid (usually -2). You + should be able to determine whether sudo is located on an NFS-mounted + filesystem by running "df `which sudo'". + Q) Sudo never gives me a chance to enter a password using PAM, it just says 'Sorry, try again.' three times and exits. A) You didn't setup PAM to work with sudo. On RedHat Linux or Fedora @@ -49,7 +63,7 @@ A) Make sure you have an entry in your syslog.conf fil its conf file. Also, remember that syslogd does *not* create log files, you need to create the file before syslogd will log to it (ie: touch /var/log/sudo). - Note: the facility (e.g. "auth.debug") must be separated from the + Note: the facility (e.g. "auth.debug") must be separated from the destination (e.g. "/var/log/auth" or "@loghost") by tabs, *not* spaces. This is a common error. @@ -121,9 +135,6 @@ A) Sudo removes the following "dangerous" environment _RLD_* SHLIB_PATH (HP-UX only) LIBPATH (AIX only) - KRB_CONF (kerb4 only) - KRBCONFDIR (kerb4 only) - KRBTKFILE (kerb4 only) KRB5_CONFIG (kerb5 only) VAR_ACE (SecurID only) USR_ACE (SecurID only) @@ -167,6 +178,17 @@ A) Starting with Solaris 2.6, snprintf(3) is included #define HAVE_VSNPRINTF 1 and run make. +Q) I built sudo on a Solaris 11 (or higher) machine but the resulting + binary doesn't work older Solaris versions. Why? + +A) Starting with Solaris 11, asprintf(3) is included in the standard + C library. To build a version of sudo on a Solaris 11 machine that + will run on an older Solaris release, edit config.h and comment out + the lines: + #define HAVE_ASPRINTF 1 + #define HAVE_VASPRINTF 1 + and run make. + Q) When I run "visudo" it says "sudoers file busy, try again later." and doesn't do anything. A) Someone else is currently editing the sudoers file with visudo. 
@@ -204,6 +226,67 @@ A) ssh does not allocate a tty by default when running You can use ssh's "-t" option to force it to allocate a tty. Alternately, if you do not mind your password being echoed to the screen, you can use the "visiblepw" sudoers option to allow this. + +Q) When I try to use SSL-enabled LDAP with sudo I get an error: + unable to initialize SSL cert and key db: security library: bad database. + you must set TLS_CERT in /etc/ldap.conf to use SSL +A) On systems that use a Mozilla-derived LDAP SDK there must be a + certificate database in place to use SSL-encrypted LDAP connections. + This file is usually /var/ldap/cert8.db or /etc/ldap/cert8.db. + The actual number after "cert" will vary, depending on the version + of the LDAP SDK that is being used. If you do not have a certificate + database you can either copy one from a mozilla-derived browser, such + as firefox, or create one using the "certutil" command. You can run + "certutil" as follows and press the (or ) key at the + password prompt: + # certutil -N -d /var/ldap + Enter a password which will be used to encrypt your keys. + The password should be at least 8 characters long, + and should contain at least one non-alphabetic character. + + Enter new password: + Re-enter password: + +Q) On HP-UX, when I run command via sudo it displays information + about the last successful login and last authentication failure + for every command. How can I fix this? +A) This output comes from /usr/lib/security/libpam_hpsec.so.1. + To suppress it, add a line like the following to /etc/pam.conf: + sudo session required libpam_hpsec.so.1 bypass_umask bypass_last_login + +Q) On HP-UX, the umask setting in sudoers has no effect. 
+A) If your /etc/pam.conf file has the libpam_hpsec.so.1 session module + enabled, you may need to a add line like the following to pam.conf: + sudo session required libpam_hpsec.so.1 bypass_umask + +Q) When I run sudo on AIX I get the following error: + setuidx(ID_EFFECTIVE|ID_REAL|ID_SAVED, ROOT_UID): Operation not permitted. +A) AIX's Enhanced RBAC is preventing sudo from running. To fix + this, add the following entry to /etc/security/privcmds (adjust + the path to sudo as needed) and run the setkst command as root: + + /usr/local/bin/sudo: + accessauths = ALLOW_ALL + innateprivs = PV_DAC_GID,PV_DAC_O,PV_DAC_R,PV_DAC_UID,PV_DAC_W,PV_DAC_X,PV_FS_CHOWN,PV_PROC_ENV,PV_PROC_PRIO,PV_PROC_RAC + secflags = FSF_EPS + +Q) Sudo configures and builds without error but when I run it I get + a Segmentation fault. +A) If you are on a Linux system, the first thing to try is to run + configure with the --disable-pie option, then "make clean" and + "make". If that fixes the problem then your operating system + does not properly support position independent executables. + Please send a message to sudo@sudo.ws with system details such + as the Linux distro, kernel version and CPU architecture. + +Q) When I run configure I get the following error: + dlopen present but libtool doesn't appear to support your platform. +A) Libtool doesn't know how to support dynamic linking on the operating + system you are building for. If you are cross-compiling, you need to + specify the operating system, not just the CPU type. For example: + --host powerpc-unknown-linux + instead of just: + --host powerpc Q) How do you pronounce `sudo'? A) The official pronunciation is soo-doo (for su "do"). However, an
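Review bot: In the hunk at @@ -16,15 +16,29 @@, the last added line of the NFS answer reads "df `which sudo'", which opens a command substitution with a backtick and closes it with an apostrophe, so it fails when pasted into a shell. Suggest "df `which sudo`" or "df $(which sudo)". The rewrite also drops the old answer's advice about '.' appearing in $PATH ahead of the directory containing sudo. If that removal is deliberate, say so in the commit message. Otherwise keep the sentence, since neither new answer covers it.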
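Review bot: Nothing in the hunk at @@ -121,9 +135,6 @@ says whether sudo still strips KRB_CONF, KRBCONFDIR and KRBTKFILE now that they are gone from the list of "dangerous" environment variables. Administrators read this list as a statement of what sudo removes, so please confirm it matches what this version of the code removes and give the reason in the commit message. The "(kerb4 only)" tags suggest Kerberos 4 support was dropped, but the diff does not say so.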
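Review bot: Typo in the new Solaris 11 question in the hunk at @@ -167,6 +178,17 @@: "the resulting binary doesn't work older Solaris versions" is missing a word and should read "doesn't work on older Solaris versions".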
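Review bot: In the hunk at @@ -204,6 +226,67 @@, the Segmentation fault answer recommends rebuilding with --disable-pie without saying this is a diagnostic step. A non-PIE sudo is a setuid root binary loaded at a fixed address, so the answer should say the option is for confirming the cause and that the resulting binary gives up that hardening. Also in this hunk:

- The certutil instructions tell the reader to press a key at the password prompt, and the key names are missing from the text as shown. If the intent is an empty password, state that the key database is then unprotected and should be readable only by root.
- The AIX entry grants "accessauths = ALLOW_ALL" plus a long innateprivs list with no explanation of why each privilege is needed. A sentence on that would help administrators who have to justify the entry.
- Two wording slips: "you may need to a add line" should be "you may need to add a line", and "when I run command via sudo" should be "when I run a command via sudo".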