[Freeipa-devel] Scripting the SUDO setup for a client
Simo Sorce
ssorce at redhat.com
Fri Feb 18 13:49:25 UTC 2011
On Fri, 18 Feb 2011 13:18:36 +0000
JR Aquino <JR.Aquino at citrix.com> wrote:
> I'm afraid not Simo.
> As you recall, both /etc/sudoers and the 2 Sudo containers in FreeIPA
> are protected. There is a deliberate default aci which prevents
> anonymous users from enumerating everyone's Sudo information.
>
> This means it is necessary for Sudo to initiate some form of
> authenticated bind.
>
> And as we discovered, the SUDO SASL implementation is suboptimal in
> that it seems to want a cronjob to sit around kinit'ing
> the /etc/krb5.keytab in order to use its ccache.
Ouch, I forgot about the ACIs ... I guess we should document how to
remove them as an alternative too?
Simo.
--
Simo Sorce * Red Hat, Inc * New York