[Freeipa-users] sudo log errors

Simo Sorce simo at redhat.com
Wed Jan 15 05:49:41 UTC 2014


On Tue, 2014-01-14 at 11:34 -0500, Dmitri Pal wrote:
> On 01/14/2014 06:17 AM, Natxo Asenjo wrote:
> > hi,
> >
> > after using sudo from ipa extensively I needed to configure a local
> > user to also use sudo.
> >
> > This is for monitoring; we use Nagios.
> >
> > It works but now I have lots of error messages in /var/log/messages
> > like this one:
> >
> > sudo: GSSAPI Error: Unspecified GSS failure.  Minor code may provide
> > more information (Credentials cache file '/tmp/krb5cc_0' not found)
> >
> > Well, yes, obviously the nagios local user does not have a Kerberos
> > ticket. Why the error?
> >
> > I modified /etc/sudoers to allow the nagios user to not use a tty:
> >
> > Defaults:nagios !requiretty
> >
> > And have added nagios config files for sudo in /etc/sudoers.d/
> >
> > nagios  ALL=NOPASSWD: /usr/lib/nagios/plugins/check_logfiles
> >
> > In /etc/nsswitch.conf, sudo looks like this:
> >
> > sudoers:    files ldap
> >
> > Is there anything else I can do or do I just have to live with the
> > error on syslog?

> I wonder if putting this user into the local sssd provider would silence
> it... Just a thought...

Probably not; the question is, why is sudo trying to use root's Kerberos
credentials?

On what platform are you? With sudo-sssd integration you shouldn't use
LDAP directly anymore.

However, if you need to, what you can do is have a cron job generate the
/tmp/krb5cc_0 ccache from the machine keytab. This will silence the
error, although it will turn into a full bind and search of data in
LDAP. Not sure which you prefer.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
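A concrete form of the cron-job workaround Simo describes, added here as an example; it is not code from this thread, from Natxo's setup or from the FreeIPA project. It assumes (hypothetically) that the host keytab is /etc/krb5.keytab, that the principal to use is host/<fqdn> (overridable through HOST_PRINCIPAL), and that sudo's LDAP backend looks at the default FILE ccache for uid 0, /tmp/krb5cc_0, which is the path the logged error names. The script only runs kinit when `klist -s` reports the existing cache as missing or expired, writes the new cache to a private temp file and renames it into place so sudo never reads a half-written cache:

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): keep root's default
# credential cache populated from the host keytab so sudo's LDAP backend
# finds a valid TGT instead of logging "Credentials cache file
# '/tmp/krb5cc_0' not found".
#
# Assumptions, all hypothetical: keytab at /etc/krb5.keytab, host principal
# host/<fqdn> (override with HOST_PRINCIPAL), ccache /tmp/krb5cc_0 (the
# default FILE ccache for uid 0, which is what the log message names).

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
CCACHE="${CCACHE:-/tmp/krb5cc_0}"

# Principal to obtain the TGT for: host/<fqdn> unless HOST_PRINCIPAL is set.
host_principal() {
    if [ -n "$HOST_PRINCIPAL" ]; then
        printf '%s\n' "$HOST_PRINCIPAL"
    else
        printf 'host/%s\n' "$(hostname -f)"
    fi
}

# Exit 0 only if the cache at $1 holds a valid, unexpired TGT
# (klist -s is silent and sets the exit status for exactly this purpose).
ccache_is_valid() {
    KRB5CCNAME="FILE:$1" klist -s 2>/dev/null
}

# Get a fresh TGT from keytab $2 for principal $3 into a private temp file,
# then rename it over ccache $1 so sudo never reads a half-written cache.
# Arguments: ccache keytab principal.
refresh_ccache() {
    ccache="$1"; keytab="$2"; principal="$3"
    tmp="$(mktemp "${ccache}.XXXXXX")" || return 1
    if KRB5CCNAME="FILE:$tmp" kinit -k -t "$keytab" "$principal"; then
        # kinit already creates the cache 0600; be explicit, then rename atomically.
        chmod 600 "$tmp" && mv -f "$tmp" "$ccache"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Cron entry point: renew only when the existing cache is no longer valid.
main() {
    if ccache_is_valid "$CCACHE"; then
        return 0
    fi
    refresh_ccache "$CCACHE" "$KEYTAB" "$(host_principal)"
}

# Run main only when executed under the (hypothetical) script name, so the
# functions can also be sourced without side effects.
case "$0" in
    */refresh_root_ccache.sh|refresh_root_ccache.sh) main "$@" ;;
esac
```

Install it as root (for example /usr/local/sbin/refresh_root_ccache.sh, a hypothetical path) and schedule it more often than the host TGT lifetime, e.g. `*/30 * * * * root /usr/local/sbin/refresh_root_ccache.sh` in /etc/cron.d. As Simo notes, this only changes the failure into a successful GSSAPI bind and LDAP search on every sudo invocation; the cleaner route on a platform with sudo-sssd integration is to switch `sudoers: files ldap` in /etc/nsswitch.conf to `sudoers: files sss` and let SSSD's sudo responder serve the rules.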
