[Freeipa-users] sudo log errors

Natxo Asenjo natxo.asenjo at gmail.com
Wed Jan 15 09:09:20 UTC 2014


On Wed, Jan 15, 2014 at 6:49 AM, Simo Sorce <simo at redhat.com> wrote:
> On Tue, 2014-01-14 at 11:34 -0500, Dmitri Pal wrote:
>> On 01/14/2014 06:17 AM, Natxo Asenjo wrote:

>> > Is there anything else I can do or do I just have to live with the
>> > error on syslog?
>
>> I wonder if putting this user into the local sssd provider would silence
>> it... Just a thought...
>
> Probably not, the question is, why is sudo trying to use root's kerberos
> credentials ?

No idea. According to /etc/nsswitch.conf, it should read local sudoers first:

$ grep sudo /etc/nsswitch.conf
sudoers:    files ldap

The nagios user is a local user that gets installed when installing
nrpe (the nagios agent). This is what gets polled remote by the nagios
server.

> On what platform are you ? With sudo-sssd integration you shouldn't use
> directly ldap anymore.

centos 6.5 on these hosts. So if I use sssd instead of ldap for sudo
this could go away?

> However if you need, what you can do is to have a cronjob generate the
> /tmp/krb5cc_0 ccache from the machine keytab. This will silence the
> error, although it will turn into a full bind and search of data in
> LDAP. Not sure which you prefer.

yes, I had thought of that. Is that a potential risk in your opinion?
I mean, in order to use it, they need root rights and if they have,
well, it could be generated as well. What do you think?

Besides, it should not have to bind because files comes first.

Thanks for taking the time to look into this.

Regards,

-- 
natxo
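As an added illustration of the sudo-sssd integration Simo refers to (this is not configuration from the thread or from the FreeIPA project; the domain, realm, server and client host names below are placeholders), here is the `sudoers` nsswitch line as quoted above beside the `sss` variant, together with the sssd.conf fragments that enable the sudo responder on an IPA client of that era. With this setup the LDAP bind for sudo rules is performed by sssd using the host keytab (GSSAPI as `host/<client>`), so sudo itself never needs a Kerberos ccache for root, which is the situation the syslog error comes from. Newer SSSD releases also offer `sudo_provider = ipa`; the `ldap` sudo provider with the IPA compat tree shown here is the older, widely documented form and is an assumption about the version in use.

```ini
# /etc/nsswitch.conf
# Before: sudo's own LDAP backend, which binds as the calling user (root)
#sudoers:    files ldap
# After: local sudoers file first, then rules cached by sssd
sudoers:    files sss

# /etc/sssd/sssd.conf (fragment; other existing settings unchanged)
[sssd]
# add "sudo" to the responders sssd starts
services = nss, pam, sudo
domains = example.test

[domain/example.test]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = example.test
ipa_server = ipa1.example.test
ipa_hostname = client1.example.test

# sudo rules are read from the IPA compat tree over LDAP
sudo_provider = ldap
ldap_uri = ldap://ipa1.example.test
ldap_sudo_search_base = ou=sudoers,dc=example,dc=test

# bind as the host principal from /etc/krb5.keytab, not as root's ticket
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client1.example.test
ldap_sasl_realm = EXAMPLE.TEST
krb5_server = ipa1.example.test
```

After editing, restart sssd and check that `sudo -l` as a test user lists the expected rules; the sssd sudo responder logs in `/var/log/sssd/sssd_sudo.log` show whether rule lookups reach the cache or LDAP.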