On Fri, 18 Feb 2011 13:18:36 +0000
JR Aquino <jr.aqu...@citrix.com> wrote:

> I'm afraid not Simo.
> As you recall. Both /etc/sudoers and the 2 Sudo containers in FreeIPA
> are protected.  There is a deliberate default aci which prevents
> anonymous users from enumerating everyones Sudo information.
> This means it is necessary for Sudo to initiate some form of
> authenticated bind.
> And as we discovered, the SUDO SASL implementation is suboptimal in
> that it seems to want a cronjob to sit around kinit'ing
> the /etc/krb5.keytab in order to use it's ccache.

Ouch, I forgot about the ACIs ... I guess we should document how to
remove them as an alternative too ?


Simo Sorce * Red Hat, Inc * New York

Freeipa-devel mailing list

Reply via email to