On Tue, 2014-01-14 at 11:34 -0500, Dmitri Pal wrote:
> On 01/14/2014 06:17 AM, Natxo Asenjo wrote:
> > hi,
> >
> > after using sudo from ipa extensively I needed to configure a local
> > user to also use sudo.
> >
> > This is for monitoring, we use nagios.
> >
> > It works but now I have lots of error messages in /var/log/messages
> > like this one:
> >
> > sudo: GSSAPI Error: Unspecified GSS failure.  Minor code may provide
> > more information (Credentials cache file '/tmp/krb5cc_0' not found)
> >
> > Well, yes, obviously the nagios local user does not have a kerberos
> > ticket. Why the error?
> >
> > I modified /etc/sudoers to allow the nagios user to not use a tty:
> >
> > Defaults:nagios !requiretty
> >
> > And have added nagios config files for sudo in /etc/sudoers.d/
> >
> > nagios  ALL=NOPASSWD: /usr/lib/nagios/plugins/check_logfiles
> >
> > In /etc/nsswitch.conf, sudo looks like this:
> >
> > sudoers:    files ldap
> >
> > Is there anything else I can do or do I just have to live with the
> > error on syslog?

> I wonder if putting this user into the local sssd provider would silence
> it... Just a thought...

Probably not, the question is, why is sudo trying to use roots kerberos
credentials ?

On what platform are you ? With sudo-sssd integration you shouldn't use
directly ldap anymore.

However if you need, what you can do is to have a cronjob generate the 
/tmp/krb5cc_0 ccache from the machine keytab. This will silence the
error, although it will turn into a full bind and search of data in
LDAP. Not sure which you prefer.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to