On Wed, Jan 15, 2014 at 6:49 AM, Simo Sorce <s...@redhat.com> wrote:
> On Tue, 2014-01-14 at 11:34 -0500, Dmitri Pal wrote:
>> On 01/14/2014 06:17 AM, Natxo Asenjo wrote:

>> > Is there anything else I can do or do I just have to live with the
>> > error on syslog?
>> I wonder if putting this user into the local sssd provider would silence
>> it... Just a thought...
> Probably not, the question is, why is sudo trying to use root's kerberos
> credentials?

No idea. According to /etc/nsswitch.conf, it should read local sudoers first:

$ grep sudo /etc/nsswitch.conf
sudoers:    files ldap

The nagios user is a local user that gets installed when installing
nrpe (the nagios agent). This is what gets polled remote by the nagios

> On what platform are you? With sudo-sssd integration you shouldn't use
> directly ldap anymore.

CentOS 6.5 on these hosts. So if I use sssd instead of ldap for sudo
this could go away?

> However if you need, what you can do is to have a cronjob generate the
> /tmp/krb5cc_0 ccache from the machine keytab. This will silence the
> error, although it will turn into a full bind and search of data in
> LDAP. Not sure which you prefer.

Yes, I had thought of that. Is that a potential risk in your opinion?
I mean, in order to use it, they need root rights and if they have,
well, it could be generated as well. What do you think?

Besides, it should not have to bind because files comes first.

Thanks for taking the time to look into this.



Freeipa-users mailing list
