On Tue, 2014-01-14 at 11:34 -0500, Dmitri Pal wrote:
> On 01/14/2014 06:17 AM, Natxo Asenjo wrote:
> > hi,
> >
> > after using sudo from ipa extensively I needed to configure a local
> > user to also use sudo.
> >
> > This is for monitoring, we use nagios.
> >
> > It works but now I have lots of error messages in /var/log/messages
> > like this one:
> >
> > sudo: GSSAPI Error: Unspecified GSS failure. Minor code may provide
> > more information (Credentials cache file '/tmp/krb5cc_0' not found)
> >
> > Well, yes, obviously the nagios local user does not have a kerberos
> > ticket. Why the error?
> >
> > I modified /etc/sudoers to allow the nagios user to not use a tty:
> >
> > Defaults:nagios !requiretty
> >
> > And have added nagios config files for sudo in /etc/sudoers.d/
> >
> > nagios ALL=NOPASSWD: /usr/lib/nagios/plugins/check_logfiles
> >
> > In /etc/nsswitch.conf, sudo looks like this:
> >
> > sudoers: files ldap
> >
> > Is there anything else I can do or do I just have to live with the
> > error on syslog?
>
> I wonder if putting this user into the local sssd provider would silence
> it... Just a thought...

Probably not, the question is, why is sudo trying to use root's kerberos
credentials?

On what platform are you?
With sudo-sssd integration you shouldn't use ldap directly anymore.

However if you need, what you can do is to have a cronjob generate the
/tmp/krb5cc_0 ccache from the machine keytab. This will silence the
error, although it will turn into a full bind and search of data in
LDAP. Not sure which you prefer.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
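
Added example, not part of the original thread and not code from sudo, SSSD or FreeIPA: a shell sketch of the two options discussed above. It checks whether the `sudoers:` line in nsswitch.conf sends sudo to LDAP directly, and refreshes root's ccache from the machine keytab for use from a root cron job. The keytab path `/etc/krb5.keytab`, the `host/<fqdn>` principal and all function names are assumptions.

```shell
#!/bin/sh
# Added example; function names, keytab path and principal are assumptions.

# Print the sources on the "sudoers:" line of an nsswitch.conf-style file,
# one per line, skipping comments and [action] items.
sudoers_sources() {
    sed -e 's/#.*//' "$1" |
    awk '$1 == "sudoers:" { for (i = 2; i <= NF; i++) if ($i !~ /^\[/) print $i }'
}

# Classify the lookup path: "direct-ldap" (sudo binds to LDAP itself and
# wants a ccache), "sssd" (lookups go through SSSD), or "local-only".
classify_sudoers() {
    sources=$(sudoers_sources "$1")
    if printf '%s\n' "$sources" | grep -qx 'ldap'; then
        echo direct-ldap
    elif printf '%s\n' "$sources" | grep -qx 'sss'; then
        echo sssd
    else
        echo local-only
    fi
}

# Cron-job body for the workaround in the reply: keep a valid ccache at
# /tmp/krb5cc_0, obtained from the machine keytab. Run as root.
refresh_root_ccache() {
    ccache=${1:-/tmp/krb5cc_0}
    keytab=${2:-/etc/krb5.keytab}          # assumed default keytab location
    # klist -s is silent and exits non-zero if the cache is missing/expired.
    klist -s "$ccache" 2>/dev/null && return 0
    kinit -k -t "$keytab" -c "$ccache" "host/$(hostname -f)"
}

# Constructed sample reproducing the nsswitch.conf line quoted in the thread.
sample=$(mktemp)
printf 'passwd: files sss\nsudoers: files ldap\n' > "$sample"
echo "sample nsswitch.conf -> $(classify_sudoers "$sample")"
rm -f "$sample"
```

Only the classification runs by default; `refresh_root_ccache` is defined but has to be called explicitly, for example from root's crontab.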
