[39433] in Kerberos
Re: Error - sudo: account validation failure, is your account locked?
daemon@ATHENA.MIT.EDU (Andrej Mikus)
Wed Jun 5 12:20:42 2024
Date: Wed, 5 Jun 2024 18:20:21 +0200
From: Andrej Mikus <a-krb5user@mikus.sk>
To: kerberos@mit.edu
Message-ID: <20240605162021.GA611652@mikus.sk>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <mailman.373.1717603255.2059741.kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Wed, 05.Jun.24 12:00:55 -0400, kerberos-request@mit.edu wrote:
>
> > On May 29, 2024, at 08:21, hareesh kumar <hareeshkumarperugupalli@gmail.com> wrote:
> >
> > Hi Team
> >
> > I am upgrading kerberos latest version 1.21.2 from 1.18 version using
> > docker file .
> > Basically I am installing the kerberos from the community page, unzip and
> > use it in our application.
> >
> > After i installed kerberos and added a new user named kdcuser , gave all
> > the root access to it in the docker file and when i try to create new
> > directory as in /etc directory krb5kdc. I am getting this error message as
> > "sudo: account validation failure, is your account locked?
> > sudo: a password is required".
> >
> > Kindly help me out with this issue
> > here are the docker file steps i am using
> > ENV PATH=/usr/local/go/bin:/usr/local/bin:$PATH \
> > LANG=C.UTF-8 \
> > DEBIAN_FRONTEND=noninteractive
> > ENV KRB5_KDC_PROFILE=/etc/krb5kdc/kdc.conf
> >
> > # Setting up variable for Kerberos version
> > ARG KERBEROS_VERSION=1.21.2
> > ARG GO_VERSION=1.19.1
> >
> > # Download and Install Openssl and OpenSSL FIPS Component
> > RUN set -ex \
> > && apt-get update -y \
> > && apt-get -y install curl perl build-essential bison flex libssl-dev xinetd
> > sudo supervisor iputils-ping vim wget git file \
> > && mkdir -p /usr/local/src/ \
> > && cd /usr/local/src/ \
> > && curl -O https://kerberos.org/dist/krb5/1.21/krb5-1.21.2.tar.gz \
> > && wget https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz \
> > && file krb5-1.21.2.tar.gz \
> > #&& gunzip krb5-1.21.2.tar.gz \
> > && mkdir -p /var/lib/krb5kdc \
> > && mkdir -p /etc/krb5kdc \
> > && tar -xvf krb5-1.21.2.tar.gz \
> > && tar -xzf go${GO_VERSION}.linux-amd64.tar.gz -C /usr/local/ \
> > && cd krb5-${KERBEROS_VERSION}/src \
> > && ./configure --with-crypto-impl=openssl --with-prng-alg=os
> > --localstatedir=/var/lib/ \
> > && LDFLAGS="-L/usr/local/lib64" CPPFLAGS="-I/usr/local/include" ./configure
> > --with-crypto-impl=openssl --with-prng-alg=os --localstatedir=/var/lib/ \
> > && make \
> > && make install \
> > && apt-get remove -y build-essential bison flex mailutils-common \
> > && apt-get remove -y --purge mysql\* \
> > && apt-get autoclean \
> > && apt-get clean
> >
> > RUN adduser --disabled-password --gecos '' kdcuser
> > RUN echo '%sudo ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
> > RUN echo "kdcuser ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
> > RUN adduser kdcuser sudo
> > RUN addgroup kdcuser tty
> > RUN usermod -G root kdcuser
> >
> > USER kdcuser
> >
> > # Creating dir to store Go bin and KRB5 Config files
> > RUN sudo mkdir -p /opt/ibm/go \
> > && sudo mkdir -p /etc/krb5kdc
>
> This doesn?t sound like a kerberos question, this sounds entirely like a problem with sudo, unless your sudo auth inside docker is somehow configured to work against kerberos. Is it?
>
> -Dan
I would say that after make install, the system is configured to work
againt kerberos, including sudo.
What I do not understand though is that why would one create a special
user and at the same time give him unlimited sudo rights. Is it not
missing the purpose?
I would not bother with sudoers as broad as here, created the
directories as root, chown/chmod them as appropriate and then let the
new user work within given permissions without ability to become root.
Andrej
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
