On Fri, 18 Feb 2011 13:18:36 +0000 JR Aquino <jr.aqu...@citrix.com> wrote:
> I'm afraid not, Simo.
> As you recall, both /etc/sudoers and the 2 Sudo containers in FreeIPA
> are protected. There is a deliberate default aci which prevents
> anonymous users from enumerating everyone's Sudo information.
>
> This means it is necessary for Sudo to initiate some form of
> authenticated bind.
>
> And as we discovered, the SUDO SASL implementation is suboptimal in
> that it seems to want a cronjob to sit around kinit'ing
> the /etc/krb5.keytab in order to use its ccache.

Ouch, I forgot about the ACIs ...
I guess we should document how to remove them as an alternative too?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel