On Wed, 05.Jun.24 12:00:55 -0400, kerberos-requ...@mit.edu wrote:
>
> > On May 29, 2024, at 08:21, hareesh kumar
> > <hareeshkumarperugupa...@gmail.com> wrote:
> >
> > Hi Team
> >
> > I am upgrading kerberos latest version 1.21.2 from 1.18 version using
> > docker file .
> > Basically I am installing the kerberos from the community page, unzip and
> > use it in our application.
> >
> > After I installed kerberos and added a new user named kdcuser , gave all
> > the root access to it in the docker file and when I try to create new
> > directory as in /etc directory krb5kdc. I am getting this error message as
> > "sudo: account validation failure, is your account locked?
> > sudo: a password is required".
> >
> > Kindly help me out with this issue
> > here are the docker file steps I am using
> > ENV PATH=/usr/local/go/bin:/usr/local/bin:$PATH \
> > LANG=C.UTF-8 \
> > DEBIAN_FRONTEND=noninteractive
> > ENV KRB5_KDC_PROFILE=/etc/krb5kdc/kdc.conf
> >
> > # Setting up variable for Kerberos version
> > ARG KERBEROS_VERSION=1.21.2
> > ARG GO_VERSION=1.19.1
> >
> > # Download and Install Openssl and OpenSSL FIPS Component
> > RUN set -ex \
> > && apt-get update -y \
> > && apt-get -y install curl perl build-essential bison flex libssl-dev xinetd sudo supervisor iputils-ping vim wget git file \
> > && mkdir -p /usr/local/src/ \
> > && cd /usr/local/src/ \
> > && curl -O https://kerberos.org/dist/krb5/1.21/krb5-1.21.2.tar.gz \
> > && wget https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz \
> > && file krb5-1.21.2.tar.gz \
> > #&& gunzip krb5-1.21.2.tar.gz \
> > && mkdir -p /var/lib/krb5kdc \
> > && mkdir -p /etc/krb5kdc \
> > && tar -xvf krb5-1.21.2.tar.gz \
> > && tar -xzf go${GO_VERSION}.linux-amd64.tar.gz -C /usr/local/ \
> > && cd krb5-${KERBEROS_VERSION}/src \
> > && ./configure --with-crypto-impl=openssl --with-prng-alg=os --localstatedir=/var/lib/ \
> > && LDFLAGS="-L/usr/local/lib64" CPPFLAGS="-I/usr/local/include" ./configure --with-crypto-impl=openssl --with-prng-alg=os --localstatedir=/var/lib/ \
> > && make \
> > && make install \
> > && apt-get remove -y build-essential bison flex mailutils-common \
> > && apt-get remove -y --purge mysql\* \
> > && apt-get autoclean \
> > && apt-get clean
> >
> > RUN adduser --disabled-password --gecos '' kdcuser
> > RUN echo '%sudo ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
> > RUN echo "kdcuser ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
> > RUN adduser kdcuser sudo
> > RUN addgroup kdcuser tty
> > RUN usermod -G root kdcuser
> >
> > USER kdcuser
> >
> > # Creating dir to store Go bin and KRB5 Config files
> > RUN sudo mkdir -p /opt/ibm/go \
> > && sudo mkdir -p /etc/krb5kdc
>
> This doesn't sound like a kerberos question, this sounds entirely like a
> problem with sudo, unless your sudo auth inside docker is somehow configured
> to work against kerberos. Is it?
>
> -Dan

I would say that after make install, the system is configured to work against kerberos, including sudo.

What I do not understand though is why one would create a special user and at the same time give him unlimited sudo rights. Is it not missing the purpose?

I would not bother with sudoers as broad as here, create the directories as root, chown/chmod them as appropriate and then let the new user work within given permissions without ability to become root.

Andrej
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
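
Added example, not part of the thread and not the poster's own file: a Dockerfile fragment following the approach in the last reply, with the directories created as root, ownership and modes set, and an unprivileged user that never calls sudo. The user name and paths are taken from the original post; the ownership and mode values are assumptions to adjust for the actual deployment.

```dockerfile
# Added example. Place after the build/install step, while still running as root.
# Assumed (not from the thread): the 0750/0700 modes and that kdcuser should
# own all three directories.

# Unprivileged account: no sudoers entries, no membership in sudo or root groups.
RUN adduser --disabled-password --gecos '' kdcuser

# Create the directories as root and hand over only what kdcuser needs.
RUN mkdir -p /opt/ibm/go /etc/krb5kdc /var/lib/krb5kdc \
 && chown -R kdcuser:kdcuser /opt/ibm/go /etc/krb5kdc /var/lib/krb5kdc \
 && chmod 0750 /opt/ibm/go /etc/krb5kdc \
 && chmod 0700 /var/lib/krb5kdc

# Drop privileges last; every later RUN/CMD step runs as kdcuser without sudo.
USER kdcuser

# Build-time check: the build fails if kdcuser cannot write where it must,
# can still write to root-owned /etc, or is running with uid 0.
RUN test -w /etc/krb5kdc \
 && test -w /var/lib/krb5kdc \
 && test -w /opt/ibm/go \
 && ! test -w /etc \
 && [ "$(id -u)" != "0" ]
```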