
sudo oddities

  • June 21, 2021
  • 7 replies
  • 1 view

This is sudo version 1.8.21p2

When I ran sudo there were complaints about setuid bits and so on. After I have corrected all that stuff the sudo binary looks as follows:

```
# ls -lEn sudo
---s--x--x -p-- 1 0 0 11964416 Apr 7 06:13 sudo
```

If I run `sudo -l` as a normal user I get

```
sudo: kerb5: unable to parse 'DEMNT15': Configuration file does not specify default realm
```

Where and how do I specify a default realm?

Thanks, Manfred

------------------------------
Manfred Lotz
IBM
------------------------------

7 replies

Vladimir Ein
  • June 21, 2021
Hello Manfred,

The default realm is configured in the Kerberos config file, which is /etc/krb5.conf. This config file, however, should already contain proper values if Kerberos is used on your system. If Kerberos is not used, there's no point in adding that file - instead of that, you need to install the version of sudo configured to work without Kerberos. At the moment it is only available in Rocket's secure channel, the package name is sudo_nokrb.

Regards,
Vladimir

------------------------------
Vladimir Ein
Rocket Software
------------------------------
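
Added example (not written by either poster and not Rocket's code): a shell check for the two conditions raised so far, whether a krb5.conf sets `default_realm` under `[libdefaults]`, and whether a sudo binary is setuid and owned by uid 0 as in the listing in the first post. The function names and the `EXAMPLE.COM` sample are constructed for illustration; `/etc/krb5.conf` is the path named in the reply above.

```shell
#!/bin/sh
# Added example: diagnostics for the two conditions discussed in this thread.
# Function names are hypothetical; paths are parameters.

# Print default_realm from the [libdefaults] section of a krb5.conf.
# Returns 0 if found, 1 if the file is unreadable, 2 if no default_realm is set.
krb5_default_realm() {
    conf=${1:-/etc/krb5.conf}
    [ -r "$conf" ] || return 1
    awk '
        /^[ \t]*[#;]/ { next }    # krb5.conf comment lines start with # or ;
        /^[ \t]*\[/   { insec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        insec && /^[ \t]*default_realm[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")    # drop "default_realm ="
            sub(/[ \t\r]+$/, "")        # drop trailing whitespace
            if ($0 != "") { print; found = 1; exit }
        }
        END { exit(found ? 0 : 2) }
    ' "$conf"
}

# Succeed only if the file has the setuid bit and numeric owner 0.
# Returns 1 if not a regular file, 2 if not setuid, 3 if not owned by uid 0.
sudo_binary_ok() {
    bin=$1
    [ -f "$bin" ] || return 1
    set -- $(ls -lnd "$bin")    # $1 = mode string, $3 = numeric owner
    case $1 in
        ???[sS]*) ;;            # 4th character is the owner-execute/setuid slot
        *) return 2 ;;
    esac
    [ "$3" = 0 ] || return 3
}

# Demo on a constructed config (sample data, not taken from the thread).
demo=$(mktemp) && printf '[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n' > "$demo"
echo "default_realm: $(krb5_default_realm "$demo")"
rm -f "$demo"
```

A return code of 1 or 2 from `krb5_default_realm` corresponds to the situation in which the Kerberos-enabled sudo prints the warning quoted in the first post.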

  • June 22, 2021
Hi Vladimir,
Thanks for your reply.

We don't use Kerberos.

If I understand you correctly the publicly available sudo isn't usable by all who don't use Kerberos. Is there a time frame when Rocket plans to make a sudo without Kerberos available in the public channel?

--
Manfred

------------------------------
Manfred Lotz
IBM
------------------------------

Vladimir Ein
  • June 22, 2021
It appears that this message is only a warning and does not prevent sudo from working correctly. Unfortunately there's no way to suppress the message.

------------------------------
Vladimir Ein
Rocket Software
------------------------------

  • June 22, 2021
I try to understand.

We have

1. The sudo from the previous Rocket Ported Tools, i.e. 1.8.21p2 with build 005-nokrb doesn't show that message.

Makes sense, as it is built without Kerberos support.

2. The sudo from the miniconda install (public channel) which is 1.8.21p2 build 3 shows that message because it supports Kerberos.

You say:
> only a warning and does not prevent sudo from working correctly

You are right. It works ok. Nevertheless, the message is ugly.

The ideal solution would be if the Kerberos-based sudo could be used without the warning when Kerberos is not used. I almost cannot believe that this wouldn't be possible to configure.

--
Manfred



------------------------------
Manfred Lotz
IBM
------------------------------

Vladimir Ein
  • June 22, 2021

Unfortunately it is configured at compile time and cannot be changed at runtime. If sudo is built with Kerberos support, it initializes the Kerberos authentication method at startup (no way around that). Without krb5.conf, Kerberos initialization fails, and sudo disables this authentication method and goes on as if there were no Kerberos at all - but there's no way to disable it permanently.

------------------------------
Vladimir Ein
Rocket Software
------------------------------

Vladimir Ein
  • June 23, 2021
A follow-up on this - sudo_nokrb is expected to show up in the public channel by June 30.

------------------------------
Vladimir Ein
Rocket Software
------------------------------

  • June 23, 2021
Thanks a lot, Vladimir.

Sounds good!


Manfred

------------------------------
Manfred Lotz
IBM
------------------------------