• Re: Error - sudo: account validation failure, is your account locked?

    From Dan Mahoney@21:1/5 to hareesh kumar on Wed Jun 5 01:04:30 2024
    Copy: kerberos@mit.edu

    On May 29, 2024, at 08:21, hareesh kumar <hareeshkumarperugupalli@gmail.com> wrote:

    Hi Team

    I am upgrading Kerberos from version 1.18 to the latest version, 1.21.2, using
    a Dockerfile.
    Basically I am installing Kerberos from the community page, unzipping it and
    using it in our application.

    After I installed Kerberos, added a new user named kdcuser and gave it all
    root access in the Dockerfile, when I try to create a new directory krb5kdc in the /etc directory I get this error message: "sudo: account validation failure, is your account locked?
    sudo: a password is required".

    Kindly help me out with this issue.
    Here are the Dockerfile steps I am using:
    ENV PATH=/usr/local/go/bin:/usr/local/bin:$PATH \
    LANG=C.UTF-8 \
    DEBIAN_FRONTEND=noninteractive
    ENV KRB5_KDC_PROFILE=/etc/krb5kdc/kdc.conf

    # Setting up variable for Kerberos version
    ARG KERBEROS_VERSION=1.21.2
    ARG GO_VERSION=1.19.1

    # Download and Install Openssl and OpenSSL FIPS Component
    RUN set -ex \
    && apt-get update -y \
    && apt-get -y install curl perl build-essential bison flex libssl-dev xinetd sudo supervisor iputils-ping vim wget git file \
    && mkdir -p /usr/local/src/ \
    && cd /usr/local/src/ \
    && curl -O https://kerberos.org/dist/krb5/1.21/krb5-1.21.2.tar.gz \
    && wget https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz \
    && file krb5-1.21.2.tar.gz \
    #&& gunzip krb5-1.21.2.tar.gz \
    && mkdir -p /var/lib/krb5kdc \
    && mkdir -p /etc/krb5kdc \
    && tar -xvf krb5-1.21.2.tar.gz \
    && tar -xzf go${GO_VERSION}.linux-amd64.tar.gz -C /usr/local/ \
    && cd krb5-${KERBEROS_VERSION}/src \
    && ./configure --with-crypto-impl=openssl --with-prng-alg=os --localstatedir=/var/lib/ \
    && LDFLAGS="-L/usr/local/lib64" CPPFLAGS="-I/usr/local/include" ./configure --with-crypto-impl=openssl --with-prng-alg=os --localstatedir=/var/lib/ \
    && make \
    && make install \
    && apt-get remove -y build-essential bison flex mailutils-common \
    && apt-get remove -y --purge mysql\* \
    && apt-get autoclean \
    && apt-get clean

    RUN adduser --disabled-password --gecos '' kdcuser
    RUN echo '%sudo ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
    RUN echo "kdcuser ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
    RUN adduser kdcuser sudo
    RUN addgroup kdcuser tty
    RUN usermod -G root kdcuser

    USER kdcuser

    # Creating dir to store Go bin and KRB5 Config files
    RUN sudo mkdir -p /opt/ibm/go \
    && sudo mkdir -p /etc/krb5kdc

    This doesn't sound like a Kerberos question; this sounds entirely like a problem with sudo, unless your sudo auth inside Docker is somehow configured to work against Kerberos. Is it?

    -Dan

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Andrej Mikus@21:1/5 to kerberos-request@mit.edu on Wed Jun 5 18:20:21 2024
    On Wed, 05.Jun.24 12:00:55 -0400, kerberos-request@mit.edu wrote:

    On May 29, 2024, at 08:21, hareesh kumar <hareeshkumarperugupalli@gmail.com> wrote:

    Hi Team

    I am upgrading Kerberos from version 1.18 to the latest version, 1.21.2, using a Dockerfile.
    Basically I am installing Kerberos from the community page, unzipping it and using it in our application.

    After I installed Kerberos, added a new user named kdcuser and gave it all root access in the Dockerfile, when I try to create a new directory krb5kdc in the /etc directory I get this error message: "sudo: account validation failure, is your account locked?
    sudo: a password is required".

    Kindly help me out with this issue.
    Here are the Dockerfile steps I am using:
    ENV PATH=/usr/local/go/bin:/usr/local/bin:$PATH \
    LANG=C.UTF-8 \
    DEBIAN_FRONTEND=noninteractive
    ENV KRB5_KDC_PROFILE=/etc/krb5kdc/kdc.conf

    # Setting up variable for Kerberos version
    ARG KERBEROS_VERSION=1.21.2
    ARG GO_VERSION=1.19.1

    # Download and Install Openssl and OpenSSL FIPS Component
    RUN set -ex \
    && apt-get update -y \
    && apt-get -y install curl perl build-essential bison flex libssl-dev xinetd sudo supervisor iputils-ping vim wget git file \
    && mkdir -p /usr/local/src/ \
    && cd /usr/local/src/ \
    && curl -O https://kerberos.org/dist/krb5/1.21/krb5-1.21.2.tar.gz \
    && wget https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz \
    && file krb5-1.21.2.tar.gz \
    #&& gunzip krb5-1.21.2.tar.gz \
    && mkdir -p /var/lib/krb5kdc \
    && mkdir -p /etc/krb5kdc \
    && tar -xvf krb5-1.21.2.tar.gz \
    && tar -xzf go${GO_VERSION}.linux-amd64.tar.gz -C /usr/local/ \
    && cd krb5-${KERBEROS_VERSION}/src \
    && ./configure --with-crypto-impl=openssl --with-prng-alg=os --localstatedir=/var/lib/ \
    && LDFLAGS="-L/usr/local/lib64" CPPFLAGS="-I/usr/local/include" ./configure --with-crypto-impl=openssl --with-prng-alg=os --localstatedir=/var/lib/ \
    && make \
    && make install \
    && apt-get remove -y build-essential bison flex mailutils-common \
    && apt-get remove -y --purge mysql\* \
    && apt-get autoclean \
    && apt-get clean

    RUN adduser --disabled-password --gecos '' kdcuser
    RUN echo '%sudo ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
    RUN echo "kdcuser ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
    RUN adduser kdcuser sudo
    RUN addgroup kdcuser tty
    RUN usermod -G root kdcuser

    USER kdcuser

    # Creating dir to store Go bin and KRB5 Config files
    RUN sudo mkdir -p /opt/ibm/go \
    && sudo mkdir -p /etc/krb5kdc

    This doesn't sound like a Kerberos question; this sounds entirely like a problem with sudo, unless your sudo auth inside Docker is somehow configured to work against Kerberos. Is it?

    -Dan

    I would say that after make install, the system is configured to work
    against Kerberos, including sudo.

    What I do not understand, though, is why one would create a special
    user and at the same time give it unlimited sudo rights. Is that not
    defeating the purpose?

    I would not bother with sudoers rules as broad as these; I would create the
    directories as root, chown/chmod them as appropriate and then let the
    new user work within the given permissions, without the ability to become root.

    Andrej

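The layout Andrej describes, as an added example rather than the poster's Dockerfile or anything from the krb5 project: the build runs as root, creates the KDC directories with root ownership, chowns/chmods them to exactly what the service needs, and then drops to an unprivileged account, so no sudo package and no sudoers rules exist in the image. The base image tag, the kdcuser account, the kdc.conf file in the build context and the use of BuildKit (for COPY --chmod) are my assumptions. Two details from the original are deliberately absent: the account is never added to root, sudo or tty, and there is no usermod -G call (without -a, usermod -G replaces the supplementary group list rather than adding to it).

```dockerfile
# Added example, not the original poster's Dockerfile and not krb5 project code.
# Assumptions: debian:bookworm-slim as base, a service account named kdcuser,
# a kdc.conf present in the build context, and BuildKit for COPY --chmod.
FROM debian:bookworm-slim

ARG KERBEROS_VERSION=1.21.2
ENV KRB5_KDC_PROFILE=/etc/krb5kdc/kdc.conf

# Build and install krb5 as root. Only build tools and libcap2-bin (for setcap
# below) are added; the build tools are removed again once make install is done.
RUN set -ex \
 && apt-get update -y \
 && apt-get -y install --no-install-recommends ca-certificates curl build-essential bison flex libssl-dev libcap2-bin \
 && mkdir -p /usr/local/src && cd /usr/local/src \
 && curl -fsSLO https://kerberos.org/dist/krb5/1.21/krb5-${KERBEROS_VERSION}.tar.gz \
 && tar -xzf krb5-${KERBEROS_VERSION}.tar.gz \
 && cd krb5-${KERBEROS_VERSION}/src \
 && ./configure --with-crypto-impl=openssl --with-prng-alg=os --localstatedir=/var/lib \
 && make && make install && ldconfig \
 && apt-get remove -y --purge build-essential bison flex \
 && apt-get autoremove -y && apt-get clean \
 && rm -rf /var/lib/apt/lists/* /usr/local/src/*

# Service account: system user, no password, no login shell, no sudo, and no
# membership in root, sudo or tty.
RUN adduser --system --group --no-create-home --shell /usr/sbin/nologin kdcuser

# Directories the KDC needs, created by root and handed over only as far as the
# service requires: the config directory is readable by kdcuser but writable
# only by root; the principal database directory is private to kdcuser.
RUN install -d -o root -g kdcuser -m 0750 /etc/krb5kdc \
 && install -d -o kdcuser -g kdcuser -m 0700 /var/lib/krb5kdc

# kdc.conf is assumed to exist in the build context (not shown here).
COPY --chown=root:kdcuser --chmod=0640 kdc.conf /etc/krb5kdc/kdc.conf

# Port 88 is a privileged port; grant the binary only the capability to bind
# it instead of running the daemon as root.
RUN setcap cap_net_bind_service=+ep /usr/local/sbin/krb5kdc

# Everything from here on runs as the unprivileged account.
USER kdcuser
WORKDIR /var/lib/krb5kdc

EXPOSE 88/tcp 88/udp
# -n keeps krb5kdc in the foreground, which is what a container wants.
CMD ["/usr/local/sbin/krb5kdc", "-n"]
```

With --localstatedir=/var/lib the principal database and the stash file default to /var/lib/krb5kdc, so `kdb5_util create -s` can be run as kdcuser at first start without any privilege escalation. If an image really does still need sudo, Dan's question is answered by inspecting the container's PAM stack rather than by adding more sudoers lines: /etc/pam.d/sudo and /etc/pam.d/common-account show which account-management modules sudo consults, and `passwd -S kdcuser` shows whether the account itself is locked or expired.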