Discussion:
Error - sudo: account validation failure, is your account locked?
hareesh kumar
2024-05-29 12:21:20 UTC
Hi Team

I am upgrading Kerberos to the latest version, 1.21.2, from version 1.18
using a Dockerfile.
Basically I am installing Kerberos from the community page, unzipping it and
using it in our application.

After I installed Kerberos, added a new user named kdcuser and gave all
the root access to it in the Dockerfile, when I try to create a new
directory krb5kdc in the /etc directory, I am getting this error message:
"sudo: account validation failure, is your account locked?
sudo: a password is required".

Kindly help me out with this issue.
Here are the Dockerfile steps I am using:
ENV PATH=/usr/local/go/bin:/usr/local/bin:$PATH \
LANG=C.UTF-8 \
DEBIAN_FRONTEND=noninteractive
ENV KRB5_KDC_PROFILE=/etc/krb5kdc/kdc.conf

# Setting up variable for Kerberos version
ARG KERBEROS_VERSION=1.21.2
ARG GO_VERSION=1.19.1

# Download and Install Openssl and OpenSSL FIPS Component
RUN set -ex \
&& apt-get update -y \
&& apt-get -y install curl perl build-essential bison flex libssl-dev xinetd sudo supervisor iputils-ping vim wget git file \
&& mkdir -p /usr/local/src/ \
&& cd /usr/local/src/ \
&& curl -O https://kerberos.org/dist/krb5/1.21/krb5-1.21.2.tar.gz \
&& wget https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz \
&& file krb5-1.21.2.tar.gz \
#&& gunzip krb5-1.21.2.tar.gz \
&& mkdir -p /var/lib/krb5kdc \
&& mkdir -p /etc/krb5kdc \
&& tar -xvf krb5-1.21.2.tar.gz \
&& tar -xzf go${GO_VERSION}.linux-amd64.tar.gz -C /usr/local/ \
&& cd krb5-${KERBEROS_VERSION}/src \
&& ./configure --with-crypto-impl=openssl --with-prng-alg=os --localstatedir=/var/lib/ \
&& LDFLAGS="-L/usr/local/lib64" CPPFLAGS="-I/usr/local/include" ./configure --with-crypto-impl=openssl --with-prng-alg=os --localstatedir=/var/lib/ \
&& make \
&& make install \
&& apt-get remove -y build-essential bison flex mailutils-common \
&& apt-get remove -y --purge mysql\* \
&& apt-get autoclean \
&& apt-get clean

RUN adduser --disabled-password --gecos '' kdcuser
RUN echo '%sudo ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
RUN echo "kdcuser ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
RUN adduser kdcuser sudo
RUN addgroup kdcuser tty
RUN usermod -G root kdcuser

USER kdcuser

# Creating dir to store Go bin and KRB5 Config files
RUN sudo mkdir -p /opt/ibm/go \
&& sudo mkdir -p /etc/krb5kdc
Dan Mahoney
2024-06-05 05:04:30 UTC
This doesn’t sound like a kerberos question, this sounds entirely like a problem with sudo, unless your sudo auth inside docker is somehow configured to work against kerberos. Is it?

-Dan
Andrej Mikus
2024-06-05 16:20:21 UTC
I would say that after make install, the system is configured to work
against kerberos, including sudo.

What I do not understand, though, is why one would create a special
user and at the same time give him unlimited sudo rights. Is it not
missing the purpose?

I would not bother with sudoers as broad as here; I would create the
directories as root, chown/chmod them as appropriate and then let the
new user work within the given permissions without the ability to become root.

Andrej
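
The approach Andrej describes, written out as a Dockerfile (an added example, not code from any poster in this thread): the directories are created and handed over while the build still runs as root, so kdcuser needs no sudoers entry and no sudo call. The base image, the use of useradd in place of adduser, and the 0750 mode are assumptions; the user name and paths come from the original post.

```dockerfile
# Added example. The base image is an assumption: the original post does not show its FROM line.
FROM debian:bookworm-slim

ENV KRB5_KDC_PROFILE=/etc/krb5kdc/kdc.conf

# (Build and install krb5 here, as root, as in the RUN step of the original post.)

# Unprivileged account: not in the sudo group, not in group root, no sudoers line.
# useradd is used instead of adduser because it ships with the essential passwd package.
RUN useradd --create-home --shell /bin/bash kdcuser

# Create the directories while still root, then hand over only these paths.
# Mode 0750 is an assumption: full access for the owner, read/traverse for the group, none for others.
RUN mkdir -p /opt/ibm/go /etc/krb5kdc /var/lib/krb5kdc \
 && chown -R kdcuser:kdcuser /opt/ibm/go /etc/krb5kdc /var/lib/krb5kdc \
 && chmod 0750 /opt/ibm/go /etc/krb5kdc /var/lib/krb5kdc

# Every instruction after this line runs as kdcuser, without root and without sudo.
USER kdcuser

# Build-time check: the build fails if kdcuser is still uid 0
# or cannot write to the KDC configuration directory.
RUN test "$(id -u)" -ne 0 \
 && touch /etc/krb5kdc/.write-test \
 && rm /etc/krb5kdc/.write-test
```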
