[36863] in Kerberos


kadmin remote as a regular user

daemon@ATHENA.MIT.EDU (Rainer Krienke)
Tue Mar 31 07:57:15 2015

Message-ID: <551A8B84.6080006@uni-koblenz.de>
Date: Tue, 31 Mar 2015 13:56:52 +0200
From: Rainer Krienke <krienke@uni-koblenz.de>
To: kerberos@mit.edu

Hello,

I would like to achieve the following. A particular user, say "john", logs
in at a Linux system or authenticates in Apache against Kerberos.
Now I would like to allow this user "john" to run kadmin commands
without entering any additional other password.

I first thought that kadmin is like a service and exported the principal
admin/admin to a keytab file which I copied to a remote system. On this
system I was then able to call

$ kadmin -k -t /etc/krb5.keytab -p admin/admin
Authenticating as principal admin/admin with keytab /etc/krb5.keytab.
kadmin: getprincs
...

However this does not work the way I expected. Now I can even destroy
the user ticket of john with kdestroy -c /tmp/krb5cc_1234 that john got
when logging into the system and kadmin still works.

What I wanted is that kadmin only works when a particular user has
logged in and has authenticated against Kerberos. Now any user that
could log into the system would be able to run kadmin if he has access
to the keytab file.

So after all, what I want is Kerberos-based single sign-on for kadmin usage.

Any idea how to configure this?

Thanks
Rainer
-- 
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
