[36870] in Kerberos


Re: kadmin remote as a regular user

daemon@ATHENA.MIT.EDU (Todd Grayson)
Wed Apr 1 22:27:57 2015

MIME-Version: 1.0
In-Reply-To: <CALNT6MX1CkQoQi2w7AQouDtQu61hoGAY1O+Of5-T_4OUgkkWUg@mail.gmail.com>
From: Todd Grayson <tgrayson@cloudera.com>
Date: Wed, 1 Apr 2015 20:27:29 -0600
Message-ID: <CALNT6MXsJFFLUiWEKzJFKtGwaSrtOeHJKzEO38Myx=WiurbSZQ@mail.gmail.com>
To: Rainer Krienke <krienke@uni-koblenz.de>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kadm5_acl.html

On Wed, Apr 1, 2015 at 8:27 PM, Todd Grayson <tgrayson@cloudera.com> wrote:

> Rainer,
>
> Consider that you do not want to obfuscate keeping track of users modifying
> the KDC database through generic service accounts like admin/admin.  As the
> later discussion in this thread positions; using the kadm5.acl file to name
> users (they don't have to be named with a */admin convention, if you need
> specific users to have access with their normal account... but you might
> want to consider doing it anyway, so they have to actually enable their
> admin access before attempting to modify the KDC).
>
> The kadm5.acl file also supports defining user limits on who and what can
> be modified...
>
>
> On Tue, Mar 31, 2015 at 5:56 AM, Rainer Krienke <krienke@uni-koblenz.de>
> wrote:
>
>> Hello,
>>
>> I would like to achieve the following. A particular user, say "john", logs
>> in at a Linux system or authenticates in Apache against Kerberos.
>> Now I would like to allow this user "john" to run kadmin commands
>> without entering any additional password.
>>
>> I first thought that kadmin is like a service and exported the principal
>> admin/admin to a keytab file which I copied to a remote system. On this
>> system I was then able to call
>>
>> $ kadmin -k -t /etc/krb5.keytab -p admin/admin
>> Authenticating as principal admin/admin with keytab /etc/krb5.keytab.
>> kadmin: getprincs
>> ...
>>
>> However this does not work the way I expected. Now I can even destroy
>> the user ticket of john with kdestroy -c /tmp/krb5cc_1234 that john got
>> when logging into the system and kadmin still works.
>>
>> What I wanted is that kadmin only works when a particular user has
>> logged in and has authenticated against Kerberos. Now any user that
>> could log in to the system would be able to run kadmin if he has access
>> to the keytab file.
>>
>> So, after all, what I want is Kerberos-based single sign-on for kadmin
>> usage.
>>
>> Any idea how to configure this?
>>
>> Thanks
>> Rainer
>> --
>> Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1,
>> 56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
>> PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
>>
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
> --
> Todd Grayson
> Customer Operations Engineering
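To make the kadm5.acl point above concrete, here is an added example file (not from the thread or from MIT's documentation; the realm EXAMPLE.COM, the principal names, the policy name and the file path are assumptions) that puts the shared admin/admin entry the original poster tried beside per-user entries with limited rights:

```text
# /var/kerberos/krb5kdc/kadm5.acl  (added example; realm, principal names,
# policy name and path are assumed, not taken from the thread)
#
# Format: principal  permissions  [target_principal  [restrictions]]
# Lower-case letters grant an operation, upper-case letters deny it, and the
# first line whose principal (and target, if given) match decides.
#   a add   d delete   m modify   c change password   i inquire   l list
#   x or *  all operations

# What the original poster tried: one generic identity with full rights.
# Every holder of its keytab shows up in the kadmind log as admin/admin,
# which is the loss of per-user accountability Todd warns about.
admin/admin@EXAMPLE.COM   *

# Named accounts instead. john runs kadmin with his own credentials but may
# only inquire about, and change the password of, host/ service principals.
john@EXAMPLE.COM          ci      host/*@EXAMPLE.COM

# jane's normal account may add and inquire about single-component (user)
# principals, must attach the assumed policy "users" when she does, and is
# explicitly denied everything under */admin (deny line listed first).
jane@EXAMPLE.COM          ADMCIL  */admin@EXAMPLE.COM
jane@EXAMPLE.COM          ai      *@EXAMPLE.COM  -policy users

# Full privilege only when a person deliberately uses an admin instance,
# the */admin convention Todd recommends enabling before touching the KDC.
*/admin@EXAMPLE.COM       *
```

With an entry like john's in place, `kadmin -c /tmp/krb5cc_1234` drives kadmin from the credentials cache john already obtained at login (kadmin fetches the kadmin/admin service ticket from it), which is the single sign-on the original poster asked for; he still gets only what his ACL line grants.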
