[29770] in Kerberos
kadmin.acl usage.
daemon@ATHENA.MIT.EDU (clockwork)
Mon Apr 28 15:19:54 2008
Message-ID: <5849d9130804281217r25eec3a0u82d68c115fb6e4f5@mail.gmail.com>
Date: Mon, 28 Apr 2008 15:17:15 -0400
From: clockwork <clockwork@sigsys.org>
To: kerberos@mit.edu

So we have a Kerberos instance at work, and we'd like to delegate limited
admin abilities (namely host and service keytab creation) to some
developers. We don't want to create a separate realm for this, and doing some
research on the ACL capabilities leads me to believe that this should be
doable. I'm thinking the following should work:

royce/admin@SIGSYS.ORG C */lab.sigsys.org@SIGSYS.ORG

That should allow the dev in question, 'royce', to create principals for
host/foo2.lab.bit.org or http/foo.lab.bit.org (or anything in the
.lab.bit.org space) but not change any passwords. Will this work? Most of
the docs refer to 'instance' and I'm not entirely sure that this logic
applies to names or specific things set up within the realm itself.

Any feedback or assistance is appreciated.
-C
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
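
Added example, not part of the original message and not MIT's code: a small Python model of kadm5.acl evaluation as the MIT documentation describes it (a lowercase letter permits an operation, its uppercase form denies it, and the first matching line decides), run on the ACL line from the message and on one constructed alternative. It assumes `*` wildcards only a whole name component; the function names and the alternative line are illustrative.

```python
# Model of kadm5.acl evaluation (added example, not MIT's implementation).
# Letters handled: a=add, c=change password, d=delete, i=inquire, l=list, m=modify.

def parse_principal(name):
    """Split 'comp1/comp2@REALM' into (list of components, realm)."""
    base, _, realm = name.partition("@")
    return base.split("/"), realm

def component_match(pattern, value):
    # Assumption: '*' stands for one whole component; no partial globbing.
    return pattern == "*" or pattern == value

def principal_match(pattern, name):
    pcomps, prealm = parse_principal(pattern)
    ncomps, nrealm = parse_principal(name)
    return (len(pcomps) == len(ncomps)
            and component_match(prealm, nrealm)
            and all(component_match(p, n) for p, n in zip(pcomps, ncomps)))

def parse_acl_line(line):
    """Return (actor pattern, permission string, target pattern or None)."""
    fields = line.split()
    return fields[0], fields[1], fields[2] if len(fields) > 2 else None

def allowed(acl_lines, actor, op, target):
    """op is a lowercase permission letter; the first matching line decides."""
    for line in acl_lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        who, perms, tpat = parse_acl_line(line)
        if principal_match(who, actor) and (tpat is None or principal_match(tpat, target)):
            # An uppercase letter (deny) never equals the lowercase op.
            return op in perms
    return False  # no matching line: no privilege

# The ACL line from the message.
PAGE_LINE = "royce/admin@SIGSYS.ORG C */lab.sigsys.org@SIGSYS.ORG"
# Constructed alternative: permit add, deny password change, on host principals.
ALT_LINE = "royce/admin@SIGSYS.ORG aC host/*@SIGSYS.ORG"

if __name__ == "__main__":
    actor = "royce/admin@SIGSYS.ORG"
    target = "host/foo2.lab.sigsys.org@SIGSYS.ORG"
    for label, line in (("page", PAGE_LINE), ("constructed", ALT_LINE)):
        for op in "ac":
            print(label, op, allowed([line], actor, op, target))
```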