
RE: Kerberos Ldap Integration

daemon@ATHENA.MIT.EDU (Eric Hill)
Tue Jun 10 10:43:56 2008

From: "Eric Hill" <eric@ijack.net>
Cc: <kerberos@mit.edu>
Date: Tue, 10 Jun 2008 09:42:03 -0500
Message-ID: <001401c8cb08$326a66f0$030a030a@pioneer.world>
MIME-Version: 1.0
In-Reply-To: <a99e3f890806100706q13f96a7cv1d63e737d2027c89@mail.gmail.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

A root user on a system can become any user ID on that system.  That's just the way Unix security works.

What you are trying to prevent is a root user on system A accessing user data on system B without knowing the user's credentials.
This is precisely what Kerberos prevents.  System B will not accept inbound sessions without a Kerberos ticket, and it is impossible for a root user on system A to gain a TGT for the user without knowing the user's credentials.

Eric

> -----Original Message-----
> From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of Rodrigo Castro
> Sent: Tuesday, June 10, 2008 9:07 AM
> To: Daniel Savard
> Cc: kerberos@mit.edu
> Subject: Re: Kerberos Ldap Integration
> 
> I guess I haven't made myself clear. In my work environment we have many
> labs. Some of them have root privileges to administrate their own lab. So
> with their root account they can become any LDAP user. This is undesirable.
> Is there any Kerberos/LDAP configuration to disable this?


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
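The property Eric describes (root on host A can take over any local UID, yet cannot obtain or use the user's Kerberos credentials toward host B) can be seen in a small model of the AS and TGS exchanges. The following is an added illustration written for this archive page; it is not MIT Kerberos code and not an implementation of RFC 4120. The realm name, the principals `alice` and `host/hostb.example.com`, the passwords, the HMAC-SHA256 counter-mode "enctype" with an HMAC tag, the PBKDF2 string-to-key stand-in, and the omission of pre-authentication, timestamps and key versions are all assumptions of the example.

```python
"""Toy model of why `su - alice` on host A buys root nothing on host B.

Added example for the thread above, not MIT Kerberos code.  The cipher,
key derivation, principal names and passwords are all constructed here.
"""
import hashlib
import hmac
import json
import os

NONCE, TAG = 16, 32


def user_key(password, realm, principal):
    # Long-term key from the password (stand-in for Kerberos string-to-key;
    # salt and iteration count are assumptions of this example).
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               f"{realm}{principal}".encode(), 10_000)


def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key, obj):
    """Encrypt-then-MAC with HMAC-SHA256: a toy stand-in for a Kerberos enctype."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(NONCE)
    ct = bytes(p ^ s for p, s in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Reject anything not sealed under exactly this key, then decrypt."""
    nonce, ct, tag = blob[:NONCE], blob[NONCE:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key)")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    def __init__(self, realm):
        self.realm, self.db = realm, {}
        self.tgs_key = os.urandom(32)  # krbtgt key: only the KDC can open a TGT

    def add_principal(self, name, password):
        self.db[name] = user_key(password, self.realm, name)

    def as_exchange(self, client):
        # AS-REQ/AS-REP without pre-authentication: anyone may ask for alice's
        # TGT, but the session key comes back sealed under alice's key.
        sk = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "key": sk})
        return tgt, seal(self.db[client], {"key": sk})

    def tgs_exchange(self, tgt, authenticator, service):
        # TGS-REQ: the authenticator must be sealed under the TGT session key,
        # which only a holder of the user's password could have recovered.
        body = unseal(self.tgs_key, tgt)
        if unseal(bytes.fromhex(body["key"]), authenticator)["client"] != body["client"]:
            raise ValueError("authenticator does not match ticket")
        svc_key = os.urandom(32).hex()
        ticket = seal(self.db[service], {"client": body["client"], "key": svc_key})
        return ticket, seal(bytes.fromhex(body["key"]), {"key": svc_key})


class Service:
    """The daemon on system B: accepts a ticket plus a matching authenticator only."""

    def __init__(self, key):
        self.key = key  # what the KDC shares with B (B's keytab)

    def accept(self, ticket, authenticator):
        body = unseal(self.key, ticket)
        if unseal(bytes.fromhex(body["key"]), authenticator)["client"] != body["client"]:
            raise ValueError("authenticator does not match ticket")
        return body["client"]


def login(kdc, client, password, service):
    """The legitimate path: kinit, then a service ticket for B."""
    tgt, enc = kdc.as_exchange(client)
    sk = bytes.fromhex(unseal(user_key(password, kdc.realm, client), enc)["key"])
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk, {"client": client}), service)
    svc_sk = bytes.fromhex(unseal(sk, enc2)["key"])
    return ticket, seal(svc_sk, {"client": client})


def root_on_a_tries(kdc, svc, client, service, guess):
    """What root on host A has after `su - <client>`: the UID, not the key.
    Returns the principal B accepted, or None when every route is refused."""
    tgt, enc = kdc.as_exchange(client)  # the KDC does answer the request...
    try:
        sk = bytes.fromhex(unseal(user_key(guess, kdc.realm, client), enc)["key"])
    except ValueError:
        # ...but without the password the AS-REP is opaque.  Forgery is what
        # is left, and B's key exists only in the KDC database and B's keytab.
        fake = seal(os.urandom(32), {"client": client, "key": os.urandom(32).hex()})
        try:
            return svc.accept(fake, seal(os.urandom(32), {"client": client}))
        except ValueError:
            return None
    # With the real password root is simply the user: exactly Eric's condition.
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk, {"client": client}), service)
    svc_sk = bytes.fromhex(unseal(sk, enc2)["key"])
    return svc.accept(ticket, seal(svc_sk, {"client": client}))
```

Two things the model leaves out that matter in practice: the guarantee holds only while every inbound service on B is configured to accept Kerberos exclusively (no password, host-based or key fallback that root on A could satisfy some other way), and it says nothing about credentials the user has already left on A itself, since root can read any file there, including a credential cache from an earlier login on that host.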
