[873] in Kerberos
Kerberos and administration of users
daemon@ATHENA.MIT.EDU (Hugh C. Lauer)
Wed Jan 24 17:51:43 1990
From: lauer@BTC.KODAK.COM (Hugh C. Lauer)
To: kerberos@ATHENA.MIT.EDU
Cc: lauer@BTC.KODAK.COM
I may have had too high an expectation for Kerberos, or perhaps I am
overlooking something obvious. I had hoped that it would help me solve
an administration problem of a large number of users over a wide area
network, but upon experimentation it seems that it does not.
What I want to do:- I have a half-dozen or so sites spread across the
country, each with a local system administrator (whom I am prepared to
trust). I want each site to be able to register its own users, but I
want all of the users to be able to log in to hosts at the other
sites, either physically when they are travelling or remotely via the
network. When they do, I want them to at least be recognized as
themselves; in a more advanced world, it would be nice to also let them
have their own home directories, etc.
So I started experimenting with Kerberos; for the time being, I avoided
replicated databases and multiple realms. For basics, I tried creating
a number of fictitious users in a single Kerberos database, then set up
and registered some services with the same database. Then I
authenticated myself as one of these fictitious users and tried to do
what a real remote user would have done -- rlogin to one of the
registered servers. The authentication seemed to proceed to
completion, but the server returned an error message of the following form:-
pyramus% rlogin tundra
login: lauer has not given you permission to login without a password.
Password:
The only password that it seemed to accept is MY personal password.
Of course, the fictitious user is not registered in /etc/passwd on the
remote machine, so what user id would he have become if he did
successfully log in? Do all such users become me?
Am I overlooking something very simple and dumb, or am I expecting too
much of Kerberos? Do I have to register all of the users of all of my
sites in a giant /etc/passwd file and propagate it everywhere? Or what?
Thanks,
/Hugh Lauer
Kodak Boston Technology Center
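The failure described in the message above sits on the boundary between two separate decisions: the Kerberos ticket settles *who* the remote user is (authentication), while the target host alone decides *which local account*, if any, that principal may use (authorization). The following is an added model of that second step, written for this page; it is not code from Kerberos, from the original poster, or from any rlogin implementation. Its rules are modeled on the Kerberos V4 kuserok() check as I understand it (an assumption): a principal may use a local account if it is listed in that account's ~/.klogin, or, when no .klogin exists, if the principal name equals the account name and the realm is the host's local realm. The host state (accounts, .klogin contents, the realm ATHENA.MIT.EDU as local realm, the principal alice@ATHENA.MIT.EDU) is constructed sample data.

```python
"""Model of the authentication/authorization split behind a Kerberized rlogin.

Authentication is assumed to have already succeeded: the ticket proved the
principal. What this model decides is only whether the target host maps that
principal onto a requested local account. Kerberos does not create accounts,
so a principal with no entry in the local passwd database has no UID to run
as, whatever its ticket says.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

LOCAL_REALM = "ATHENA.MIT.EDU"   # realm of the target host (constructed)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    uid: Optional[int]           # local UID the session would run as, if allowed
    reason: str


def parse_klogin(text: str) -> Set[str]:
    """Return the principals named in a .klogin-style file, one per line."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def authorize(principal: str, local_user: str, passwd: Dict[str, int],
              klogin_files: Dict[str, str]) -> Decision:
    """Decide whether an already authenticated principal may use local_user.

    Rules (modeled on V4 kuserok(), assumption): the local account must exist;
    if it has a ~/.klogin the principal must be listed there; without a
    .klogin only the identically named principal of the local realm gets in.
    """
    if local_user not in passwd:
        # Nothing in the ticket can supply a UID the host does not have.
        return Decision(False, None, f"no local account {local_user!r} in passwd")
    uid = passwd[local_user]
    klogin = klogin_files.get(local_user)
    if klogin is not None:
        if principal in parse_klogin(klogin):
            return Decision(True, uid, f"{principal} listed in ~{local_user}/.klogin")
        return Decision(False, None,
                        f"{principal} not in ~{local_user}/.klogin; fall back to password")
    name, _, realm = principal.partition("@")
    if name == local_user and realm == LOCAL_REALM:
        return Decision(True, uid, "same name in local realm, no .klogin needed")
    return Decision(False, None,
                    f"{principal} is not {local_user}@{LOCAL_REALM} and no .klogin; "
                    "fall back to password")


# Constructed state of the target host: two local accounts, one .klogin.
PASSWD = {"root": 0, "lauer": 1001}
KLOGIN = {"lauer": "lauer@ATHENA.MIT.EDU\n"}


def scenario() -> Dict[str, Decision]:
    """Four cases: the account owner, a traveller with no grant, a traveller
    whose principal has no local account at all, and a traveller the local
    admin has listed in .klogin (who then runs as the listed account's UID)."""
    granted = {"lauer": "lauer@ATHENA.MIT.EDU\nalice@ATHENA.MIT.EDU\n"}
    return {
        "owner": authorize("lauer@ATHENA.MIT.EDU", "lauer", PASSWD, KLOGIN),
        "traveller_as_lauer": authorize("alice@ATHENA.MIT.EDU", "lauer", PASSWD, KLOGIN),
        "traveller_own_name": authorize("alice@ATHENA.MIT.EDU", "alice", PASSWD, KLOGIN),
        "traveller_granted": authorize("alice@ATHENA.MIT.EDU", "lauer", PASSWD, granted),
    }


if __name__ == "__main__":
    for case, d in scenario().items():
        print(f"{case:20} allowed={d.allowed!s:5} uid={d.uid}  {d.reason}")
```

The two denied cases correspond to the password prompt in the message: an authenticated principal is refused either because the requested account has no .klogin entry for it or because no such account exists on the host. The granted case shows the cost of the only grant the model offers: a principal added to another user's .klogin runs under that user's UID, so a site-wide scheme still needs a local account per person (or an equivalent account database) on every host, which is the administrative question the message raises.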