Hi Rainer,

Are you perhaps looking for kinit?

Thanks,
Andrew

On 31 March 2015 at 13:56, Rainer Krienke <krie...@uni-koblenz.de> wrote:

> Hello,
>
> I would like to achieve the following. A particular user say "john" logs
> in at a linux system or authenticates in apache against kerberos.
> Now I would like to allow this user "john" to run kadmin commands
> without entering any additional other password.
>
> I first thought that kadmin is like a service and exported the principal
> admin/admin to a keytab file which I copied to a remote system. On this
> system I was then able to call
>
> $ kadmin -k -t /etc/krb5.keytab -p admin/admin
> Authenticating as principal admin/admin with keytab /etc/krb5.keytab.
> kadmin: getprincs
> ...
>
> However this does not work the way I expected. Now I can even destroy
> the user ticket of john with kdestroy -c /tmp/krb5cc_1234 that john got
> when logging into the system and kadmin still works.
>
> What I wanted is that kadmin only works when a particular user has
> logged in and has authenticated against kerberos. Now any user that
> could log in into the system would be able to run kadmin if he has access
> to the keytab file.
>
> So after all what I want is kerberos based single sign on for kadmin usage.
>
> Any idea how to configure this?
>
> Thanks
> Rainer
> --
> Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
> 56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287
> 1312
> PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html,Fax: +49261287
> 1001312
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos