Hello Andrew, well, it might be that kinit is part of the solution to my problem.
The background is simply that I have a database as part of an identity management system holding all data of all users and hosts etc. So this database holds all vital data needed to create and manage Windows/Linux users and also to create and manage a Linux host (like setting IP, MAC, hostname, yes/no for NFS access, ...). Now I want to use Kerberos mainly for NFS4, and thus I have to enter all users and hosts that exist in this IDM database into Kerberos, e.g. add nfs/host principals, and when a new user is created in the identity management system Kerberos needs a new user principal entry. This is not a one-time process but happens all the time, e.g. when a new user account is needed and created in the IDM system. Therefore this should be possible in a secure way without further interactive user intervention.

So I thought I would use kadmin to feed the Kerberos DB and would like to ensure that only authenticated admin users (that have authenticated against Kerberos and thus have a valid TGT ticket) are permitted to run kadmin, but then without the need to enter another admin password, which is usually requested when calling kadmin remotely.

Hope things are a bit clearer now.
Thanks
Rainer

On 31.03.2015 at 14:00, Andrew Holway wrote:
> Hi Rainer,
>
> Are you perhaps looking for kinit?
>
> Thanks,
>
> Andrew
>
> On 31 March 2015 at 13:56, Rainer Krienke <krie...@uni-koblenz.de> wrote:
>
> Hello,
>
> I would like to achieve the following. A particular user say "john" logs
> in at a linux system or authenticates in apache against kerberos.
> Now I would like to allow this user "john" to run kadmin commands
> without entering any additional other password.
>
> I first thought that kadmin is like a service and exported the principal
> admin/admin to a keytab file which I copied to a remote system. On this
> system I was then able to call
>
> $ kadmin -k -t /etc/krb5.keytab -p admin/admin
> Authenticating as principal admin/admin with keytab /etc/krb5.keytab.
> kadmin: getprincs
> ...

--
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
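A worked example added by the editor, not part of this thread: an IDM provisioning hook that runs kadmin non-interactively with a keytab (the `-k -t -p` form quoted above) for a dedicated, ACL-restricted provisioning principal instead of admin/admin, and validates the hostname it takes from the IDM database before splicing it into the kadmin command. The principal name `idm/provision`, the keytab path, the realm `EXAMPLE.COM` and the kadm5.acl lines are assumptions.

```shell
#!/bin/sh
# Editor's example, not code from the thread. Assumed names: a dedicated
# provisioning principal idm/provision, its keytab, and realm EXAMPLE.COM.
KADMIN="${KADMIN:-kadmin}"
REALM="${REALM:-EXAMPLE.COM}"
KEYTAB="${KEYTAB:-/etc/krb5/idm-provision.keytab}"   # keep mode 0600, owned by the hook user
ADMIN_PRINC="${ADMIN_PRINC:-idm/provision@$REALM}"

# Assumed kadm5.acl lines on the KDC: whoever holds the keytab can then only
# add (a) and inquire (i) nfs/* and host/* principals, nothing else:
#   idm/provision@EXAMPLE.COM  ai  nfs/*@EXAMPLE.COM
#   idm/provision@EXAMPLE.COM  ai  host/*@EXAMPLE.COM

# Accept only a plain DNS hostname. The value comes from the IDM database and
# is spliced into a kadmin -q command line, so reject anything else.
valid_hostname() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*|-*|*..*) return 1 ;;
  esac
  return 0
}

# Create nfs/<host>@REALM with a random key, without any password prompt:
# -k -t authenticates with the keytab, -q runs one command and exits.
# (Exporting that key to the host's own keytab with ktadd is a separate step.)
provision_nfs_principal() {
  host="$1"
  valid_hostname "$host" || { echo "invalid hostname: $host" >&2; return 2; }
  "$KADMIN" -k -t "$KEYTAB" -p "$ADMIN_PRINC" \
    -q "addprinc -randkey nfs/$host@$REALM"
}
```

Because the keytab, not the caller's TGT, is what kadmin authenticates with, file permissions on the keytab and the kadm5.acl entry are what limit who can provision and what they can provision.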