On 31.03.2015 at 16:15, Greg Hudson wrote:
> On 03/31/2015 07:56 AM, Rainer Krienke wrote:
>> I would like to achieve the following. A particular user, say "john", logs
>> in at a linux system or authenticates in apache against kerberos.
>> Now I would like to allow this user "john" to run kadmin commands
>> without entering any additional other password.
>
> You are running into two semi-configured, semi-conventional behaviors:
>
> 1. By default, kadmin assumes you want to authenticate as username/admin.
>
> 2. By default, the KDC doesn't accept TGS requests for the kadmin
> service; you have to get an initial ticket directly for the service.
> Because of this, the kadmin client doesn't even try to make a TGS
> request; it either makes an AS request or uses existing tickets.
>
> My recommendation is that you don't fight these defaults, but use kinit
> -S and kadmin -c to avoid having to enter a password for every operation:
>
> kinit -S kadmin/admin -c /path/to/admin/ccache john/admin
> kadmin -c /path/to/admin/ccache
Hello Greg,

thank you very much for your explanation. However, I first wondered why the credential cache above was named "admin". I guess it's not a typo, but I still do not understand why the credentials of admin/admin are needed and no other user like john/admin is allowed here?

I added a principal john/ad...@myrealm.de to kerberos. Then on the client I run kinit:

$ kinit -S kadmin/admin john/admin
<john's password>

Then I run kadmin on the client system and do not have to enter any password. Say john has uid 1234:

$ kadmin -c /tmp/krb5cc_1234
kadmin: getprivs
current privileges: GET ADD MODIFY DELETE
kadmin: getprinc nfs/linux.uni-koblenz.de
get_principal: Operation requires ``get'' privilege while retrieving "nfs/linux.uni-koblenz.de

The ACL file /var/lib/kerberos/krb5kdc/kadm5.acl on the server looks like this:

# admin/admin *
kadmin/admin *
kadmin/ad...@myrealm.de *
john/admin *
john/ad...@myrealm.de *

So getprivs says everything is ok, the ACL is set, authentication for john/admin works, but I actually cannot get any principal or list principals. The logfile from kerberos tells me:

"Unauthorized request: kadm5_get_principal nfs/linux.uni-koblenz...@myrealm.de, client=john/ad...@myrealm.de, service=kadmin/adm...@myrealm.de"

However, if I run kinit -S kadmin/admin admin/admin (so actually using principal admin/admin instead of john/admin) things work just fine in e.g. kadmin: getprincs.

Is the principal admin/admin in some way hardcoded in kadmin? Seems I still do not understand the way kerberos works. Can anyone help?

Thanks
Rainer
--
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
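The thread turns on how the KDC reads kadm5.acl: which entry applies to the authenticated client principal, and what privileges that entry grants. The checker below is an added example for readers of this thread; it is not MIT krb5's own code and not anything posted in the thread. It applies a simplified model of the file format that is labelled as an assumption here: blank lines and lines starting with "#" are ignored (so a commented-out entry grants nothing), each entry is "principal permissions [target_principal]", principal components may use shell-style "*" and "?" wildcards, a principal written without "@REALM" is completed with a configured default realm, the first matching entry decides, an entry with a target field only applies when a target principal is supplied and matches, and a fourth "restrictions" field is ignored. The realm EXAMPLE.REALM, the principal names and the sample ACL text are constructed for the example. The lint helper at the end flags "#" lines that still look like ACL entries, which is a useful check before concluding that an entry is in force.

```python
"""Simplified kadm5.acl checker (added example; not MIT krb5's own code)."""
import fnmatch
from typing import List, NamedTuple, Optional, Set, Tuple

# Privilege letters as documented for MIT kadm5.acl; '*' and 'x' expand to all of them.
# Key extraction ('e') is deliberately not included in 'x'.
PRIV_LETTERS = "admcilsp"

# Constructed sample; realm and principal names are placeholders, not from the thread.
DEFAULT_REALM = "EXAMPLE.REALM"
SAMPLE_ACL = """\
# kadm5.acl (constructed sample)
# The next entry is commented out, so it grants nothing:
# ops/root@EXAMPLE.REALM *
# Realm omitted: the default realm is assumed.
john/admin il
*/admin@EXAMPLE.REALM *
# Third field restricts the entry to matching target principals.
host/*@EXAMPLE.REALM c host/*@EXAMPLE.REALM
"""


class AclEntry(NamedTuple):
    actor: str             # principal pattern; components may use * and ? wildcards
    perms: str             # privilege letters, or * / x for all
    target: Optional[str]  # optional target principal pattern


def parse_kadm5_acl(text: str) -> List[AclEntry]:
    """Parse ACL text; blank and '#' lines are skipped, entry order is preserved."""
    entries: List[AclEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed kadm5.acl line: {raw!r}")
        target = fields[2] if len(fields) > 2 else None  # a 4th field (restrictions) is ignored here
        entries.append(AclEntry(fields[0], fields[1], target))
    return entries


def split_principal(name: str, default_realm: str) -> Tuple[List[str], str]:
    """Return (components, realm); a name without '@' gets the default realm (assumption)."""
    local, sep, realm = name.rpartition("@")
    if not sep:
        local, realm = name, default_realm
    return local.split("/"), realm


def principal_matches(pattern: str, principal: str, default_realm: str) -> bool:
    """Component-wise wildcard match; realm and component count must agree exactly."""
    pat_comps, pat_realm = split_principal(pattern, default_realm)
    comps, realm = split_principal(principal, default_realm)
    if pat_realm != realm or len(pat_comps) != len(comps):
        return False
    return all(fnmatch.fnmatchcase(c, p) for c, p in zip(comps, pat_comps))


def expand_perms(perms: str) -> Set[str]:
    """Lowercase letters grant, uppercase letters revoke, '*'/'x' grant everything in PRIV_LETTERS."""
    granted: Set[str] = set()
    for ch in perms:
        if ch in "*x":
            granted |= set(PRIV_LETTERS)
        elif ch.islower() and ch in PRIV_LETTERS + "e":
            granted.add(ch)
        elif ch.isupper() and ch.lower() in PRIV_LETTERS + "e":
            granted.discard(ch.lower())
        else:
            raise ValueError(f"unknown privilege letter {ch!r}")
    return granted


def privileges_for(entries: List[AclEntry], actor: str, default_realm: str,
                   target: Optional[str] = None) -> Set[str]:
    """First matching entry wins; no matching entry means no privileges at all."""
    for entry in entries:
        if not principal_matches(entry.actor, actor, default_realm):
            continue
        if entry.target is not None:
            if target is None or not principal_matches(entry.target, target, default_realm):
                continue
        return expand_perms(entry.perms)
    return set()


def commented_out_entries(text: str) -> List[str]:
    """Lint: report '#' lines that still look like 'principal perms' entries."""
    allowed = set(PRIV_LETTERS + "e*x" + PRIV_LETTERS.upper() + "E")
    found: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("#"):
            continue
        fields = line.lstrip("#").split()
        if len(fields) >= 2 and ("/" in fields[0] or "@" in fields[0]) and set(fields[1]) <= allowed:
            found.append(" ".join(fields))
    return found


if __name__ == "__main__":
    acl = parse_kadm5_acl(SAMPLE_ACL)
    for who in ("john/admin@EXAMPLE.REALM", "alice/admin@EXAMPLE.REALM", "ops/root@EXAMPLE.REALM"):
        print(who, "->", "".join(sorted(privileges_for(acl, who, DEFAULT_REALM))) or "(none)")
    print("commented-out entries:", commented_out_entries(SAMPLE_ACL))
```

Running the script against a copy of a real kadm5.acl (with the realm set to the KDC's default realm) shows, for each client principal, which entry would apply and what it grants, which is a quicker way to reason about an "Unauthorized request" log line than editing the file and restarting kadmind.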
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos