http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kadm5_acl.html
On Wed, Apr 1, 2015 at 8:27 PM, Todd Grayson <tgray...@cloudera.com> wrote:

> Rainer,
>
> Consider that you do not want to obfuscate keeping track of users modifying
> the KDC database through generic service accounts like admin/admin. As the
> later discussion in this thread positions; using the kadm5.acl file to name
> users (they don't have to be named with a */admin convention, if you need
> specific users to have access with their normal account... but you might
> want to consider doing it anyway, so they have to actually enable their
> admin access before attempting to modify the KDC).
>
> The kadm5.acl file also supports defining users' limits to who and what can
> be modified...
>
>
> On Tue, Mar 31, 2015 at 5:56 AM, Rainer Krienke <krie...@uni-koblenz.de>
> wrote:
>
>> Hello,
>>
>> I would like to achieve the following. A particular user, say "john", logs
>> in at a Linux system or authenticates in Apache against Kerberos.
>> Now I would like to allow this user "john" to run kadmin commands
>> without entering any additional other password.
>>
>> I first thought that kadmin is like a service and exported the principal
>> admin/admin to a keytab file which I copied to a remote system. On this
>> system I was then able to call
>>
>> $ kadmin -k -t /etc/krb5.keytab -p admin/admin
>> Authenticating as principal admin/admin with keytab /etc/krb5.keytab.
>> kadmin: getprincs
>> ...
>>
>> However this does not work the way I expected. Now I can even destroy
>> the user ticket of john with kdestroy -c /tmp/krb5cc_1234 that john got
>> when logging into the system and kadmin still works.
>>
>> What I wanted is that kadmin only works when a particular user has
>> logged in and has authenticated against Kerberos. Now any user that
>> could log into the system would be able to run kadmin if he has access
>> to the keytab file.
>>
>> So after all what I want is Kerberos based single sign-on for kadmin
>> usage.
>>
>> Any idea how to configure this?
>>
>> Thanks
>> Rainer
>> --
>> Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
>> 56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287
>> 1312
>> PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287
>> 1001312
>>
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
>
> --
> Todd Grayson
> Customer Operations Engineering
>

--
Todd Grayson
Customer Operations Engineering
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
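To make the kadm5.acl point concrete (named users instead of a shared admin/admin, plus a target pattern that limits what a user may touch), here is an added Python model of how the documented ACL semantics apply to a request. It is example code written for this page, not from the thread and not MIT krb5 code: the realm EXAMPLE.ORG, the principal john, the ACL contents and the evaluation rules (first matching entry wins; an entry with a target pattern is only considered for requests that name a matching target; a target of "*" matches anything) are assumptions modeled on the kadm5.acl documentation linked above, so check the real behaviour against your kadmind before relying on it.

```python
"""Model of kadm5.acl evaluation (hypothetical reimplementation of the
documented semantics, written for this page; not MIT krb5 code)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed example ACL (not from the thread).  Named users get their own
# entries; an optional target pattern limits which principals they may touch.
SAMPLE_ACL = """\
# principal            perms  target              restrictions
*/admin@EXAMPLE.ORG    *
john@EXAMPLE.ORG       cmi    */web@EXAMPLE.ORG
john@EXAMPLE.ORG       il
*/root@EXAMPLE.ORG     ci     *1@EXAMPLE.ORG
"""

# Per the docs, 'x' and '*' mean "admcil"; key extraction ('e') and iprop
# ('p') are not included and must be granted explicitly.
FULL = set("admcil")


def expand_perms(spec: str) -> Set[str]:
    """Lowercase letters grant, uppercase letters revoke, left to right."""
    granted: Set[str] = set()
    for ch in spec:
        if ch in "x*":
            granted |= FULL
        elif ch.islower():
            granted.add(ch)
        else:
            granted.discard(ch.lower())
    return granted


@dataclass
class AclEntry:
    principal: str
    perms: Set[str]
    target: Optional[str] = None
    restrictions: List[str] = field(default_factory=list)


def parse_acl(text: str) -> List[AclEntry]:
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        entries.append(AclEntry(f[0], expand_perms(f[1]),
                                f[2] if len(f) > 2 else None, f[3:]))
    return entries


def split_principal(name: str) -> Tuple[List[str], str]:
    """'svc/host@REALM' -> (['svc', 'host'], 'REALM'); escaping ignored."""
    local, _, realm = name.rpartition("@")
    if not local:                      # no '@' present
        local, realm = realm, ""
    return local.split("/"), realm


def glob_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters inside one component or realm."""
    rx = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(rx, value) is not None


def principal_match(pattern: str, actual: str) -> bool:
    pcomps, prealm = split_principal(pattern)
    acomps, arealm = split_principal(actual)
    return (len(pcomps) == len(acomps)
            and all(glob_match(p, a) for p, a in zip(pcomps, acomps))
            and glob_match(prealm, arealm))


def target_match(pattern: str, requester: str, target: str) -> bool:
    """Expand back-references (*1, *2, ...) to the requester's components."""
    if pattern == "*":                 # modeled: bare '*' means any target
        return True
    rcomps, _ = split_principal(requester)
    pcomps, prealm = split_principal(pattern)
    expanded = []
    for comp in pcomps:
        m = re.fullmatch(r"\*(\d+)", comp)
        if m:
            idx = int(m.group(1)) - 1
            if idx >= len(rcomps):
                return False
            comp = rcomps[idx]
        expanded.append(comp)
    return principal_match("/".join(expanded) + "@" + prealm, target)


def check(entries: List[AclEntry], requester: str, op: str,
          target: Optional[str] = None) -> bool:
    """First entry matching the requester (and the target, when the entry
    names one) decides; no matching entry means denied."""
    for e in entries:
        if not principal_match(e.principal, requester):
            continue
        if e.target is not None:
            # Modeled: a targeted entry applies only to requests that name a
            # matching target; a target-less request (e.g. list) skips it.
            if target is None or not target_match(e.target, requester, target):
                continue
        return op in e.perms
    return False


ACL = parse_acl(SAMPLE_ACL)

if __name__ == "__main__":
    for req, op, tgt in [("admin/admin@EXAMPLE.ORG", "d", "www/web@EXAMPLE.ORG"),
                         ("john@EXAMPLE.ORG", "c", "www/web@EXAMPLE.ORG"),
                         ("john@EXAMPLE.ORG", "c", "alice@EXAMPLE.ORG"),
                         ("alice/root@EXAMPLE.ORG", "c", "alice@EXAMPLE.ORG")]:
        print(req, op, tgt, "->", "allow" if check(ACL, req, op, tgt) else "deny")
```

With this ACL john can inquire and list anything, but may only change passwords or modify */web principals; admin/admin keeps full "admcil" rights yet still cannot extract keys, and a */root principal may only change the password of its own first component. Because entries are matched in order, the targeted john line has to come before the general one, otherwise the general line would answer every request first.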