Rainer,

Consider that you do not want to obfuscate keeping track of users modifying the KDC database through generic service accounts like admin/admin. As the later discussion in this thread positions, use the kadm5.acl file to name users (they don't have to be named with a */admin convention if you need specific users to have access with their normal account, but you might want to consider doing it anyway, so they have to actually enable their admin access before attempting to modify the KDC).
The kadm5.acl file also supports defining per-user limits on who and what can be modified...

On Tue, Mar 31, 2015 at 5:56 AM, Rainer Krienke <krie...@uni-koblenz.de> wrote:
> Hello,
>
> I would like to achieve the following. A particular user, say "john", logs
> in at a linux system or authenticates in apache against kerberos.
> Now I would like to allow this user "john" to run kadmin commands
> without entering any additional password.
>
> I first thought that kadmin is like a service and exported the principal
> admin/admin to a keytab file which I copied to a remote system. On this
> system I was then able to call
>
> $ kadmin -k -t /etc/krb5.keytab -p admin/admin
> Authenticating as principal admin/admin with keytab /etc/krb5.keytab.
> kadmin: getprincs
> ...
>
> However this does not work the way I expected. Now I can even destroy
> the user ticket of john with kdestroy -c /tmp/krb5cc_1234 that john got
> when logging into the system and kadmin still works.
>
> What I wanted is that kadmin only works when a particular user has
> logged in and has authenticated against kerberos. Now any user that
> could log in to the system would be able to run kadmin if he has access
> to the keytab file.
>
> So after all what I want is kerberos based single sign on for kadmin usage.
>
> Any idea how to configure this?
>
> Thanks
> Rainer
> --
> Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
> 56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
> PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Todd Grayson
Customer Operations Engineering
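An added illustration of the kadm5.acl approach described in the reply above (not a file from the thread or from MIT Kerberos itself): named per-user admin principals instead of a shared admin/admin, with a helpdesk role whose rights are restricted to ordinary user principals via a target-principal pattern. The realm EXAMPLE.COM, the principal names and the file path are assumptions.

```text
# kadm5.acl for the MIT KDC (path varies by distribution, e.g. /var/kerberos/krb5kdc/kadm5.acl)
# Entry format:  principal   permissions   [target_principal   [restrictions]]
# Permission letters: a=add  d=delete  m=modify  c=changepw  i=inquire  l=list  *=all
# An upper-case letter denies that permission. Order matters: the first matching line wins.

# Each administrator gets a separate admin instance, so KDC changes are attributable
# to a person in the kadmind log, and the person must first kinit john/admin to use it.
john/admin@EXAMPLE.COM        *
alice/admin@EXAMPLE.COM       *

# Helpdesk role: deny everything on admin and host/service principals first ...
helpdesk/admin@EXAMPLE.COM    ADMCIL    */admin@EXAMPLE.COM
helpdesk/admin@EXAMPLE.COM    ADMCIL    host/*@EXAMPLE.COM
# ... then allow only password changes and lookups on plain user principals,
# and cap the ticket lifetime on anything they touch.
helpdesk/admin@EXAMPLE.COM    ci        *@EXAMPLE.COM    -maxlife 10h
```

Changing the ACL without restarting kadmind is not enough on older releases; restart it and confirm with `kadmin -p helpdesk/admin -q "getprinc john"` that the restricted principal can read a user but not an admin entry.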