Re: kadmin remote as a regular user

2015-04-02 Thread Rainer Krienke
On 01.04.2015 at 18:04, Benjamin Kaduk wrote: > On Wed, 1 Apr 2015, Rainer Krienke wrote: > >> The ACL file /var/lib/kerberos/krb5kdc/kadm5.acl on the server looks >> like this: >> # >> admin/admin * >> kadmin/admin* >> kadmin/ad...@myrealm.de * >> john/admin * >> john/ad...@myrealm

Re: kadmin remote as a regular user

2015-04-01 Thread Todd Grayson
Rainer, Consider that you do not want to obfuscate keeping track of users modifying the KDC database through generic service accounts like admin/admin. As the later discussion in this thread positions; using the kadm5.acl file to name users (they don't have to be named with a */admin convention, if y

Re: kadmin remote as a regular user

2015-04-01 Thread Todd Grayson
http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kadm5_acl.html On Wed, Apr 1, 2015 at 8:27 PM, Todd Grayson wrote: > Rainer, > > Consider that you do not want to obfuscate keeping track of users modifying > the KDC database through generic service accounts like admin/admin. As the > lat

Re: kadmin remote as a regular user

2015-04-01 Thread Benjamin Kaduk
On Wed, 1 Apr 2015, Rainer Krienke wrote: > The ACL file /var/lib/kerberos/krb5kdc/kadm5.acl on the server looks > like this: > # > admin/admin * > kadmin/admin* > kadmin/ad...@myrealm.de * > john/admin* > john/ad...@myrealm.de* Did you restart kadmind after changing the kadm5

Re: kadmin remote as a regular user

2015-04-01 Thread Rainer Krienke
On 31.03.2015 at 16:15, Greg Hudson wrote: > On 03/31/2015 07:56 AM, Rainer Krienke wrote: >> I would like to achieve the following. A particular user say "john" logs >> in at a linux system or authenticates in apache against kerberos. >> Now I would like to allow this user "john" to run kadmin co

Re: kadmin remote as a regular user

2015-03-31 Thread Greg Hudson
On 03/31/2015 07:56 AM, Rainer Krienke wrote: > I would like to achieve the following. A particular user say "john" logs > in at a linux system or authenticates in apache against kerberos. > Now I would like to allow this user "john" to run kadmin commands > without entering any additional other pa

Re: kadmin remote as a regular user

2015-03-31 Thread Rainer Krienke
Hello Andrew, well might be that kinit might be part of the solution of my problem. The background is simply that I have a database as part of an identity management system holding all data of all users and hosts etc. So this database holds all vital data needed to create and manage windows/linux us

Re: kadmin remote as a regular user

2015-03-31 Thread Andrew Holway
Hi Rainer, Are you perhaps looking for kinit? Thanks, Andrew On 31 March 2015 at 13:56, Rainer Krienke wrote: > Hello, > > I would like to achieve the following. A particular user say "john" logs > in at a linux system or authenticates in apache against kerberos. > Now I would like to allow t