kadm5.acl rights for foreign principals

Marcio d'Avila Scheibler marcio at cpd.ufsm.br
Tue Mar 12 14:56:32 EST 2002


> Are you sure it says that?  As the author of the Kerberos FAQ, I can't
> find that (it does mention about ACLs, but doesn't specifically mention
> kadm5.acl).

Sorry... Since I got some success with foreign principals
in other services (.k5login files) and I've read "ACL" I went
on a wrong inference.

> 
> >Since we have a multi-realm KDC and in real life the same
> >people will manage those realms, I'd like to give permissions
> >to the same principal and if possible I wouldn't like to
> >create user/admin@REALM1, user/admin@REALM2. I just want to
> >insert an entry for user/admin@REALM1 in kadm5.acl file
> >for each domain.
> 
> Unfortunately ... because kadmin/admin is set to only allow AS_REQ based
> requests (which you don't want to change, trust me) and there's no way
> to do cross-realm without a TGS-based request, then you're stuck.  You can't
> do what you want.

Well, that's really a pity...

We're starting with Kerberos and other services in order to
get some benefits (or at least try) from single sign-on concepts,
like a smaller number of passwords a user (admin or not) needs to
remember and keep in sync.

Thanks anyway...

------------------------------------------------------------------------------
Marcio d'Avila Scheibler - Divisao de Suporte (marcio at cpd.ufsm.br)
Centro de Processamento de Dados - Campus Universitario - CEP 97105-900
Universidade Federal de Santa Maria - RS - Brasil
=============================================================================





