User instances

Fredrik Tolf fredrik at
Wed Oct 27 13:54:45 EDT 2004

On Fri, 2004-10-22 at 00:01 +0000, Rachel Elizabeth Dillon wrote:
> There are a couple of things that I havs seen as common across multiple
> realms; username/admin principals tend to be principals with full 
> administrative rights in kadmin, and username/root principals tend to
> be principals with additional privileges you want the user to have to
> remember to turn on specifically. I personally find that any other
> instances tend to be mostly confusing, as the average user does not
> want to have to deal with instances, but I am sure different people
> have different opinions of "not ugly." If you do want to do this, 
> you probably want to look at the man page for kadmind, specifically the
> ACL FILE SYNTAX section, in order to determine how to give your users
> the permissions you want them to have. It looks like a line like this:
> username/*@REALM.COM x username/*@REALM.COM

Is there no way to just add one single general rule to cover all users,
analogous to filename matching in Makefiles? That is, something like

%/admin at REALM.COM x %/*@REALM.COM

Where, as in make, `%' would have to match the same thing in both

It's not that it would be a problem to add every user manually, but I
guess it would be better if I didn't have yet another step to take when
I want to add a user.

> will give users full permissions on any principals with their username,
> but I recommend not just using this line for a couple of reasons:
> [snip]
>  * If you want to manage things like password expiry, users can circumvent
>    you at the KDC level.

Is there no way to force a certain policy onto principals?

> I personally think this is a bad idea, but not knowing anything about
> your situation, that judgment seems arbitrary. "What are you really
> trying to do?" :)

It's mainly that I want users to be able to create principals for
automatic usage, like username/cron or username/gdm-autologin or the
like (you know, create a principal with -randkey and storing it in a
keytab for program that need to setuid without password). I'm going to
be switching to NFSv4 in a while, and it would be a pity if people
couldn't have cron jobs anymore just because they wouldn't have access
to their own home directories...

It's really just a home network, not a production site or anything, but
we use Kerberos extensively for SSO and I really just want to solve all
the problems I come across canonically, or I'd think bad of myself. :-)
For example, my sisters like to have gdm log them in automatically (so
that they don't have to type their passwords), and thus I need some
extra principals to do that job. Likewise with cron.

Thanks for replying!

Fredrik Tolf

More information about the Kerberos mailing list