KADMIN AND DELEGATED ADMINISTRATION

hairydamon@hotmail.com hairydamon at hotmail.com
Wed Jun 29 08:37:33 EDT 2005


Hi

I'm new to Kerberos so forgive the question...this is about the use of
kadmin access controls and delegated administration.

The scenario is a helpdesk who can carry out limited administration
within a Kerberos realm. For example: they can reset the Kerberos
passwords for regular users rather than, say, system administrators and
support staff. Possibly they might be allowed to create new principals
for regular users - as part of a delegated administration system.

Is there a way of doing this without setting up multiple realms for
each group of principals (users) that you wish to control
administrative access for (from the point of view of deleting and
creating principals and resetting their passwords)? At the moment it
seems to be an all or nothing approach.

From what I can find the Kerberos realm is just a large flat data space
- through kadmin (and its conf file) all you can do is say a
particular principal can carry out <action> on the entire realm, and
that's it. However, I've also read that multiple realms is horrible - a
nightmare of inter-realm trusts that should be avoided if possible. It
also just doesn't feel right.

Any advice gratefully received
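Editor's note, added after the post and not part of the original message: the scoping the poster is asking about is done with the optional target-principal field of MIT's kadm5.acl, not with extra realms. The file below is a constructed example; the realm name EXAMPLE.COM, the /admin and /helpdesk instance convention, and the policy name "users" are assumptions, and it is written as a single line per delegate so it does not depend on how your kadmind version orders matching entries.

```conf
# kadm5.acl - delegated helpdesk rights inside one realm (constructed example)
# Entry format:  principal  permissions  [target_principal  [restrictions]]
#
# Assumed naming convention: regular users are single-component principals
# (alice@EXAMPLE.COM); administrators and support staff carry an /admin
# instance (bob/admin@EXAMPLE.COM). Patterns are matched component by
# component, so the target *@EXAMPLE.COM matches alice@EXAMPLE.COM but not
# bob/admin@EXAMPLE.COM. Anything no entry grants is denied.

# Full administrators: all privileges on every principal in the realm.
*/admin@EXAMPLE.COM      *

# Helpdesk staff: add (a), change password (c) and inquire (i), but only on
# single-component principals. The restrictions field forces the assumed
# "users" password policy and pre-authentication on any principal they add
# or modify, so a helpdesk account cannot create an unconstrained principal.
*/helpdesk@EXAMPLE.COM   aci   *@EXAMPLE.COM   -policy users +requires_preauth
```

After editing the file, restart kadmind so it re-reads the ACL; then, authenticated as a helpdesk principal in kadmin, `cpw alice` should succeed while `cpw bob/admin` is refused for lack of privilege, which is the check that confirms the scoping works.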
