KADMIN AND DELEGATED ADMINISTRATION

Michael Marziani mdmarziani at yahoo.com
Wed Jun 29 18:40:39 EDT 2005


Read the man page for kadm5.acl.  This file controls access and delegation for
the Kerberos database.  I'm pretty sure it can do most if not all of what you
want.

-Michael


--- hairydamon at hotmail.com wrote:

> Hi
> 
> I'm new to Kerberos so forgive the question...this is about the use of
> kadmin access controls and delegated administration.
> 
> The scenario is a helpdesk who can carry out limited administration
> within a Kerberos realm. For example: they can reset the Kerberos
> passwords for regular users rather than, say, system administrators and
> support staff. Possibly they might be allowed to create new principals
> for regular users - as part of a delegated administration system.
> 
> Is there a way of doing this without setting up multiple realms for
> each group of principals (users) that you wish to control
> administrative access for (from the point of view of deleting and
> creating principals and resetting their passwords)? At the moment it
> seems to be an all or nothing approach.
> 
> From what I can find the Kerberos realm is just a large flat data space
> - through kadmin (and its conf file) all you can do is say a
> particular principal can carry out <action> on the entire realm, and
> that's it. However, I've also read that multiple realms is horrible - a
> nightmare of inter-realm trusts that should be avoided if possible. It
> also just doesn't feel right.
> 
> Any advice gratefully received
> 
> 
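
An added example, not part of either message: a kadm5.acl for the helpdesk scenario in the question, written against the format in the MIT kadm5.acl man page. The realm EXAMPLE.COM, the "/helpdesk" and "/admin" instance names and the "users" policy are assumptions made for illustration.

```conf
# kadm5.acl: constructed example. The realm, the instance names and
# the "users" policy are placeholders, not values from the thread.
#
# Format: actor-principal  permissions  [target-principal [restrictions]]
# Lowercase letters grant an operation, uppercase letters deny it.
# kadmind uses the first line that matches both actor and target,
# so the order of the lines matters.

# Full administrators: every operation on every principal.
*/admin@EXAMPLE.COM      *

# Explicit deny, placed before the grant below: helpdesk staff may not
# add, delete, modify or change the password of any admin instance.
*/helpdesk@EXAMPLE.COM   ADMC   */admin@EXAMPLE.COM

# Helpdesk staff (e.g. alice/helpdesk) may add (a), change the password
# of (c) and inquire about (i) regular users. A "*" stands for one
# whole name component, so "*@EXAMPLE.COM" covers single-component
# names such as "bob" but not "bob/admin". The restrictions force the
# "users" policy and cap the ticket lifetime on principals they add.
*/helpdesk@EXAMPLE.COM   aci    *@EXAMPLE.COM   -policy users -maxlife 10h

# No delete (d) or modify (m) is granted to helpdesk, and an actor that
# matches no line gets no administrative access at all.
```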
