Kerberos Ldap Integration

Paul Moore paul.moore at centrify.com
Tue Jun 10 11:19:19 EDT 2008


Root can steal people's creds too; joe user's TGT is in a cache file that root can use. So root can be joe on the network.

Sent from my GoodLink synchronized handheld (www.good.com)


 -----Original Message-----
From: 	Derek Harkness [mailto:dharknes at umd.umich.edu]
Sent:	Tuesday, June 10, 2008 07:57 AM Pacific Standard Time
To:	Rodrigo Castro
Cc:	Daniel Savard; kerberos at mit.edu
Subject:	Re: Kerberos Ldap Integration

The general answer is no. The more specific answer is mostly no.
Anyone with root can su to any other account on the system; this
includes LDAP-provided accounts. But even root can't obtain another
user's Kerberos creds without their password, key, or root access to
the KDC. So as long as your services require Kerberos, it doesn't
matter if root can su to another user (well, it does, but it's less
damaging). I would recommend not using NFS for network shares, or
NFSv4 with krb if you do. I would also require users to re-enter their
password to change anything in the LDAP directory.

Since you can't prevent this, it's really better to just design around it.

Derek Harkness
University of Michigan-Dearborn
Data Security Analyst


On Jun 10, 2008, at 7:06, Rodrigo Castro <rdccosmo at gmail.com> wrote:

> I guess I haven't made myself clear. In my work environment we have
> many labs. Some of them have root privileges to administrate their own
> lab. So with their root account they can become any ldapuser. This is
> undesirable.
> Is there any kerberos/ldap configuration to disable this?
>
> On Tue, Jun 10, 2008 at 10:28 AM, Daniel Savard <daniel.savard at gmail.com> wrote:
>
>> You cannot prevent root from su-ing to any other local user. This is why
>> root is called a superuser. This has nothing to do with Kerberos or LDAP;
>> this is an OS issue. If the idea is to prevent access by the sysadmin to
>> the ldapuser, you should simply be the sysadmin yourself. If you don't
>> trust your sysadmin, I fear you have no other choice than being it.
>>
>> 2008/6/10 Rodrigo Castro <rdccosmo at gmail.com>:
>>
>>> Hi, I don't know if this is the right place to ask, but I've been
>>> striving to prevent local root su ldapuser, although I have failed so
>>> far. I've already configured Kerberos to work with LDAP following this page
>>> http://www.bayour.com/LDAPv3-HOWTO.html
>>> Any help is appreciated.
>>>
>>> On Thu, May 29, 2008 at 10:37 AM, gaurav bagga <gaurav.v.bagga at gmail.com> wrote:
>>>
>>>> Hi Turbo,
>>>>
>>>> Thanks for the link...
>>>> I am able to link LDAP and Kerberos; I can add principals from kadmin
>>>> and they get added in LDAP.
>>>>
>>>> But one problem still remains.
>>>> I want to mix Kerberos principal attributes into a directory entry of
>>>> the people objectclass which has userPassword. I want this password to
>>>> be used by the KDC.
>>>>
>>>> Is such a thing possible? I went through the schema and found that
>>>> 'krbUPEnabled' helps in achieving this, but how can one set this
>>>> attribute?
>>>>
>>>> I am fairly new to this Kerberos and LDAP stuff, so excuse me if I
>>>> ask something that's silly.
>>>>
>>>> If someone has to automate the process of adding principals, what
>>>> are the possible solutions?
>>>> Using scripts? Is that a good way?
>>>>
>>>> Thanks and Regards,
>>>> Gaurav
>>>>
>>>> On Thu, May 29, 2008 at 1:45 AM, Turbo Fredriksson <turbo at bayour.com> wrote:
>>>>
>>>>>>>>>> "gaurav" == gaurav bagga <gaurav.v.bagga at gmail.com> writes:
>>>>>
>>>>>   gaurav> Hi all, I am trying to integrate Kerberos and Ldap but not
>>>>>   gaurav> happy with what I have achieved till now. I'll really
>>>>>   gaurav> appreciate if any one can help/guide by giving pointers
>>>>>   gaurav> towards *good articles *which give information regarding
>>>>>   gaurav> the steps to be performed in doing the same.
>>>>>
>>>>> Have a look at http://bayour.com/LDAPv3-HOWTO.html
>>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> __________________________________
>>> Rodrigo de Castro Cosme
>>> Computer Science - Universidade Federal do Espírito Santo
>>> Suporte mailing list - suporte at inf.ufes.br
>>> MSN - rdccosmo at gmail.com
>>>
>>
>>
>>
>> --
>> -----------------
>> Daniel Savard
>>
>
>
>
> -- 
> __________________________________
> Rodrigo de Castro Cosme
> Computer Science - Universidade Federal do Espírito Santo
> Suporte mailing list - suporte at inf.ufes.br
> MSN - rdccosmo at gmail.com

________________________________________________
Kerberos mailing list           Kerberos at mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
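Derek's advice in this thread is to design around root rather than try to stop it: make the services themselves require Kerberos, and if NFS is used, run NFSv4 with Kerberos security. The following is an added example, not code from any message in the thread, showing what that looks like on the NFS server side and how to audit for exports that still accept AUTH_SYS (where the server trusts whatever uid the client sends, so a client-side root who has su'd to another user is indistinguishable from that user). The export paths, host pattern and sample lines are constructed for illustration; the `sec=` option values (`sys`, `krb5`, `krb5i`, `krb5p`) are the real Linux NFS security flavours.

```shell
#!/bin/sh
# Added example, not from the thread: audit NFS export entries for the
# weakness Derek describes. With the default AUTH_SYS flavour (sec=sys)
# the server trusts the uid the client sends, so anyone who is root on a
# client can su to another user and read that user's files. Requiring a
# sec=krb5* flavour makes the server demand a Kerberos ticket for the
# user instead, which local root on the client does not have.
# The export lines below are constructed sample data (hypothetical paths/hosts).

SAMPLE_EXPORTS='# weak: no sec= option, so AUTH_SYS only
/srv/home   *.example.com(rw,sync)
# good: every access needs a Kerberos ticket; krb5p also encrypts the traffic
/srv/home   *.example.com(rw,sync,sec=krb5p)
# weak: krb5i is offered, but sys is still accepted alongside it
/srv/pub    *.example.com(ro,sec=sys:krb5i)'

# Read export lines on stdin and print those that still accept AUTH_SYS:
# either no sec= option at all, or a sec= list that includes "sys".
weak_exports() {
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;      # skip blank lines and comments
        esac
        # the option list is the text inside the parentheses
        opts=$(printf '%s\n' "$line" | sed -n 's/.*(\(.*\)).*/\1/p')
        case ",$opts," in
            *,sec=*)
                # sec= takes a colon-separated list of flavours, e.g. sys:krb5i
                flavours=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^sec=//p')
                case ":$flavours:" in
                    *:sys:*) printf '%s\n' "$line" ;;
                esac ;;
            *) printf '%s\n' "$line" ;;   # no sec= means sec=sys by default
        esac
    done
}

# Count weak lines without depending on wc's output formatting.
count_weak_exports() {
    weak_exports | {
        n=0
        while IFS= read -r dummy; do n=$((n+1)); done
        echo "$n"
    }
}

# Run the audit against the sample data; on a real server use:
#   weak_exports < /etc/exports
printf '%s\n' "$SAMPLE_EXPORTS" | weak_exports
```

On the sample data the audit reports the two entries that still allow `sys` and stays silent on the `sec=krb5p` one. The client side has to match: a mount with `-o sec=krb5p` (or `krb5`/`krb5i`) only works for a user holding a valid TGT, which is exactly the property Derek is relying on when he says root's ability to su matters less once the services require Kerberos.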


