wallet acls per glob
Ross Smith
rjsm at umich.edu
Thu Oct 4 16:39:55 EDT 2012
Hi all,
I am working on setting up wallet in our environment and for the most part
have been pleased that it suits our needs well. First, a bit of background
on our setup. We have two host keytabs per system to handle hosts changing
hostname without in-person intervention. When the system is loaded
initially, we require a user to authenticate to generate and deploy a
machine keytab. The master keytab then has permissions to get the FQDN
keytab as necessary.
We would like to restrict certain acls to only reload certain hosts. I
have a local patch to allow ldap-group acls. An example of what I'd like
to set up is to have members of the group foo-reloaders only be able to
autocreate acls for hosts with FQDN matching ^bar*.engin.umich.edu. Is
there an easy way to do this with wallet as is? Or how much work would it
be to implement something like this?
Thanks,
Ross Smith <rjsm at umich.edu>
College of Engineering - CAEN - Unix and Linux Support
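One way to get the per-pattern restriction asked about above is wallet's autocreate hook: wallet.conf is Perl, and if it defines a default_owner($type, $name) function the server calls it on autocreate and expects either nothing (refuse) or an ACL name followed by ACL entries as [scheme, identifier] pairs, with the requesting user having to be authorized by that ACL for the autocreate to succeed. The sketch below is an added example, not code from the wallet project or from the poster; the rule table, the realm, the reading of the pattern as ^bar.*\.engin\.umich\.edu$, and the "ldap-group" scheme (the poster's local patch, whose identifier format is assumed to be a bare group name) are all assumptions.

```perl
# Added example for /etc/wallet/wallet.conf: map host-name patterns to the
# group allowed to autocreate matching host keytabs.  Wallet calls
# default_owner($type, $name) on autocreate; the realm, the rule table and
# the "ldap-group" scheme (a local patch, not a stock wallet scheme) are
# assumptions.
use strict;
use warnings;

our $REALM = 'ENGIN.UMICH.EDU';   # assumed realm

# Ordered rules: the first pattern that matches the host wins.  Each rule
# names the group whose members may autocreate keytabs for matching hosts.
my @AUTOCREATE_RULES = (
    { pattern => qr/^bar.*\.engin\.umich\.edu$/i,  group => 'foo-reloaders' },
    { pattern => qr/^baz\d+\.engin\.umich\.edu$/i, group => 'baz-reloaders' },
);

# Extract the host from a keytab name such as host/foo.engin.umich.edu,
# with or without an @REALM suffix.  Returns undef for anything else, so a
# name like "host/../foo" or a non-host principal never reaches the rules.
sub host_from_keytab_name {
    my ($name) = @_;
    my ($host) = ($name =~ m{^host/([^/\@\s]+)(?:\@[^\@]+)?$});
    return $host;
}

sub default_owner {
    my ($type, $name) = @_;
    return unless $type eq 'keytab';          # only host keytabs are autocreated
    my $host = host_from_keytab_name($name);
    return unless defined $host;
    for my $rule (@AUTOCREATE_RULES) {
        next unless $host =~ $rule->{pattern};
        my $acl_name = "host/$host";
        # The host's own principal stays on the ACL so the running machine can
        # still fetch its keytab later; the group entry is what authorizes the
        # autocreate, since wallet checks the caller against the returned ACL.
        my @acl = (
            [ 'krb5',       "host/$host\@$REALM" ],
            [ 'ldap-group', $rule->{group} ],   # local scheme; identifier format assumed
        );
        return ($acl_name, @acl);
    }
    return;   # no rule matched: wallet refuses the autocreate
}

1;
```

Because the hook both selects the ACL and supplies its entries, a user in foo-reloaders is authorized only for names whose host part matches the first rule; a request for a host outside every pattern returns an empty list and is refused before any ACL is created. The anchors on each pattern and the host extraction are what prevent a name such as host/bar.engin.umich.edu.attacker.example from matching.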
More information about the Kerberos mailing list