kadmin remote as a regular user
Rainer Krienke
krienke at uni-koblenz.de
Wed Apr 1 08:03:41 EDT 2015
On 31.03.2015 at 16:15, Greg Hudson wrote:
> On 03/31/2015 07:56 AM, Rainer Krienke wrote:
>> I would like to achieve the following. A particular user say "john" logs
>> in at a linux system or authenticates in apache against kerberos.
>> Now I would like to allow this user "john" to run kadmin commands
>> without entering any additional other password.
>
> You are running into two semi-configured, semi-conventional behaviors:
>
> 1. By default, kadmin assumes you want to authenticate as username/admin.
>
> 2. By default, the KDC doesn't accept TGS requests for the kadmin
> service; you have to get an initial ticket directly for the service.
> Because of this, the kadmin client doesn't even try to make a TGS
> request; it either makes an AS request or uses existing tickets.
>
> My recommendation is that you don't fight these defaults, but use kinit
> -S and kadmin -c to avoid having to enter a password for every operation:
>
> kinit -S kadmin/admin -c /path/to/admin/ccache john/admin
> kadmin -c /path/to/admin/ccache
Hello Greg,
thank you very much for your explanation. However, I first wondered why
the credential cache above was named "admin". I guess it's not a typo, but
I still do not understand why the credentials of admin/admin are needed
and why no other user like john/admin is allowed here.
I added a principal john/admin@MYREALM.DE to Kerberos. Then on the
client I ran kinit:
$ kinit -S kadmin/admin john/admin
<john's password>
Then I run kadmin on the client system and do not have to enter any
password. Say john has uid 1234:
$ kadmin -c /tmp/krb5cc_1234
kadmin: getprivs
current privileges: GET ADD MODIFY DELETE
kadmin: getprinc nfs/linux.uni-koblenz.de
get_principal: Operation requires ``get'' privilege while retrieving "nfs/linux.uni-koblenz.de".
The ACL file /var/lib/kerberos/krb5kdc/kadm5.acl on the server looks
like this:
#
admin/admin *
kadmin/admin *
kadmin/admin@MYREALM.DE *
john/admin *
john/admin@MYREALM.DE *
So getprivs says everything is OK, the ACL is set, and authentication for
john/admin works, but I actually cannot get any principal or list
principals. The Kerberos log file tells me:
"Unauthorized request: kadm5_get_principal nfs/linux.uni-koblenz.de@MYREALM.de, client=john/admin@MYREALM.DE, service=kadmin/admin@MYREALM.DE"
However, if I run kinit -S kadmin/admin admin/admin
(so actually using the principal admin/admin instead of john/admin), things
work just fine, e.g. kadmin: getprincs. Is the principal admin/admin
in some way hardcoded in kadmin?
It seems I still do not understand the way Kerberos works. Can anyone help?
Thanks
Rainer
--
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
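The kadm5.acl file quoted in the message follows the documented MIT format "principal permissions [target_principal]". The following is an added example, not code from the thread or from MIT Kerberos: a small Python model of those documented rules (permission letters a c d e i l m p s, "x" or "*" for all, an upper-case letter to deny, "*" and "?" wildcards inside principal components, a principal written without a realm taking the default realm, first matching line wins). The default realm MYREALM.DE, the helpdesk/admin and bob/admin lines and the trailing wildcard line are constructed for the illustration; the restriction field and kadmind's own parser are not modelled. Evaluating the quoted john/admin line under these rules grants the inquire privilege, which matches what getprivs reported; when a running kadmind disagrees with such an evaluation, the practical next step is to confirm which file, and which contents, that daemon has actually loaded.

```python
"""Minimal evaluator for MIT Kerberos kadm5.acl lines (added illustration).

Not code from the Kerberos project or the mailing-list thread. It models the
documented format  principal permissions [target_principal]: permission
letters a c d e i l m p s, "x" or "*" for all, an upper-case letter to deny
that permission, "*" / "?" wildcards inside principal components, a principal
written without a realm getting DEFAULT_REALM appended, first matching line
wins. The restriction field is ignored.
"""
import fnmatch
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

DEFAULT_REALM = "MYREALM.DE"  # assumption: the KDC's default realm

# Lower-case permission letter -> operation name; "x"/"*" grant all of them.
PERMS = {"a": "add", "c": "changepw", "d": "delete", "e": "extract",
         "i": "inquire", "l": "list", "m": "modify", "p": "propagate",
         "s": "setkey"}


@dataclass
class AclEntry:
    principal: str
    allowed: Set[str] = field(default_factory=set)
    denied: Set[str] = field(default_factory=set)
    target: Optional[str] = None


def qualify(princ: str) -> str:
    """Append the default realm when the name carries none."""
    return princ if "@" in princ else f"{princ}@{DEFAULT_REALM}"


def split_principal(princ: str) -> Tuple[List[str], str]:
    name, realm = qualify(princ).rsplit("@", 1)
    return name.split("/"), realm


def match_principal(pattern: str, princ: str) -> bool:
    """Component-wise, case-sensitive wildcard match; component counts must agree."""
    pcomps, prealm = split_principal(pattern)
    ccomps, crealm = split_principal(princ)
    if len(pcomps) != len(ccomps) or not fnmatch.fnmatchcase(crealm, prealm):
        return False
    return all(fnmatch.fnmatchcase(c, p) for p, c in zip(pcomps, ccomps))


def parse_perms(spec: str) -> Tuple[Set[str], Set[str]]:
    allowed: Set[str] = set()
    denied: Set[str] = set()
    for ch in spec:
        if ch in ("x", "*"):
            allowed.update(PERMS.values())
        elif ch.lower() in PERMS:
            (denied if ch.isupper() else allowed).add(PERMS[ch.lower()])
        else:
            raise ValueError(f"unknown permission letter {ch!r}")
    return allowed, denied


def parse_acl(text: str) -> List[AclEntry]:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed ACL line: {raw!r}")
        allowed, denied = parse_perms(fields[1])
        target = fields[2] if len(fields) > 2 else None
        entries.append(AclEntry(fields[0], allowed, denied, target))
    return entries


def is_allowed(entries: List[AclEntry], client: str, op: str,
               target: Optional[str] = None) -> bool:
    """First entry matching client (and target, if the entry names one) decides; no match denies."""
    for e in entries:
        if not match_principal(e.principal, client):
            continue
        if e.target is not None and (target is None or not match_principal(e.target, target)):
            continue
        return op in e.allowed and op not in e.denied
    return False


# Constructed sample: the three unqualified lines quoted in the message plus
# three hypothetical lines exercising a target restriction, a deny letter and
# a wildcard fallback. Order matters because the first match wins.
SAMPLE_ACL = """\
# kadm5.acl (constructed sample)
admin/admin *
kadmin/admin *
john/admin *
helpdesk/admin@MYREALM.DE ci */user
bob/admin *D
*/admin il
"""


def demo() -> dict:
    acl = parse_acl(SAMPLE_ACL)
    return {
        "john_inquire": is_allowed(acl, "john/admin", "inquire", "nfs/linux.uni-koblenz.de"),
        "john_list": is_allowed(acl, "john/admin@MYREALM.DE", "list"),
        "helpdesk_changepw_user": is_allowed(acl, "helpdesk/admin", "changepw", "alice/user"),
        "helpdesk_changepw_admin": is_allowed(acl, "helpdesk/admin", "changepw", "admin/admin"),
        "bob_delete": is_allowed(acl, "bob/admin", "delete", "alice"),
        "bob_modify": is_allowed(acl, "bob/admin", "modify", "alice"),
        "carol_inquire": is_allowed(acl, "carol/admin", "inquire", "alice"),
        "carol_add": is_allowed(acl, "carol/admin", "add", "alice"),
        "plain_john": is_allowed(acl, "john", "inquire", "alice"),
        "other_realm": is_allowed(acl, "john/admin@OTHER.DE", "inquire", "alice"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The "plain_john" and "other_realm" cases show the two distinctions the thread keeps tripping over: john/admin is a different principal from john, and an unqualified ACL entry only matches a client in the default realm.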