kadmin remote as a regular user

Todd Grayson tgrayson at cloudera.com
Wed Apr 1 22:27:12 EDT 2015


Rainer,

Consider that you do not want to obfuscate keeping track of users modifying
the KDC database through generic service accounts like admin/admin. As the
later discussion in this thread positions, use the kadm5.acl file to name
users (they don't have to be named with a */admin convention if you need
specific users to have access with their normal account... but you might
want to consider doing it anyway, so they have to actually enable their
admin access before attempting to modify the KDC).

The kadm5.acl file also supports defining, per user, limits on who and what
can be modified...


On Tue, Mar 31, 2015 at 5:56 AM, Rainer Krienke <krienke at uni-koblenz.de>
wrote:

> Hello,
>
> I would like to achieve the following. A particular user, say "john", logs
> in at a Linux system or authenticates in Apache against Kerberos.
> Now I would like to allow this user "john" to run kadmin commands
> without entering any additional password.
>
> I first thought that kadmin is like a service and exported the principal
> admin/admin to a keytab file which I copied to a remote system. On this
> system I was then able to call
>
> $ kadmin -k -t /etc/krb5.keytab -p admin/admin
> Authenticating as principal admin/admin with keytab /etc/krb5.keytab.
> kadmin: getprincs
> ...
>
> However this does not work the way I expected. Now I can even destroy
> the user ticket of john with kdestroy -c /tmp/krb5cc_1234 that john got
> when logging into the system and kadmin still works.
>
> What I wanted is that kadmin only works when a particular user has
> logged in and has authenticated against Kerberos. Now any user that
> could log in into the system would be able to run kadmin if he has access
> to the keytab file.
>
> So after all what I want is kerberos based single sign on for kadmin usage.
>
> Any idea how to configure this?
>
> Thanks
> Rainer
> --
> Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse  1
> 56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287
> 1312
> PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html,Fax: +49261287
> 1001312
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>


-- 
Todd Grayson
Customer Operations Engineering
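An added illustration of the ACL approach Todd describes above (this is not from the original thread; the realm EXAMPLE.COM and the principals john, john/admin, helpdesk and the */root instances are assumed): a kadm5.acl for an MIT KDC that names individual users, separates a user's login principal from the admin instance they must explicitly kinit as, and limits what each may touch.

```text
# kadm5.acl (MIT krb5) -- added example, not from the original thread.
# Line format:  principal   permissions   [target_principal   [restrictions]]
# Permissions:  a add, d delete, m modify, c change password, i inquire,
#               l list, s set key, p propagate; x or * grants all of these
#               (not e, key extraction). Uppercase letters deny a permission.

# Full rights only for */admin instances. john must run
#     kinit john/admin   (or: kadmin -p john/admin)
# with the separate admin password before he can modify the KDC, and the
# kadmind log records john/admin rather than a shared admin/admin.
*/admin@EXAMPLE.COM      *

# john's ordinary login principal may only inquire about and list entries;
# a ticket stolen from john's credential cache cannot add, delete or modify.
john@EXAMPLE.COM         il

# helpdesk may change passwords and inquire, but only for single-component
# user principals (wildcards match one component), so never for */admin or
# host/... service principals. Any principal it creates or modifies is
# further restricted to an 8 hour maximum ticket life by the restriction field.
helpdesk@EXAMPLE.COM     ci      *@EXAMPLE.COM      -maxlife 8h

# Each user's */root instance may change the password of, and inquire about,
# only the principal with the same first component (*1 is a back-reference
# to the first wildcard in the principal field): alice/root acts on alice only.
*/root@EXAMPLE.COM       ci      *1@EXAMPLE.COM
```

kadmind reads this file at startup, so restart it after editing. Note that the ACL governs what an authenticated kadmin client may do; it does not by itself give the single sign-on Rainer asked about, but it does ensure that whoever reaches kadmind is a named, individually accountable principal with the minimum permissions their role needs.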
