kadmin remote as a regular user

Todd Grayson tgrayson at cloudera.com
Wed Apr 1 22:27:29 EDT 2015


http://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kadm5_acl.html

On Wed, Apr 1, 2015 at 8:27 PM, Todd Grayson <tgrayson at cloudera.com> wrote:

> Rainer,
>
> Consider that you do not want to obfuscate keeping track of users modifying
> the KDC database through generic service accounts like admin/admin.  As the
> later discussion in this thread positions, use the kadm5.acl file to name
> users (they don't have to be named with a */admin convention if you need
> specific users to have access with their normal account... but you might
> want to consider doing it anyway, so they have to actually enable their
> admin access before attempting to modify the KDC).
>
> The kadm5.acl file also supports defining user limits on who and what can
> be modified...
>
>
> On Tue, Mar 31, 2015 at 5:56 AM, Rainer Krienke <krienke at uni-koblenz.de>
> wrote:
>
>> Hello,
>>
>> I would like to achieve the following. A particular user, say "john", logs
>> in at a Linux system or authenticates in Apache against Kerberos.
>> Now I would like to allow this user "john" to run kadmin commands
>> without entering any other password.
>>
>> I first thought that kadmin is like a service and exported the principal
>> admin/admin to a keytab file which I copied to a remote system. On this
>> system I was then able to call
>>
>> $ kadmin -k -t /etc/krb5.keytab -p admin/admin
>> Authenticating as principal admin/admin with keytab /etc/krb5.keytab.
>> kadmin: getprincs
>> ...
>>
>> However, this does not work the way I expected. Now I can even destroy
>> the user ticket of john with kdestroy -c /tmp/krb5cc_1234 that john got
>> when logging into the system, and kadmin still works.
>>
>> What I wanted is that kadmin only works when a particular user has
>> logged in and has authenticated against Kerberos. Now any user that
>> could log into the system would be able to run kadmin if he has access
>> to the keytab file.
>>
>> So after all, what I want is Kerberos-based single sign-on for kadmin
>> usage.
>>
>> Any idea how to configure this?
>>
>> Thanks
>> Rainer
>> --
>> Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse 1
>> 56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
>> PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html, Fax: +49261287 1001312
>>
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
>
> --
> Todd Grayson
> Customer Operations Engineering
>
>


-- 
Todd Grayson
Customer Operations Engineering
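As an added example (not code from this thread, nor from MIT's kadmind), a small Python evaluator for the kadm5.acl entries Todd points to: named users with narrow rights instead of a shared admin/admin, and a target-principal restriction. The ACL content is constructed; the evaluator assumes first-match semantics and that an entry carrying a target only applies to requests that name a target principal.

```python
"""Minimal evaluator for kadm5.acl entries (added example, not from the thread).

Layout per the MIT documentation: `principal permissions [target_principal]`.
Each name component may be `*`; lowercase letters grant, uppercase letters
deny, and `*` or `x` grants everything. Assumptions: the first matching
entry decides, and a target-bearing entry applies only when a target is given.
"""
from typing import List, Optional, Tuple

# Constructed kadm5.acl: real admins keep a */admin instance; "john" may only
# inquire and list; "helpdesk" may change passwords, except for */admin accounts.
ACL_TEXT = """\
# kadm5.acl (constructed example)
*/admin@EXAMPLE.COM      *
john@EXAMPLE.COM         il
helpdesk@EXAMPLE.COM     C     */admin@EXAMPLE.COM
helpdesk@EXAMPLE.COM     c     *@EXAMPLE.COM
"""

Entry = Tuple[str, str, Optional[str]]


def split_principal(name: str) -> List[str]:
    """'john/admin@EXAMPLE.COM' -> ['john', 'admin', 'EXAMPLE.COM']"""
    primary, _, realm = name.rpartition("@")
    return primary.split("/") + [realm]


def match_principal(pattern: str, name: str) -> bool:
    """Component-wise match: '*' stands for exactly one whole component."""
    p, n = split_principal(pattern), split_principal(name)
    return len(p) == len(n) and all(a in ("*", b) for a, b in zip(p, n))


def parse_acl(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # blank lines and comments
            continue
        fields = line.split()
        entries.append((fields[0], fields[1], fields[2] if len(fields) > 2 else None))
    return entries


def allowed(acl: List[Entry], principal: str, op: str, target: Optional[str] = None) -> bool:
    """Is lowercase operation letter `op` permitted for `principal` on `target`?"""
    for who, perms, tgt in acl:
        if not match_principal(who, principal):
            continue
        if tgt is not None and (target is None or not match_principal(tgt, target)):
            continue
        if perms in ("*", "x"):
            return True
        return op in perms  # an uppercase (deny) letter never equals a lowercase op


ACL = parse_acl(ACL_TEXT)
```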

