kadmin remote as a regular user

Rainer Krienke krienke at uni-koblenz.de
Tue Mar 31 07:56:52 EDT 2015


Hello,

I would like to achieve the following. A particular user, say "john", logs
in at a linux system or authenticates in apache against kerberos.
Now I would like to allow this user "john" to run kadmin commands
without entering any additional other password.

I first thought that kadmin is like a service and exported the principal
admin/admin to a keytab file which I copied to a remote system. On this
system I was then able to call

$ kadmin -k -t /etc/krb5.keytab -p admin/admin
Authenticating as principal admin/admin with keytab /etc/krb5.keytab.
kadmin: getprincs
...

However this does not work the way I expected. Now I can even destroy
the user ticket of john with kdestroy -c /tmp/krb5cc_1234 that john got
when logging into the system and kadmin still works.

What I wanted is that kadmin only works when a particular user has
logged in and has authenticated against kerberos. Now any user that
could log into the system would be able to run kadmin if he has access
to the keytab file.

So after all what I want is kerberos based single sign on for kadmin usage.

Any idea how to configure this?

Thanks
Rainer
-- 
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse  1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html,Fax: +49261287
1001312
