kadmin remote as a regular user

Rainer Krienke krienke at uni-koblenz.de
Tue Mar 31 08:19:25 EDT 2015


Hello Andrew,

Well, it might be that kinit is part of the solution to my problem.

The background is simply that I have a database as part of an identity
management system holding all data of all users and hosts etc. So this
database holds all vital data needed to create and manage Windows/Linux
users and also to create and manage a Linux host (like setting IP, MAC,
hostname, yes/no for NFS access, ...).

Now I want to use Kerberos mainly for NFSv4 and thus I have to enter all
users and hosts that exist in this IdM database into Kerberos, e.g. add
nfs/host principals, and when a new user is created in the identity
management system Kerberos needs a new user principal entry. This is
not a one-time process but happens all the time, e.g. when a new user
account is needed and created in the IdM system.

Therefore this should be possible in a secure way without further
interactive user intervention. So I thought I would use kadmin to feed the
Kerberos DB and would like to ensure that only authenticated admin
users (that have authenticated against Kerberos and thus have a valid TGT
ticket) are permitted to run kadmin, but then without the need to enter
another admin password that is usually requested when calling kadmin
remotely.

Hope things are a bit clearer now.

Thanks
Rainer

On 31.03.2015 at 14:00, Andrew Holway wrote:
> Hi Rainer,
> 
> Are you perhaps looking for kinit?
> 
> Thanks,
> 
> Andrew
> 
> On 31 March 2015 at 13:56, Rainer Krienke <krienke at uni-koblenz.de> wrote:
> 
>     Hello,
> 
>     I would like to achieve the following. A particular user say "john" logs
>     in at a linux system or authenticates in apache against kerberos.
>     Now I would like to allow this user "john" to run kadmin commands
>     without entering any additional other password.
> 
>     I first thought that kadmin is like a service and exported the principal
>     admin/admin to a keytab file which I copied to a remote system. On this
>     system I was then able to call
> 
>     $ kadmin -k -t /etc/krb5.keytab -p admin/admin
>     Authenticating as principal admin/admin with keytab /etc/krb5.keytab.
>     kadmin: getprincs
>     ...



-- 
Rainer Krienke, Uni Koblenz, Rechenzentrum, A22, Universitaetsstrasse  1
56070 Koblenz, http://userpages.uni-koblenz.de/~krienke, Tel: +49261287 1312
PGP: http://userpages.uni-koblenz.de/~krienke/mypgp.html,Fax: +49261287
1001312
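The non-interactive provisioning the message describes (feeding user and nfs/host principals from the IdM database into Kerberos through kadmin authenticated with a keytab, so no admin password is typed), as an added example that is not part of the thread. It assumes a dedicated provisioning principal idm/provision with its own keytab and a kadm5.acl entry that restricts it, rather than the copied admin/admin keytab from the quoted question; realm, principal and keytab path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the list thread); hypothetical: realm, principal idm/provision, keytab path.
set -eu
REALM="${REALM:-EXAMPLE.ORG}"
PROV_PRINC="${PROV_PRINC:-idm/provision@$REALM}"
PROV_KEYTAB="${PROV_KEYTAB:-/etc/krb5/idm-provision.keytab}"
KADMIN="${KADMIN:-kadmin}"

# Constructed IdM export, one "kind<TAB>name<TAB>nfs" record per line (the real
# feed is a query on the IdM DB); "bob evil" stands for data that must not reach kadmin.
IDM_SAMPLE="$(printf '%b\n' 'user\tjohn\t-' 'user\talice\t-' \
    'user\tbob evil\t-' 'host\tnfs1.example.org\tyes' 'host\twww1.example.org\tno')"
tab="$(printf '\t')"

# Records on stdin -> kadmin commands on stdout. Keys are random, so no password
# passes through here; the IdM sets a user's password later with cpw (+needchange).
build_kadmin_script() {
    while IFS="$tab" read -r kind name nfs; do
        # Names become kadmin arguments: reject anything outside a safe charset.
        case "$name" in
            ''|*[!A-Za-z0-9._-]*) printf 'skipping invalid name: %s\n' "$name" >&2; continue ;;
        esac
        case "$kind" in
            user) printf 'addprinc -randkey +needchange %s@%s\n' "$name" "$REALM" ;;
            host)
                printf 'addprinc -randkey host/%s@%s\n' "$name" "$REALM"
                if [ "$nfs" = yes ]; then
                    printf 'addprinc -randkey nfs/%s@%s\n' "$name" "$REALM"
                fi ;;
            *) printf 'skipping unknown kind: %s\n' "$kind" >&2 ;;
        esac
    done
}

# One non-interactive kadmin session, authenticated with the keytab as in the quoted
# "kadmin -k -t ... -p" call; kadmin reads the commands from stdin. On the KDC, limit
# the principal in kadm5.acl to add/inquire on the three principal shapes made above:
#   idm/provision@EXAMPLE.ORG  ai  *@EXAMPLE.ORG
#   idm/provision@EXAMPLE.ORG  ai  host/*@EXAMPLE.ORG
#   idm/provision@EXAMPLE.ORG  ai  nfs/*@EXAMPLE.ORG
provision() {
    printf '%s\n' "$IDM_SAMPLE" | build_kadmin_script |
        "$KADMIN" -k -t "$PROV_KEYTAB" -p "$PROV_PRINC"
}

# Run stand-alone this is a dry run: show what provision() would send to kadmin.
printf '%s\n' "$IDM_SAMPLE" | build_kadmin_script
```

For the interactive case in the quoted question (user john already holding a valid TGT), MIT kadmin's -c option reuses an existing credentials cache so no second password is typed, again subject to what kadm5.acl grants that principal.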
