How to disallow users?
Austin Gonyou
austin at coremetrics.com
Fri Mar 8 19:10:01 EST 2002

I've got everything working, and my test users can indeed log in and be
authenticated by the Kerberos server. The problem I'm facing now is that
a client whose principal is something like someone/admin at HOST.DOMAIN.COM
is able to log in, but I get a message like this:

    login: Client not found in Kerberos database while getting initial credentials

I've read several FAQs and install docs for Kerberos, but I didn't see
anything exactly like this covered. (BTW, test application is telnet.)

What I'd expect to happen is that I should be able to deny this user
login since they're not using username 'admin', but rather 'someone'.

A user with only a single principal not of user/admin (etc.), so just
joe at HOST.DOMAIN.COM, can log in with no errors and he gets a new ticket,
etc.

A user whose sole principal is user/admin at HOST.DOMAIN.COM is err'd,
since user at HOST.DOMAIN.COM doesn't exist.

Questions:

1. Should I be adding user at HOST.DOMAIN.COM *first*, then add another
   principal that allows them admin rights (as in
   user/admin at HOST.DOMAIN.COM)?
2. If I wish to *lock* someone's Kerberos account, to ensure they cannot
   log in to a Kerberos authenticating workstation, or prevent those
   with NO Kerberos principal from logging in, what's a good pointer for
   this?

Thanks much. So far, my Kerberos experience and understanding has been
far better than previous experiments.

TIA.
--
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-698-7250
email: austin at coremetrics.com
"It is the part of a good shepherd to shear his flock, not to skin it."
Latin Proverb
More information about the krbdev
mailing list