How to disallow users?
Derek Atkins
derek at ihtfp.com
Fri Mar 8 23:28:00 EST 2002
Austin Gonyou <austin at coremetrics.com> writes:
> A user who's sole principal is user/admin at HOST.DOMAIN.COM is err'd,
> since user at HOST.DOMAIN.COM doesn't exist.
Right.
> Questions:
> 1. Should I be adding user at HOST.DOMAIN.COM *first*, then add another
> principal that allows them admin rights?(as in
> user/admin at HOST.DOMAIN.COM)?
Yes. A normal user is _always_ user at REALM. A user/<role>@REALM is
_always_ a secondary ticket. This secondary ticket it used by kadmin
(user/admin) or ksu (user/root).
> 2. If I wish to *lock* someone's kerberos account, to ensure they can
> not login to a kerberos authenticating workstation, or prevent those
> with NO kerberos principal from logging in, what's a good pointer for
> this?
Um, if they have no kerberos principal, what password are they giving
that allows them to login? If you want to require someone to user
kerberos, make sure they do not have an actual password entry in
/etc/passwd (or NIS, Hesiod, LDAP, etc). They need to have the pwent
information (username, uid, shell, homedir), but the password field
should be set to *NP*.
> Thanks much. So far, my kerberos experience and understanding has been
> far better than previous experiments.
You're welcome.
-derek
> TIA.
> --
> Austin Gonyou
> Systems Architect, CCNA
> Coremetrics, Inc.
> Phone: 512-698-7250
> email: austin at coremetrics.com
--
Derek Atkins
Computer and Internet Security Consultant
derek at ihtfp.com www.ihtfp.com
More information about the krbdev
mailing list