[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: user mapping
> Now, I figured I couldn't use something like:
> user@REALM.COM all
> in my kadmind.acl,
I think it should be possible to give the principal user@REALM.COM these
permissions, even if it normally is not done that way. There might be
hidden a bug here. You may want to test
which should be the same thing as user@REALM.COM, but I don't know what
the parser expects when reading kadmind.acl. There should be a logfile
on the KDC that tells you which user was rejected and why.
(principal "user", instance "", realm "REALM.COM")
> but I had to use:
> user/admin@REALM.COM all
When you use kadmin as user in REALM.COM, kadmin automatically assumes
that you want to use kadmin as user/admin@REALM.COM.
> So, I created a second user called user/admin and I can now use kadmin with no
That is the way it is normally done :-)
> Indeed, I need to give some different access for admin to some people in my
> company, and I would prefer not to use 2 accounts (user1+user1/admin,
You should be able to configure kerberos so that the power users can
do everything with their normal logins, but I think this is a less
secure setup because this has the effect that you have the powerful
kerberos tickets with admin right laying around all the time. But the
choice is yours.
> I hope it is understandable, English is not my first language.
It is! (No problem, mine neither ;-)
- user mapping
- From: Antoine Jacoutot <email@example.com>