
Re: user mapping



Antoine Jacoutot <ajacoutot@dioranews.com> writes:

> Now, is there a way to make user and user/admin the same user?

Technically these are different instances of the same user, but I
understand what you mean. No, you can't make them the same, but you
can authenticate to the kadmin server with your regular principal, you
just have to use kadmin -p user@REALM.

One reason to use a separate admin account is that you can enforce
more strict controls on them, like password length, max ticket life,
etc. I would advise against using just one shared admin account, as
this would make tracing impossible. Also if the password is
compromised, or if people quit, you will have to tell everyone the new
password, which if nothing else takes a lot of time.

>> You may want to test
>>
>> user/@REALM.COM all
>>
>> which should be the same thing as user@REALM.COM

No, these are not the same.

/Johan
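
The distinction drawn in the reply above, shown as an added example that is not part of the original message or of any Kerberos implementation: a simplified parser for the textual principal form, in which an unescaped "/" separates name components and "@" starts the realm. The function names are hypothetical, the escape handling is reduced to "backslash makes the next character literal", and the sample principals are constructed from the names used in the thread.

```python
def parse_principal(name):
    """Split a principal string into (components, realm).

    Simplified model of the textual form: an unescaped '/' separates
    name components, the first unescaped '@' starts the realm, and a
    backslash makes the following character literal.
    """
    components, current, realm = [], [], None
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            current.append(name[i + 1])   # escaped character, keep as-is
            i += 2
            continue
        if ch == "/":
            components.append("".join(current))  # close this component
            current = []
        elif ch == "@":
            realm = name[i + 1:]          # rest of the string is the realm
            break
        else:
            current.append(ch)
        i += 1
    components.append("".join(current))   # last (possibly empty) component
    return tuple(components), realm


def same_principal(a, b):
    """Two names refer to the same principal only if every component
    and the realm are identical."""
    return parse_principal(a) == parse_principal(b)


# Constructed sample names, using the realm from the thread.
SAMPLES = [
    "user@REALM.COM",        # one component
    "user/admin@REALM.COM",  # two components: 'user' and 'admin'
    "user/@REALM.COM",       # two components: 'user' and an empty instance
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:24} -> {parse_principal(s)}")
    print(same_principal("user@REALM.COM", "user/@REALM.COM"))
```
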