[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: user mapping

Antoine Jacoutot <ajacoutot@dioranews.com> writes:

> Now, is there a way to make user and user/admin the same user?

Technically these are different instances of the same user, but I
understand what you mean. No, you can't make them the same, but you
can authenticate to the kadmin server with your regular principal, you
just have to use kadmin -p user@REALM.

One reason to use a separate admin account, is that you can enforce
more strict controls on them, like password length, max ticket life,
etc. I would advise against using just one shared admin account, as
this would make tracing impossible. Also if the password is
compromised, or if people quit, you will have to tell everyone the new
password, which if nothing else takes a lot of time.

>> You may want to test
>> user/@REALM.COM all
>> which should be the same thing as user@REALM.COM

No, these are not the same.