
Re: user mapping



Subject: Re: user mapping

Date: Wed, Dec 17, 2003 at 08:48:32AM +0100 Quoting Antoine Jacoutot (ajacoutot@dioranews.com):
> > That is the way it is normally done :-)
> 
> Great, so I guess all I have to do is create some user like admin/admin and 
> give the username/password to the people who need it then.

Uhm, no, I do not think that would be a good idea.

The idea with user accounts is that you want the actions and
alterations traceable. In Kerberos you can do that, even when the
underlying Unix has a hard time doing it.

So, if you have three admins, Antoine, Pierre, Jeanette, you should
give them three accounts each:

antoine@REALM
antoine/root@REALM
antoine/admin@REALM

pierre@REALM
pierre/root@REALM
pierre/admin@REALM

jeanette@REALM
jeanette/root@REALM
jeanette/admin@REALM

This way, you have maximum separation and maximum accountability,
without sacrificing any privileges.

Then of course, in /var/heimdal/kadmind.acl on the KDC, you should
set up privileges like so:

# Pierre can alter passwords only. 
pierre/admin@REALM cpw,list
# Antoine can do anything: 
antoine/admin@REALM add,cpw,delete,get,list,modify
# Jeanette too:
jeanette/admin@REALM add,cpw,delete,get,list,modify

HTH, 
-- 
Måns Nilsson         Systems Specialist
+46 70 681 7204         KTHNOC
                        MN1334-RIPE

I am covered with pure vegetable oil and I am writing a best seller!

PS: I really should send patches to PDC for all those holes in the docs. 
    We all should, I think. 
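The following is an added example (not part of the mailing-list post or of Heimdal itself) that parses an ACL in the kadmind.acl format shown above and answers "may this principal perform this operation?", plus a small lint that flags rights granted to a plain user principal instead of a separate `user/admin` instance, which is the separation the post argues for. It assumes the Heimdal line format `<principal> <comma-separated rights> [<target principal pattern>]` with `#` comments, the right names `add`, `change-password` (alias `cpw`), `delete`, `get`, `list`, `modify` and `all`; the ACL text is the post's three lines plus one constructed bad line so the lint has something to report.

```python
"""Check a Heimdal-style kadmind.acl for which principal may do what.

Added example, not the post's or Heimdal's own code. Assumed ACL format:
    <principal> <comma-separated rights> [<target principal pattern>]
with '#' comments; assumed right names: add, change-password (alias cpw),
delete, get, list, modify, all.
"""
import fnmatch

RIGHTS = {"add", "change-password", "delete", "get", "list", "modify"}
ALIASES = {"cpw": "change-password", "all": None}  # None expands to RIGHTS

# Constructed sample: the three entries from the post plus one deliberately
# bad entry (full rights on a plain user principal) for the lint to catch.
SAMPLE_ACL = """\
# Pierre can alter passwords only.
pierre/admin@REALM cpw,list
# Antoine can do anything:
antoine/admin@REALM add,cpw,delete,get,list,modify
# Jeanette too:
jeanette/admin@REALM add,cpw,delete,get,list,modify
# Constructed bad line: plain user principal granted everything.
bob@REALM all
"""


def parse_acl(text):
    """Return a list of (principal, set_of_rights, target_pattern) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 fields, got {len(parts)}")
        principal, rights_field = parts[0], parts[1]
        target = parts[2] if len(parts) == 3 else "*"  # no pattern = any target
        rights = set()
        for r in rights_field.split(","):
            r = ALIASES.get(r, r)
            if r is None:            # 'all'
                rights |= RIGHTS
            elif r in RIGHTS:
                rights.add(r)
            else:
                raise ValueError(f"line {lineno}: unknown right {r!r}")
        entries.append((principal, rights, target))
    return entries


def allowed(entries, principal, op, target="*"):
    """True if some entry for `principal` grants `op` on a matching `target`."""
    op = ALIASES.get(op, op)
    for p, rights, pattern in entries:
        if p == principal and op in rights and fnmatch.fnmatchcase(target, pattern):
            return True
    return False


def lint(entries):
    """Flag entries that give admin rights to a plain user principal.

    The post's model keeps a person's everyday principal (antoine@REALM)
    separate from the one used for administration (antoine/admin@REALM),
    so an ACL entry without an instance is a sign that separation was lost.
    """
    findings = []
    for p, _, _ in entries:
        name, _, realm = p.partition("@")
        if "/" not in name:
            findings.append(
                f"{p}: rights granted to a plain user principal "
                f"(use {name}/admin@{realm})"
            )
    return findings


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print("pierre may cpw:", allowed(acl, "pierre/admin@REALM", "cpw"))
    print("pierre may delete:", allowed(acl, "pierre/admin@REALM", "delete"))
    for finding in lint(acl):
        print("lint:", finding)
```

Run it against a real `/var/heimdal/kadmind.acl` by reading the file into `parse_acl`; the lint is deliberately narrow and only encodes the one rule the post states, so treat additional findings you want (for example, requiring a target pattern on `delete`) as local policy to add.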
