Subject: Re: user mapping
Date: Wed, Dec 17, 2003 at 08:48:32AM +0100

Quoting Antoine Jacoutot (firstname.lastname@example.org):

> > That is the way it is normally done :-)
>
> Great, so I guess all I have to do is create some user like admin/admin and
> give the username/password to the people who need it then.

Uhm, no, I do not think that would be a good idea. The idea with user
accounts is that you want the actions and alterations traceable. In
Kerberos you can do that, even when the underlying Unix has a hard time
doing it.

So, if you have three admins, Antoine, Pierre, Jeanette, you should give
them three accounts each:

antoine@REALM
antoine/root@REALM
antoine/admin@REALM

pierre@REALM
pierre/root@REALM
pierre/admin@REALM

jeanette@REALM
jeanette/root@REALM
jeanette/admin@REALM

This way, you have maximum separation and maximum accountability, without
sacrificing any privileges.

Then of course, in /var/heimdal/kadmind.acl on the KDC, you should set up
privileges like so:

# Pierre can alter passwords only.
pierre/admin@REALM cpw,list

# Antoine can do anything:
antoine/admin@REALM add,cpw,delete,get,list,modify

# Jeanette too:
jeanette/admin@REALM add,cpw,delete,get,list,modify

HTH,

--
Måns Nilsson                    Systems Specialist
+46 70 681 7204                 KTHNOC
MN1334-RIPE

I am covered with pure vegetable oil and I am writing a best seller!

PS: I really should send patches to PDC for all those holes in the docs.
We all should, I think.
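The following checker is an added example; it is not code from the mail above nor part of Heimdal. It parses a kadmind.acl in the layout the mail uses (one entry per line: principal, comma-separated privileges, and, as Heimdal documents, an optional third field with a glob over the target principals the entry applies to), answers whether a given /admin principal may perform an operation on a target, and audits the file for entries that defeat traceability, such as the shared admin/admin account proposed in the quoted question. The realm EXAMPLE.ORG, the ACL texts and the set of "generic" names are constructed for the example.

```python
"""Parse and audit a Heimdal-style kadmind.acl (added example, not Heimdal code).

Assumed line format (per Heimdal's kadmind documentation):
    principal  priv[,priv...]  [target-principal-glob]
Privileges: add, change-password (alias cpw), delete, get, list, modify,
and the shorthand all. '#' starts a comment; blank lines are ignored.
"""
import fnmatch
from dataclasses import dataclass

PRIVILEGES = frozenset({"add", "change-password", "delete", "get", "list", "modify"})

# Constructed sample mirroring the ACL in the mail (realm is a placeholder).
SAMPLE_ACL = """\
# Pierre can alter passwords only.
pierre/admin@EXAMPLE.ORG cpw,list

# Antoine can do anything:
antoine/admin@EXAMPLE.ORG add,cpw,delete,get,list,modify

# Jeanette too:
jeanette/admin@EXAMPLE.ORG add,cpw,delete,get,list,modify
"""

# Constructed: the shared account the quoted question suggested, plus a
# scoped helpdesk entry using the optional target glob.
SHARED_ACL = """\
admin/admin@EXAMPLE.ORG all
helpdesk/admin@EXAMPLE.ORG cpw *@EXAMPLE.ORG
"""

# Names that identify a role rather than a person; assumption for the audit.
GENERIC_PRIMARIES = {"admin", "root", "kadmin", "helpdesk"}


@dataclass(frozen=True)
class AclEntry:
    principal: str
    privs: frozenset
    pattern: str  # glob over target principals; '*' when the field is absent


def parse_acl(text):
    """Return the list of AclEntry objects in file order; raise on malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 fields: {raw!r}")
        privs = set()
        for priv in fields[1].split(","):
            if priv == "all":
                privs |= PRIVILEGES
            elif priv == "cpw":
                privs.add("change-password")
            elif priv in PRIVILEGES:
                privs.add(priv)
            else:
                raise ValueError(f"line {lineno}: unknown privilege {priv!r}")
        pattern = fields[2] if len(fields) == 3 else "*"
        entries.append(AclEntry(fields[0], frozenset(privs), pattern))
    return entries


def is_allowed(entries, principal, op, target):
    """True if some entry grants `principal` the operation `op` on `target`."""
    op = "change-password" if op == "cpw" else op
    return any(
        e.principal == principal and op in e.privs and fnmatch.fnmatchcase(target, e.pattern)
        for e in entries
    )


def audit(entries):
    """Flag entries whose actions could not be attributed to one person."""
    findings = []
    for e in entries:
        name = e.principal.partition("@")[0]
        primary, _, instance = name.partition("/")
        if instance != "admin":
            findings.append((e.principal, "not a per-person /admin instance"))
        if primary in GENERIC_PRIMARIES:
            findings.append((e.principal, "generic shared principal; actions are not attributable"))
    return findings


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print(is_allowed(acl, "pierre/admin@EXAMPLE.ORG", "cpw", "jeanette@EXAMPLE.ORG"))
    print(is_allowed(acl, "pierre/admin@EXAMPLE.ORG", "delete", "jeanette@EXAMPLE.ORG"))
    for principal, reason in audit(parse_acl(SHARED_ACL)):
        print(f"{principal}: {reason}")
```

The audit deliberately does not complain about Antoine's and Jeanette's full privilege lists: the mail's point is that per-person /admin instances keep every privilege while making each change attributable, so the check targets the identity, not the breadth of rights. The `pattern` field lets a password-reset role be scoped to one realm or naming prefix without granting the other operations.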