[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: special principals handling

On Fri, Feb 01, 2008 at 03:14:57PM +0100, Guillaume Rousse wrote:
> Second, our usual policy is to grant admins all authorisations with
> their standard accounts (through sudo, or ldap group ACLs, for
> instance), so as to avoid keeping trace of shared passwords. It seems
> the usual kerberos practice is to create additional principal with a
> 'admin' instance for admins, but this constitute two different accounts.
> Is there any way to automatically sync 'foo@REALM' with
> 'foo/admin@REALM' for this purpose ? Or is it really a bad practice to
> grant all powers to 'foo@REALM' ?

You don't need to sync anything --- you can give kerberos
administrative rights to any principal. Just put the principal
in your kadmind.acl file, e.g. put "foo@REALM" in that file,
and now foo@REALM has whatever powers you've granted it in
the acl file. 

That said, I much prefer to create and grant administrative
powers to administrative instances for every service that
allows me to do so. Translation: I think it is really a bad
practice to grant all powers to 'foo@REALM'. My normal account
doesn't really have much power, but when I need to do
something more powerful (and potentially more dangerous) I get
admin credentials, do it, and get rid of those credentials. 
It minimizes the amount of time in which I can really screw
things up. 

Thomas L. Kula | kula@tproa.net | http://kula.tproa.net/
Mathom House at Ypsi-Edge, The People's Republic of Ames