[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: special principals handling

To: heimdal-discuss@sics.se
Subject: Re: special principals handling
From: Thomas Kula <kula@tproa.net>
Date: Fri, 1 Feb 2008 09:30:46 -0500
In-Reply-To: <47A32961.2080204@inria.fr>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
Mail-Followup-To: heimdal-discuss@sics.se
References: <47A32961.2080204@inria.fr>
Reply-To: heimdal-discuss@sics.se, Thomas Kula <kula@tproa.net>
User-Agent: Mutt/1.5.13 (2006-08-11)

On Fri, Feb 01, 2008 at 03:14:57PM +0100, Guillaume Rousse wrote:
> 
> Second, our usual policy is to grant admins all authorisations with
> their standard accounts (through sudo, or ldap group ACLs, for
> instance), so as to avoid keeping trace of shared passwords. It seems
> the usual kerberos practice is to create additional principal with a
> 'admin' instance for admins, but this constitute two different accounts.
> Is there any way to automatically sync 'foo@REALM' with
> 'foo/admin@REALM' for this purpose ? Or is it really a bad practice to
> grant all powers to 'foo@REALM' ?

You don't need to sync anything --- you can give kerberos
administrative rights to any principal. Just put the principal
in your kadmind.acl file, e.g. put "foo@REALM" in that file,
and now foo@REALM has whatever powers you've granted it in
the acl file. 

That said, I much prefer to create and grant administrative
powers to administrative instances for every service that
allows me to do so. Translation: I think it is really a bad
practice to grant all powers to 'foo@REALM'. My normal account
doesn't really have much power, but when I need to do
something more powerful (and potentially more dangerous) I get
admin credentials, do it, and get rid of those credentials. 
It minimizes the amount of time in which I can really screw
things up. 

-- 
Thomas L. Kula | kula@tproa.net | http://kula.tproa.net/
Mathom House at Ypsi-Edge, The People's Republic of Ames

References:
- special principals handling
  - From: Guillaume Rousse <Guillaume.Rousse@inria.fr>

Prev by Date: special principals handling
Next by Date: Re: special principals handling
Prev by thread: special principals handling
Next by thread: Re: special principals handling
Index(es):
- Date
- Thread