[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: special principals handling

On Feb 1, 2008, at 9:14 , Guillaume Rousse wrote:

> Second, our usual policy is to grant admins all authorisations with
> their standard accounts (through sudo, or ldap group ACLs, for
> instance), so as to avoid keeping trace of shared passwords. It seems
> the usual kerberos practice is to create additional principal with a
> 'admin' instance for admins, but this constitute two different  
> accounts.
> Is there any way to automatically sync 'foo@REALM' with
> 'foo/admin@REALM' for this purpose ? Or is it really a bad practice to
> grant all powers to 'foo@REALM' ?

Minimal privilege is a very good idea in general, to help avoid  
mistakes and to make it easier to test things (if your normal account  
has full privileges, you have to use someone else's account to test  
and debug privilege/permission-related issues).  This is also why  
it's a bad idea to do everything on Unix as root or on Windows as  
Administrator, etc.

brandon s. allbery [solaris,freebsd,perl,pugs,haskell] allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university    KF8NH