KADMIN AND DELEGATED ADMINISTRATION


KADMIN AND DELEGATED ADMINISTRATION

hairydamon
Hi

I'm new to Kerberos so forgive the question...this is about the use of
kadmin access controls and delegated administration.

The scenario is a helpdesk who can carry out limited administration
within a kerberos Realm. For example: they can reset the kerberos
passwords for regular users rather than, say, system administrators and
support staff. Possibly they might be allowed to create new principals
for regular users - as part of a delegated administration system.

Is there a way of doing this without setting up multiple realms for
each group of principals (users) that you wish to control
administrative access for (from the point of view of deleting and
creating principals and resetting their passwords)? At the moment it
seems to be an all or nothing approach.

From what I can find the Kerberos Realm is just a large flat data space
- through kadmin (and its conf file) all you can do is say a
particular principal can carry out <action> on the entire realm, and
that's it. However, I've also read that multiple realms are horrible - a
nightmare of inter-realm trusts that should be avoided if possible. It
also just doesn't feel right.

Any advice gratefully received

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: KADMIN AND DELEGATED ADMINISTRATION

Michael Marziani
Read the man page for kadm5.acl.  This file controls access and delegation for
the kerberos database.  I'm pretty sure it can do most if not all of what you
want.

-Michael

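As an added illustration of the kadm5.acl approach Michael points to (this is example code, not from the thread or from MIT Kerberos), the script below holds a constructed kadm5.acl for a placeholder realm EXAMPLE.COM and evaluates it the way the man page describes: one line per grant, lowercase letters grant and uppercase letters deny, an optional third field restricts the entry to matching target principals, and the first entry whose principal and target both match decides. Helpdesk principals (assumed naming: helpdesk/<name>) get add, change-password and inquire on plain user principals only, while */admin principals keep full rights. The component-wise wildcard matching is a simplification (the *N back-reference syntax and the restrictions field are not handled).

```python
# Constructed kadm5.acl (not from the original thread). Realm name is a placeholder.
KADM5_ACL = """
# principal              perms   target_principal
*/admin@EXAMPLE.COM      *                              # full admins
helpdesk/*@EXAMPLE.COM   ACDMP   */admin@EXAMPLE.COM    # never touch admin instances
helpdesk/*@EXAMPLE.COM   aci     *@EXAMPLE.COM          # add/changepw/inquire on plain users
"""


def _match(pattern: str, principal: str) -> bool:
    """Match an ACL pattern against a principal, component by component.
    A '*' component matches exactly one whole component, so '*@REALM' matches
    'alice@REALM' but not 'bob/admin@REALM'. Assumed simplification of MIT's
    matching: the '*N' back-reference syntax is not supported here."""
    pname, _, prealm = pattern.rpartition("@")
    name, _, realm = principal.rpartition("@")
    if prealm != "*" and prealm != realm:
        return False
    pcomps, comps = pname.split("/"), name.split("/")
    if len(pcomps) != len(comps):
        return False
    return all(p == "*" or p == c for p, c in zip(pcomps, comps))


def parse_acl(text: str):
    """Parse 'principal perms [target]' lines; '#' starts a comment.
    Any restrictions field (e.g. -maxlife) after the target is ignored here."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if fields:
            entries.append((fields[0], fields[1], fields[2] if len(fields) > 2 else None))
    return entries


def permitted(entries, admin: str, op: str, target: str) -> bool:
    """True if `admin` may perform `op` (single permission letter: a add, d delete,
    m modify, c change password, i inquire, p set key; '*' or 'x' = all) on `target`.
    The first entry whose principal and (if present) target patterns match decides;
    an uppercase letter in that entry denies the operation."""
    for who, perms, tgt in entries:
        if not _match(who, admin):
            continue
        if tgt is not None and not _match(tgt, target):
            continue
        if op.upper() in perms:
            return False
        return op in perms or "*" in perms or "x" in perms
    return False  # no matching entry: kadmind denies by default


if __name__ == "__main__":
    acl = parse_acl(KADM5_ACL)
    for who, op, tgt in [("helpdesk/jane@EXAMPLE.COM", "c", "alice@EXAMPLE.COM"),
                         ("helpdesk/jane@EXAMPLE.COM", "c", "bob/admin@EXAMPLE.COM")]:
        print(who, op, tgt, "->", "allowed" if permitted(acl, who, op, tgt) else "denied")
```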