KADMIN AND DELEGATED ADMINISTRATION - Kerberos

  1. KADMIN AND DELEGATED ADMINISTRATION

    Hi

    I'm new to Kerberos so forgive the question...this is about the use of
    kadmin access controls and delegated administration.

    The scenario is a helpdesk who can carry out limited administration
    within a Kerberos realm. For example: they can reset the Kerberos
    passwords for regular users rather than, say, system administrators and
    support staff. Possibly they might be allowed to create new principals
    for regular users - as part of a delegated administration system.

    Is there a way of doing this without setting up multiple realms for
    each group of principals (users) that you wish to control
    administrative access for (from the point of view of deleting and
    creating principals and resetting their passwords)? At the moment it
    seems to be an all or nothing approach.

    From what I can find the Kerberos Realm is just a large flat data space
    - through kadmin (and its conf file) all you can do is say a
    particular principal can carry out on the entire realm, and
    that's it. However, I've also read that multiple realms is horrible - a
    nightmare of inter-realm trusts that should be avoided if possible. It
    also just doesn't feel right.

    Any advice gratefully received


  2. Re: KADMIN AND DELEGATED ADMINISTRATION

    Read the man page for kadm5.acl. This file controls access and delegation for
    the Kerberos database. I'm pretty sure it can do most if not all of what you
    want.

    -Michael


    --- hairydamon@hotmail.com wrote:

    > Hi
    >
    > I'm new to Kerberos so forgive the question...this is about the use of
    > kadmin access controls and delegated administration.
    >
    > The scenario is a helpdesk who can carry out limited administration
    > within a Kerberos realm. For example: they can reset the Kerberos
    > passwords for regular users rather than, say, system administrators and
    > support staff. Possibly they might be allowed to create new principals
    > for regular users - as part of a delegated administration system.
    >
    > Is there a way of doing this without setting up multiple realms for
    > each group of principals (users) that you wish to control
    > administrative access for (from the point of view of deleting and
    > creating principals and resetting their passwords)? At the moment it
    > seems to be an all or nothing approach.
    >
    > From what I can find the Kerberos Realm is just a large flat data space
    > - through kadmin (and its conf file) all you can do is say a
    > particular principal can carry out on the entire realm, and
    > that's it. However, I've also read that multiple realms is horrible - a
    > nightmare of inter-realm trusts that should be avoided if possible. It
    > also just doesn't feel right.
    >
    > Any advice gratefully received


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
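
An added illustration of the kadm5.acl approach suggested in the reply; it is not part of the original thread and is a simplified model, not kadmind's own code. It compares an all-or-nothing ACL with a scoped one and evaluates both with first-match semantics. The realm EXAMPLE.COM, the "/helpdesk" instance and the principals bob, alice, carol and sysop are constructed for the example.

```python
# Simplified model of how MIT kadmind picks a kadm5.acl line (added example).
# Assumes fully qualified names, whole-component "*" wildcards, equal
# component counts; *N back-references and restrictions are not modelled.

# Constructed ACLs; realm and the "/helpdesk" instance are hypothetical.
WEAK = "*/helpdesk@EXAMPLE.COM  *\n"
SCOPED = """\
*/admin@EXAMPLE.COM     *
# Order matters: the protected account must precede the wildcard line.
*/helpdesk@EXAMPLE.COM  i    sysop@EXAMPLE.COM
*/helpdesk@EXAMPLE.COM  aci  *@EXAMPLE.COM
*/helpdesk@EXAMPLE.COM  i    */*@EXAMPLE.COM
"""

def parse_perms(spec):
    """Lowercase letters grant, uppercase revoke; '*' and 'x' mean admcilsp."""
    granted = set()
    for ch in spec:
        if ch in "*x":
            granted |= set("admcilsp")
        elif ch.islower():
            granted.add(ch)
        else:
            granted.discard(ch.lower())
    return granted

def matches(pattern, name):
    """Component-wise match; a bare '*' pattern matches any principal."""
    if pattern == "*":
        return True
    p_name, _, p_realm = pattern.partition("@")
    n_name, _, n_realm = name.partition("@")
    p_comp, n_comp = p_name.split("/"), n_name.split("/")
    return (p_realm in ("*", n_realm) and len(p_comp) == len(n_comp)
            and all(p in ("*", n) for p, n in zip(p_comp, n_comp)))

def allowed(acl, actor, op, target):
    """True if the first line matching actor and target grants op."""
    for line in acl.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        tgt = fields[2] if len(fields) > 2 else "*"
        if matches(fields[0], actor) and matches(tgt, target):
            return op in parse_perms(fields[1])  # first match decides
    return False

if __name__ == "__main__":
    hd = "bob/helpdesk@EXAMPLE.COM"
    for t in ("alice@EXAMPLE.COM", "sysop@EXAMPLE.COM", "carol/admin@EXAMPLE.COM"):
        print(t, "weak:", allowed(WEAK, hd, "c", t), "scoped:", allowed(SCOPED, hd, "c", t))
```

Because the first line that matches both actor and target decides the outcome, a narrower line placed after a broader one never takes effect.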

