
Re: user mapping

> Now, I figured I couldn't use something like:
> user@REALM.COM all
> in my kadmind.acl, 

I think it should be possible to give the principal user@REALM.COM these
permissions, even if it normally is not done that way. There might be a
bug hidden here. You may want to test

user/@REALM.COM all

which should be the same thing as user@REALM.COM, but I don't know what
the parser expects when reading kadmind.acl. There should be a logfile
on the KDC that tells you which user was rejected and why.

(principal "user", instance "", realm "REALM.COM")

> but I had to use:
> user/admin@REALM.COM all

When you use kadmin as user in REALM.COM, kadmin automatically assumes
that you want to use kadmin as user/admin@REALM.COM.

> So, I created a second user called user/admin and I can now use kadmin with no 
> problem.

That is the way it is normally done :-)

> Indeed, I need to give some different access for admin to some people in my 
> company, and I would prefer not to use 2 accounts (user1+user1/admin, 
> user2+user2/admin...).

You should be able to configure Kerberos so that the power users can
do everything with their normal logins, but I think this is a less
secure setup because it has the effect that you have the powerful
Kerberos tickets with admin rights lying around all the time. But the
choice is yours.

> I hope it is understandable, English is not my first language.

It is! (No problem, mine neither ;-)

Harald.
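As an added illustration (not code from Harald's reply, the original poster, or any Kerberos implementation), the following Python models the two points made above: that a principal is matched by its components, so `user@REALM.COM` and `user/@REALM.COM` have the same primary, empty instance and realm; and that kadmin run by a plain `user` login acts as `user/admin`, so an ACL line for `user@REALM.COM` never matches. The ACL format (`principal rights [target-pattern]`), the set of right names, wildcard handling and the sample ACL are assumptions of this model; the real kadmind parser may behave differently, which is exactly why the reply points at the KDC log.

```python
"""Model of Heimdal-style kadmind.acl matching (illustrative, not Heimdal code)."""
import fnmatch
from typing import NamedTuple, Optional

# Assumed right names; "cpw" is treated as an alias of change-password.
RIGHTS = {"change-password", "add", "delete", "modify", "get", "get-keys", "list", "all"}
ALIASES = {"cpw": "change-password"}

# Constructed sample ACL, modelled on the lines discussed in the thread.
SAMPLE_ACL = """
# principal                 rights                 [target pattern]
user/admin@REALM.COM        all
helpdesk/admin@REALM.COM    change-password,get    *@REALM.COM
*/admin@REALM.COM           list
"""


class Principal(NamedTuple):
    primary: str
    instance: str
    realm: str


def parse_principal(name: str) -> Principal:
    """Split 'primary[/instance]@REALM'; 'user@R' and 'user/@R' both give instance ''."""
    if "@" not in name:
        raise ValueError(f"principal without realm: {name!r}")
    local, realm = name.rsplit("@", 1)
    primary, _, instance = local.partition("/")
    if not primary or not realm:
        raise ValueError(f"malformed principal: {name!r}")
    return Principal(primary, instance, realm)


def principal_to_str(p: Principal) -> str:
    return f"{p.primary}/{p.instance}@{p.realm}" if p.instance else f"{p.primary}@{p.realm}"


def default_admin_principal(login: str) -> Principal:
    """kadmin run by a login with no instance assumes login/admin@REALM."""
    p = parse_principal(login)
    return p._replace(instance="admin") if p.instance == "" else p


class AclEntry(NamedTuple):
    who: str
    rights: frozenset
    pattern: Optional[str]


def parse_acl(text: str) -> list:
    """Parse 'principal rights[,rights] [target-glob]' lines; '#' starts a comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 'principal rights [pattern]'")
        rights = set()
        for r in fields[1].split(","):
            r = ALIASES.get(r, r)
            if r not in RIGHTS:
                raise ValueError(f"line {lineno}: unknown right {r!r}")
            rights.add(r)
        entries.append(AclEntry(fields[0], frozenset(rights), fields[2] if len(fields) == 3 else None))
    return entries


def _principal_matches(acl_who: str, client: Principal) -> bool:
    """Glob-match component by component, so '*/admin@REALM' covers every admin instance."""
    w = parse_principal(acl_who)
    return (fnmatch.fnmatchcase(client.primary, w.primary)
            and fnmatch.fnmatchcase(client.instance, w.instance)
            and fnmatch.fnmatchcase(client.realm, w.realm))


def allowed(acl: list, client_name: str, right: str, target: Optional[str] = None) -> bool:
    """True if some ACL entry grants `right` to `client_name` (optionally on `target`)."""
    client = parse_principal(client_name)
    right = ALIASES.get(right, right)
    for entry in acl:
        if not _principal_matches(entry.who, client):
            continue
        if right not in entry.rights and "all" not in entry.rights:
            continue
        # An entry with a target pattern only applies when the target matches it.
        if entry.pattern is not None and (target is None or not fnmatch.fnmatchcase(target, entry.pattern)):
            continue
        return True
    return False


def demo() -> dict:
    """Replays the original poster's experiment: ACL for user@ vs user/admin@."""
    only_plain = parse_acl("user@REALM.COM  all\n")
    with_admin = parse_acl("user/admin@REALM.COM  all\n")
    acting_as = principal_to_str(default_admin_principal("user@REALM.COM"))
    return {
        "kadmin_identity": acting_as,                       # user/admin@REALM.COM
        "plain_entry_grants": allowed(only_plain, acting_as, "add"),   # False
        "admin_entry_grants": allowed(with_admin, acting_as, "add"),   # True
    }
```

The `helpdesk/admin` line in the sample shows the alternative to handing out `all`: a second instance that can only change passwords and read entries, which is the least-privilege shape the reply recommends over letting everyday tickets carry admin rights.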