[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
special principals handling
Hello.
Those are not a specific heimdal question, rather generic kerberos
questions, but I'd like some input about how to handle some special user
principals.
First, I'd need to have a test principal, so as to test autentication
via nagios. I think the fact that there is no corresponding posix
account defined in LDAP will prevent it from being used for anything
else (we only use kerberos for securing NFS currently), but I wonder if
there is a way to restrict it as most as possible from kerberos side
additionaly.
Second, our usual policy is to grant admins all authorisations with
their standard accounts (through sudo, or ldap group ACLs, for
instance), so as to avoid keeping trace of shared passwords. It seems
the usual kerberos practice is to create additional principal with a
'admin' instance for admins, but this constitute two different accounts.
Is there any way to automatically sync 'foo@REALM' with
'foo/admin@REALM' for this purpose ? Or is it really a bad practice to
grant all powers to 'foo@REALM' ?
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62