If I got it right, we set up the following administration users in Debian Edu/Squeeze with the password specified for root during the installation:

  root localadmin admin super-admin

Did I miss any? I am aware of the samba admin user (smbadmin), but believe it has a generated random password.

 * The root user is the normal uid=0 user in /etc/passwd.
 * The localadmin is a uid!=0 user in /etc/password with full sudo access, which I believe was created to avoid having to grant root login access in kdm and provide an initial user to use when creating LDAP users.
 * The admin user is in LDAP with privileges to update LDAP objects. This was the original LDAP admin user with lwat. It is invisible in GOsa, but still used by some command line scripts. This user can not be used with Kerberos.
 * The super-admin user is in LDAP and can be used to log into GOsa to administrate LDAP and GOsa. This user can not be used with Kerberos.

I suspect these many administrative users will confuse the local administrator. It will also cause problems when the local administrator wants to change passwords, as the password has to be changed two times on each machine and two times in LDAP, and only the super-admin password can be changed from within GOsa.

I believe we would be better off by reducing the number of administrative users. I propose we drop the localadmin user, and instead set up an LDAP user for the same purpose. I propose we drop the current admin user, and rename the super-admin GOsa user to admin. We should also try to make this user authenticate using Kerberos.

This way we end up with a user with 8 characters or less in the name (avoids problems with top, w and other command line tools), we get a user that can have its password changed in GOsa, and provide a non-root user that can be used for the initial login to create more LDAP users. We also reduce the password change required to one on each machine and one in LDAP. And the admins used with our Lenny version will still be able to use the 'admin' user for the LDAP administration.
In addition, the initial user will have a Kerberos ticket we can use in the future to log into GOsa, Nagios, CUPS, etc and get single sign on for these web services. :)

Did I misunderstand the purpose of some of these users? Anyone see a problem with this new proposal?

I am aware that this will require changes to the documentation, but believe the resulting documentation will be easier to write and easier to understand, as the local administrator only needs to cope with two administrative users. There will be one local (root), and one in LDAP (admin).

-- 
Happy hacking
Petter Reinholdtsen

