Davor Ocelic <[EMAIL PROTECTED]> wrote:
> On Sun, 07 Jan 2007 09:43:35 -0500 [EMAIL PROTECTED] wrote:
>> When I created a user inside of kadmin for Debian-bind, I got the
>> following error. Is this a cause for concern?
>>
>> WARNING: no policy specified for [EMAIL PROTECTED]; defaulting
>> to no policy
>
> No, it's all good.

Kerberos Policies are for setting things like password expiration and complexity requirements on a large number of principals at once. I'd suggest creating policies for normal users, "/admin" users, daemons and host keytabs. Differences being you'd likely want non-expiring keytab and daemon user principals, maybe 10 hour / 7 day renew for normal users, and maybe no renewal on /admin creds.

You should also be sure that you are not putting AES enc_types into host keytabs. That causes problems with compatibility with certain programs / libs. (Stick with des3-hmac-sha1:normal and rc4-hmac:normal for now.) And ideally DES shouldn't be used at all, except for the AFS service principal.

I'd also highly recommend turning on pre-auth to make it harder to grab arbitrary principals and attempt to crack them off-line.

<<CDC
--
Christopher D. Clausen

_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
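
A check for the recommendations in the message above, as an added example that is not part of the original email: it parses `getprinc` output from kadmin and flags principals with no policy, without pre-auth, with AES keys on host/ principals, or with single-DES keys outside afs/. The sample output, realm and principal names are constructed, and the field layout is assumed to match MIT kadmin's.

```python
import re

# Constructed sample of kadmin "getprinc" output (not taken from the thread).
SAMPLE = """\
Principal: host/web1.example.org@EXAMPLE.ORG
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Attributes:
Policy: [none]

Principal: alice@EXAMPLE.ORG
Maximum ticket life: 0 days 10:00:00
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: users

Principal: afs/example.org@EXAMPLE.ORG
Key: vno 2, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: daemons
"""

def parse(text):
    """Split getprinc output into one dict per principal (blank-line separated)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"keys": []}
        for line in block.splitlines():
            field, _, value = line.partition(":")
            if field == "Key":
                # Drop the leading "vno N," and keep the enctype description.
                rec["keys"].append(value.split(",", 1)[1].strip())
            else:
                rec[field.strip()] = value.strip()
        records.append(rec)
    return records

def audit(rec):
    """Return the findings for one principal, following the advice in the email."""
    name, findings = rec["Principal"], []
    if rec.get("Policy", "[none]") == "[none]":
        findings.append("no policy")
    if "REQUIRES_PRE_AUTH" not in rec.get("Attributes", ""):
        findings.append("pre-auth not required")
    for key in (k.lower() for k in rec["keys"]):
        if key.startswith("aes") and name.startswith("host/"):
            findings.append("AES key on host principal")
        if re.match(r"des[ -]cbc", key) and not name.startswith("afs/"):
            findings.append("single-DES key")
    return findings

def report(text):
    return {rec["Principal"]: audit(rec) for rec in parse(text)}
```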
