On Thu, Jan 11, 2007 at 06:23:45PM -0500, Michael Olson wrote:
> This is a partial reply w.r.t. blockers. More to follow later today.
>
> "Adam Chlipala" <[EMAIL PROTECTED]> writes:
>
> > I just want to make sure that we don't have any deadlocks among admins
> > now. I'd like to ask that each person working on admin-y things on the
> > new servers summarize his remaining tasks and any dependencies they have
> > on other tasks, whether these tasks are assigned to the same person or
> > someone else. If someone else is depending on one of your tasks, you
> > might want to consider giving it a higher priority.
>
> I'm waiting on the outcome of Justin's suggestion to use /etc/keytab
> (and the follow-up that I just sent to that) before creating the keys
> for various daemons. This won't block normal daemon
> installation/configuration.
Let's go this route. Create /etc/keytabs/ and put all keytabs we'll use there. Each user or service in its own file. So for each user we will do, within kadmin:

    ktadd -k /etc/keytabs/NAME.keytab NAME

The file will already have mode 600; we will just have to chown it appropriately. Christopher's advice to only export the DES key (by default there are two key types) is good; look up a few emails back for instructions on how to do it. We'll have to do this only for a few daemons and system accounts now, in the beginning.

We will also need to do this for a lot of users on the system, actually for anyone that we will want to su/sudo to (to, say, resolve support tickets). But for those accounts I suggest the existing /etc/krb5.keytab because it's the default location, so we won't have to specify the keytab file every time, and only the root user will use it so permissions won't be a problem.

> --
> Michael Olson -- FSF Associate Member #652 -- http://www.mwolson.org/
> Interests: Lisp, text markup, protocols -- Jabber: mwolson_at_hcoop.net
>  /` |\ | | | Projects: Emacs, Muse, ERC, EMMS, Planner, ErBot, DVC
> |_] | \| |_| Reclaim your digital rights by eliminating DRM.
>              See http://www.defectivebydesign.org/what_is_drm for details.
> _______________________________________________
> HCoop-SysAdmin mailing list
> [email protected]
> http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
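The per-principal keytab layout proposed above, as an added example that is not part of the thread and not HCoop's own tooling: helper functions that derive the /etc/keytabs/NAME.keytab path, build the kadmin ktadd command, and verify that the resulting file is mode 600 and owned by the account that will read it. The `-e des-cbc-crc:normal` keysalt used to restrict the export to a single DES key type is an assumption standing in for the instructions referenced earlier in the thread; `stat -c` assumes GNU coreutils; the `provision_keytab` wrapper needs root and a reachable KDC and is not run here.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Keytab directory as
# proposed in the mail; overridable for testing.
KEYTAB_DIR="${KEYTAB_DIR:-/etc/keytabs}"

# Keysalt list for ktadd -e. ASSUMPTION: the thread only says "export the DES
# key"; this concrete enctype:salt string is a stand-in for those instructions.
DES_KEYSALT="${DES_KEYSALT:-des-cbc-crc:normal}"

# One file per user or service, named after the principal.
keytab_path() {
    printf '%s/%s.keytab\n' "$KEYTAB_DIR" "$1"
}

# The kadmin command from the mail, with the enctype restriction added so that
# only the DES key is written to the file (MIT kadmin: ktadd -k keytab -e keysalts principal).
ktadd_command() {
    printf 'ktadd -k %s -e %s %s\n' "$(keytab_path "$1")" "$DES_KEYSALT" "$1"
}

# Check that a keytab is readable only by its owner (mode 600) and that the
# owner is the account the daemon runs as. Returns 0 on success, 1 otherwise.
# Uses GNU stat -c (assumption: Linux/coreutils).
check_keytab_perms() {
    file="$1"
    owner="$2"
    [ -f "$file" ] || return 1
    mode=$(stat -c '%a' "$file") || return 1
    user=$(stat -c '%U' "$file") || return 1
    [ "$mode" = "600" ] && [ "$user" = "$owner" ]
}

# Full procedure from the mail: create the keytab with kadmin.local under a
# restrictive umask, chown it to the service account, then verify.
# Requires root on the KDC host; not exercised by the test below.
provision_keytab() {
    name="$1"
    owner="$2"
    mkdir -p "$KEYTAB_DIR"
    chmod 755 "$KEYTAB_DIR"
    ( umask 077 && kadmin.local -q "$(ktadd_command "$name")" ) || return 1
    chown "$owner" "$(keytab_path "$name")" || return 1
    check_keytab_perms "$(keytab_path "$name")" "$owner"
}
```

Run `provision_keytab apache www-data` (names are illustrative) on the KDC host once the principal exists; the final check fails loudly if the chown was skipped or the file was created with a permissive umask, which is the situation that would expose the daemon's key to other local users.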
