Hello everybody,

I'd like to delegate permissions regarding principal
maintenance (add/change/delete) in the KDC database, so that
we would have:

- a person managing just principals for hosts and services (hostadm@REALM)
- a different person managing just principals for users (useradm@REALM)

Since kadmin ACL file lets you specify wildcards for targets,
it's cool for hosts and services case, for instance:

hostadm@REALM   *       host/*@REALM

However, at least according to what I've observed from samples,
documentation and application usage, there's no fixed
primary for users' principals. They are just like
username@REALM. Back to the ACL file, the only target (even
with wildcards) that would work for the username@REALM philosophy
would be *@REALM, right? But this target would not
restrict useradm@REALM's actions over host/* principals.

A first solution would be to insert negative permissions (ADMCIL)
for useradm regarding host/* targets, but if you
have telnet/*, ftp/*, pop/* and .../* principals besides
two or more useradms it becomes complicated.

I've thought of adopting some naming style like 
user/username@REALM, for instance user/joe@REALM, 
user/ted@REALM.

I've successfully done tests with kinit and accesses
by means of FTP, telnet and patched ssh (.k5login file mappings).
However I'm cautious concerning that: login.krb5 seems to work
just with username@REALM principals (it expects the username to be the
same as the UNIX userid). I suppose there could be a lot of other
applications that would have problems with the user/username
style (pop, imap, ...).

So I'm asking if someone has or had some experience with
a similar naming style or has knowledge about applications
that assume username@REALM style.


------------------------------------------------------------------------------
Marcio d'Avila Scheibler - Divisao de Suporte ([EMAIL PROTECTED])
Centro de Processamento de Dados - Campus Universitario - CEP 97105-900
Universidade Federal de Santa Maria - RS - Brasil
=============================================================================
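As an added illustration (not part of the post above and not code from any Kerberos distribution), the following Python script models how a kadm5.acl file of the kind discussed is evaluated, so the two options in the post can be compared on constructed input. It assumes MIT-style semantics: entries are scanned in file order and the first entry whose admin principal and target both match decides; `*` or `x` grants every permission and an uppercase letter (the negated form, e.g. `ADMCIL`) denies. Whether a `*` wildcard can span the `/` between components differs between implementations and versions, so the matcher takes a `span` flag to show both readings; the sample ACL text and the `span` parameter are constructed for this example, and the exact wildcard rules of your kadmind should be checked against its own documentation.

```python
from fnmatch import fnmatchcase

# Constructed kadm5.acl text (not from the post) showing both approaches:
# negated entries for service primaries placed ahead of the broad *@REALM
# entry, and a dedicated user/ primary for user principals.
SAMPLE_ACL = """\
# admin_principal   permissions   [target_principal]
hostadm@REALM       *             host/*@REALM
# negated entries must come before the broad entry: the first match decides
useradm@REALM       ADMCIL        host/*@REALM
useradm@REALM       ADMCIL        ftp/*@REALM
useradm@REALM       *             *@REALM
# alternative: a dedicated primary for user principals
useradm2@REALM      *             user/*@REALM
"""


def principal_matches(pattern, principal, span=False):
    """Match a principal against an ACL pattern.

    span=False: '*' matches within a single component only, so '*@REALM'
    matches 'joe@REALM' but not 'host/www@REALM' (component counts differ).
    span=True:  '*' may also cover the '/' separator, so '*@REALM' matches
    every principal of the realm.  (Which reading applies is an assumption
    to verify against the KDC in use.)
    """
    pat_local, _, pat_realm = pattern.rpartition("@")
    local, _, realm = principal.rpartition("@")
    if not fnmatchcase(realm, pat_realm):
        return False
    if span:
        return fnmatchcase(local, pat_local)
    pat_comps, comps = pat_local.split("/"), local.split("/")
    return len(pat_comps) == len(comps) and all(
        fnmatchcase(c, p) for p, c in zip(pat_comps, comps))


def parse_acl(text):
    """Return (admin, perms, target_or_None) tuples in file order;
    a missing target means the entry applies to every target."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        target = fields[2] if len(fields) > 2 else None
        entries.append((fields[0], fields[1], target))
    return entries


def allowed(entries, admin, op, target, span=False):
    """op is one lowercase permission letter: a add, d delete, m modify,
    c change password, i inquire, l list.  The first entry whose admin and
    target both match decides; '*' or 'x' grants all, anything else grants
    only the lowercase letters it lists (uppercase letters are denials)."""
    for ent_admin, perms, ent_target in entries:
        if not principal_matches(ent_admin, admin, span):
            continue
        if ent_target is not None and not principal_matches(ent_target, target, span):
            continue
        return "*" in perms or "x" in perms or op in perms
    return False  # no matching entry at all: denied


def broad_entry_gap(entries, admin="useradm@REALM", target="pop/x@REALM"):
    """Report, for both wildcard readings, whether the broad *@REALM entry
    lets the user administrator touch a service principal that has no
    negated entry of its own (the gap described in the post)."""
    return {span: allowed(entries, admin, "a", target, span) for span in (False, True)}


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for admin, target in [("hostadm@REALM", "host/www@REALM"),
                          ("useradm@REALM", "joe@REALM"),
                          ("useradm@REALM", "host/www@REALM"),
                          ("useradm2@REALM", "user/joe@REALM"),
                          ("useradm2@REALM", "joe@REALM")]:
        print(f"{admin:16} add {target:18} -> {allowed(acl, admin, 'a', target)}")
    print("broad-entry gap for pop/x@REALM by wildcard reading:", broad_entry_gap(acl))
```

Running it shows that the negated `ADMCIL` entries only take effect because they precede the broad `*@REALM` line, and that with a `/`-spanning wildcard every service primary without its own negated line (here `pop/`) is still reachable by useradm, which is exactly the maintenance burden the post describes; the `user/*@REALM` entry needs no negations at all.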
