Hello everybody,
I'd like to delegate permissions regarding principal maintenance (add/change/delete) in the KDC database, so that we would have:

- a person managing just principals for hosts and services (hostadm@REALM)
- a different person managing just principals for users (useradm@REALM)

Since the kadmin ACL file lets you specify wildcards for targets, it's fine for the hosts and services case, for instance:

hostadm@REALM * host/*@REALM

However, at least according to what I've observed from samples, documentation and application usage, there's no fixed primary for users' principals. They are just like username@REALM.

Back to the ACL file, the only target (even with wildcards) that would work for the username@REALM philosophy would be *@REALM, right? But this target would not restrict useradm@REALM's actions over host/* principals.

A first solution would be to insert negative permissions (ADMCIL) for useradm regarding host/* targets, but if you have telnet/*, ftp/*, pop/* and .../* principals besides two or more useradms, it becomes complicated.

I've thought of adopting some naming style like user/username@REALM, for instance user/joe@REALM, user/ted@REALM. I've done successful tests with kinit and access by means of FTP, telnet and patched ssh (.k5login file mappings). However, I'm cautious about that: login.krb5 seems to work just with username@REALM principals (it expects username to be the same as the UNIX userid). I suppose there could be a lot of other applications that would have problems with the user/username style (pop, imap, ...).

So I'm asking if someone has or had some experience with a similar naming style, or has knowledge about applications that assume the username@REALM style.
------------------------------------------------------------------------------
Marcio d'Avila Scheibler - Divisao de Suporte ([EMAIL PROTECTED])
Centro de Processamento de Dados - Campus Universitario - CEP 97105-900
Universidade Federal de Santa Maria - RS - Brasil
=============================================================================
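The two ACL layouts discussed in the post, written out as an added example (this is not the poster's file, and it is not part of the original message). It assumes an MIT-style kadm5.acl, a made-up realm EXAMPLE.COM, and the admin principal names hostadm, useradm and useradm2; the first-match-wins behaviour is stated as I understand MIT's kadm5.acl processing, so check the documentation shipped with your own version before relying on it.

```text
# kadm5.acl (MIT Kerberos format: principal  permissions  [target_principal])
# Assumed realm: EXAMPLE.COM. Entries are consulted top to bottom and, as far
# as I know, the first entry matching both principal and target is used, so
# deny (uppercase) entries must come before the broad allow entry they limit.

# hostadm: full rights, but only over host and service principals.
# One entry per service primary that exists in the database.
hostadm@EXAMPLE.COM    admcil    host/*@EXAMPLE.COM
hostadm@EXAMPLE.COM    admcil    ftp/*@EXAMPLE.COM
hostadm@EXAMPLE.COM    admcil    telnet/*@EXAMPLE.COM
hostadm@EXAMPLE.COM    admcil    pop/*@EXAMPLE.COM

# Variant 1 (user/username naming scheme from the post): a single positive
# entry covers every user principal and can never match host/* or ftp/*.
useradm@EXAMPLE.COM    admcil    user/*@EXAMPLE.COM

# Variant 2 (plain username@REALM scheme, negative entries): every service
# primary must be denied explicitly before the catch-all allow, and the list
# has to be repeated for each additional user administrator.
useradm2@EXAMPLE.COM   ADMCIL    host/*@EXAMPLE.COM
useradm2@EXAMPLE.COM   ADMCIL    ftp/*@EXAMPLE.COM
useradm2@EXAMPLE.COM   ADMCIL    telnet/*@EXAMPLE.COM
useradm2@EXAMPLE.COM   ADMCIL    pop/*@EXAMPLE.COM
useradm2@EXAMPLE.COM   admcil    *@EXAMPLE.COM
```

After editing the file, restart kadmind and verify the boundary from both sides: as useradm, `kadmin -p useradm@EXAMPLE.COM -q "addprinc user/test@EXAMPLE.COM"` should succeed while `addprinc host/test.example.com@EXAMPLE.COM` should be refused, and the reverse should hold for hostadm. The check matters because a missing deny line in Variant 2 (for example, a service primary added later such as imap/*) silently widens useradm2's rights, which is exactly the maintenance problem the post describes.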
