On Fri, 2004-10-22 at 00:01 +0000, Rachel Elizabeth Dillon wrote:
> There are a couple of things that I have seen as common across multiple
> realms; username/admin principals tend to be principals with full
> administrative rights in kadmin, and username/root principals tend to
> be principals with additional privileges you want the user to have to
> remember to turn on specifically. I personally find that any other
> instances tend to be mostly confusing, as the average user does not
> want to have to deal with instances, but I am sure different people
> have different opinions of "not ugly." If you do want to do this,
> you probably want to look at the man page for kadmind, specifically the
> ACL FILE SYNTAX section, in order to determine how to give your users
> the permissions you want them to have. It looks like a line like this:
>
> username/[EMAIL PROTECTED] x username/[EMAIL PROTECTED]
Is there no way to just add one single general rule to cover all users,
analogous to filename matching in Makefiles? That is, something like this:

%/[EMAIL PROTECTED] x %/[EMAIL PROTECTED]

Where, as in make, `%' would have to match the same thing in both places?
It's not that it would be a problem to add every user manually, but I
guess it would be better if I didn't have yet another step to take when I
want to add a user.

> will give users full permissions on any principals with their username,
> but I recommend not just using this line for a couple of reasons:
> [snip]
> * If you want to manage things like password expiry, users can circumvent
> you at the KDC level.

Is there no way to force a certain policy onto principals?

> I personally think this is a bad idea, but not knowing anything about
> your situation, that judgment seems arbitrary. "What are you really
> trying to do?" :)

It's mainly that I want users to be able to create principals for
automatic usage, like username/cron or username/gdm-autologin or the like
(you know, create a principal with -randkey and store it in a keytab for
programs that need to setuid without a password). I'm going to be
switching to NFSv4 in a while, and it would be a pity if people couldn't
have cron jobs anymore just because they wouldn't have access to their
own home directories...

It's really just a home network, not a production site or anything, but
we use Kerberos extensively for SSO and I really just want to solve all
the problems I come across canonically, or I'd think badly of myself. :-)
For example, my sisters like to have gdm log them in automatically (so
that they don't have to type their passwords), and thus I need some extra
principals to do that job. Likewise with cron.

Thanks for replying!

Fredrik Tolf
________________________________________________
Kerberos mailing list
[EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
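The wildcard rule Fredrik is asking for, as an added example that is not code from this thread and not MIT's kadmind implementation: a small Python model of how kadm5.acl entries are matched, following the kadm5.acl(5) documentation of current MIT krb5, where `*` in the principal field matches one whole component and `*N` in the target field refers back to the N-th wildcard matched in the principal field (so `*/admin@REALM x *1/*@REALM` plays the role of his `%/admin x %/*`). The realm HOME.EXAMPLE, the principal names and the `-policy user` restriction are constructed for the example; first-match-wins and the exact expansion of `x` are assumptions of this toy. Whether the kadmind version actually in use understands `*N` and which restriction options it accepts is exactly what the ACL FILE SYNTAX section of its own man page answers, so check there before relying on either.

```python
"""Toy model of MIT Kerberos kadm5.acl matching (added example, not code
from the thread or from MIT).

Line format assumed from kadm5.acl(5):
    principal  permissions  [target_principal]  [restrictions ...]
'*' matches one whole principal component (or the realm); in the target
field '*N' refers back to the N-th wildcard matched in the principal
field.  First-match-wins and the permission letter set are assumptions
of this toy; confirm them against the man page on your own KDC.
"""
from dataclasses import dataclass, field
from typing import Optional

# Expansion of the "all privileges" shorthands (x and *); the letter set
# is taken from current MIT docs and may differ on older kadmind builds.
ALL_PERMS = "admcilsep"


@dataclass
class AclEntry:
    principal: str                # pattern for the requesting principal
    perms: str                    # permission letters, or x / *
    target: Optional[str] = None  # pattern for the principal acted on
    restrictions: list = field(default_factory=list)


def parse_acl(text: str) -> list:
    """Parse kadm5.acl text; '#' starts a comment, blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed ACL line: {raw!r}")
        principal, perms, rest = fields[0], fields[1], fields[2:]
        target = None
        # A third field that is not a +/- option is the target principal.
        if rest and rest[0][0] not in "+-":
            target, rest = rest[0], rest[1:]
        entries.append(AclEntry(principal, perms, target, rest))
    return entries


def components(principal: str) -> list:
    """'user/inst@REALM' -> ['user', 'inst', 'REALM']; realm '' if absent."""
    name, _, realm = principal.partition("@")
    return name.split("/") + [realm]


def match_pattern(pattern: str, principal: str, captures: list) -> bool:
    """Match a requester pattern; on success append each '*' match to captures."""
    pat, got = components(pattern), components(principal)
    if len(pat) != len(got):
        return False
    found = []
    for p, g in zip(pat, got):
        if p == "*":
            found.append(g)
        elif p != g:
            return False
    captures.extend(found)
    return True


def match_target(pattern: str, target: str, captures: list) -> bool:
    """Match a target pattern, resolving '*N' against the requester's captures."""
    pat, got = components(pattern), components(target)
    if len(pat) != len(got):
        return False
    for p, g in zip(pat, got):
        if p == "*":
            continue                      # bare '*' in the target: anything
        if len(p) == 2 and p[0] == "*" and p[1].isdigit():
            n = int(p[1])                 # '*1'..'*9': back-reference
            if not 1 <= n <= len(captures) or captures[n - 1] != g:
                return False
        elif p != g:
            return False
    return True


def check(entries: list, requester: str, op: str, target: Optional[str] = None):
    """Return (allowed, restrictions) for `requester` doing `op` on `target`.

    The first entry whose principal and target patterns both match decides;
    later entries are not consulted even if they would grant the operation.
    """
    for e in entries:
        captures = []
        if not match_pattern(e.principal, requester, captures):
            continue
        if e.target is not None:
            if target is None or not match_target(e.target, target, captures):
                continue
        perms = ALL_PERMS if e.perms in ("x", "*") else e.perms
        return op in perms, list(e.restrictions)
    return False, []


# Constructed sample ACL for a made-up realm HOME.EXAMPLE.
SAMPLE_ACL = """
# the real administrator: anything, anywhere
kadmin/admin@HOME.EXAMPLE   *
# user/admin may do anything to principals whose first component is that
# user, but everything it adds or modifies is forced onto policy 'user'
*/admin@HOME.EXAMPLE        x   *1/*@HOME.EXAMPLE   -policy user
# any instance of a user may inquire about the user's base principal
*/*@HOME.EXAMPLE            i   *1@HOME.EXAMPLE
"""

ACL = parse_acl(SAMPLE_ACL)

if __name__ == "__main__":
    for who, op, tgt in [
        ("fredrik/admin@HOME.EXAMPLE", "a", "fredrik/cron@HOME.EXAMPLE"),
        ("fredrik/admin@HOME.EXAMPLE", "a", "sister/gdm-autologin@HOME.EXAMPLE"),
        ("fredrik/cron@HOME.EXAMPLE", "i", "fredrik@HOME.EXAMPLE"),
        ("fredrik/cron@HOME.EXAMPLE", "m", "fredrik@HOME.EXAMPLE"),
        ("fredrik@HOME.EXAMPLE", "a", "fredrik/cron@HOME.EXAMPLE"),
    ]:
        print(f"{who} {op} {tgt} -> {check(ACL, who, op, tgt)}")
```

Two things the run makes visible that the ACL line alone does not: the second entry lets fredrik/admin create fredrik/cron but not sister/gdm-autologin, because `*1` is bound to whatever the first `*` matched in the requester; and an entry whose principal and target both match is final, so fredrik/cron asking for `m` on fredrik@HOME.EXAMPLE is refused by the third line rather than falling through. The trailing restriction field is the documented way to answer the "force a certain policy" question: kadmind applies options such as `-policy`, `-pwexpire` or `-maxlife` to every add or modify that goes through that entry; this toy only reports them, it does not enforce them.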
