On 12/30/2009 5:05 AM, Holger Rauch wrote:
> Hi,
>
> I came across these two links
>
> http://www.mail-archive.com/[email protected]/msg11446.html
> http://www.faqs.org/faqs/kerberos-faq/general/section-61.html
>
> According to that mail, I would need to set up both an additional
> Kerberos principal and PTS entry for each "regular" user that wants to
> run a cron job.

The benefit of providing interactive users with separate batch principals u...@realm and user/ba...@realm or user/batch/h...@realm along with associated PTS IDs is that it becomes possible to reduce risk and improve usage policy auditing. The batch jobs do not need to be able to access everything the user is capable of. For example, a batch job should not be able to perform an interactive logon and a batch job probably doesn't have any reason to be accessing the user's home directories, e-mails, etc. By setting up batch principals it is possible for the user to initiate long-term tasks that are restricted to certain data sets or perhaps to certain machines.

Jeffrey Altman
