On Mon, Jun 09, 2008 at 10:38:53AM +0100, Darren J Moffat wrote:
> Joep Vesseur wrote:
>>> a) Did PSARC/2007/700 integrate somewhere?
>>
>> No, not yet; I've been stuck in the changes needed for the graphical
>> installer. Need to pick up the pieces again.
>>
>>> b) If so, why didn't the manpage change integrate?
>>> c) Is having passwordless roles any less stupid than passwordless users?
>>
>> I'd say it is because with passwordless roles you have at least the
>> attribution to which user assumed a role. With passwordless users
>> you'd have no way of knowing who logged into your system.
>
> The reason Solaris expects roles, just like users, to have passwords is
> because of the need for a password to use AUTH_DH creds for NIS+ and NFS
> shared with sec=dh.
>
> If you don't need to use AUTH_DH then you may not need roles to have
> passwords. On the other hand you may wish roles to be Kerberos principals,
> in which case you would likely need a password for them (or some way of
> maintaining and using a keytab for them).
>
> If you need none of the security provided by AUTH_DH or Kerberos then you
> may not need to use passwords with roles.
It's good to hear that this is reasonable usage; I mentioned it to some (non-Solaris-using) colleagues and they were rather disconcerted, but I assumed they just didn't really understand what roles were :)

In my current situation I don't need any of the stuff above, but SXCE doesn't allow passwordless roles. I'm not sure why, if the quoted ARC case didn't integrate; it just seems that the OpenSolaris code base has never supported this (although, as noted, it does work in Solaris 10).

Ceri

--
That must be wonderful! I don't understand it at all.
-- Moliere