> Rainer,
> Consider that you do not want to obfuscate keeping track of users modifying
> the KDC database through generic service accounts like admin/admin. As the
> later discussion in this thread positions, using the kadm5.acl file to name
> users (they don't have to be named with a */admin convention, if you need
> specific users to have access with their normal account... but you might
> want to consider doing it anyway, so they have to actually enable their
> admin access before attempting to modify the KDC).
> The kadm5.acl file also supports defining user limits on who and what can
> be modified...
>> Hello,
>> I would like to achieve the following. A particular user say "john" logs
>> in at a linux system or authenticates in apache against kerberos.
>> Now I would like to allow this user "john" to run kadmin commands
>> without entering any additional password.
>> I first thought that kadmin is like a service and exported the principal
>> admin/admin to a keytab file which I copied to a remote system. On this
>> system I was then able to call
>> $ kadmin -k -t /etc/krb5.keytab -p admin/admin
>> Authenticating as principal admin/admin with keytab /etc/krb5.keytab.
>> kadmin: getprincs
>> ...
>> However this does not work the way I expected. Now I can even destroy
>> the user ticket of john with kdestroy -c /tmp/krb5cc_1234 that john got
>> when logging into the system and kadmin still works.
>> What I wanted is that kadmin only works when a particular user has
>> logged in and has authenticated against kerberos. Now any user that
>> could log in to the system would be able to run kadmin if he has access
>> to the keytab file.
>> So after all what I want is kerberos based single sign on for kadmin
>> usage.
>> Any idea how to configure this?
>> Thanks
>> Rainer
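
The kadm5.acl points in the reply above (naming individual principals instead of a shared admin/admin, and limiting who may touch what), as an added example that is not part of the thread: a small Python evaluator for the kadm5.acl format that answers "may this client perform this operation on this target, and which entry decided?". The realm EXAMPLE.COM, the sample ACL, and the matching rules it models (a `*` matches one whole component, `*N` in the target back-references the N-th wildcard of the client field, an uppercase letter is an explicit deny, the first entry whose client and target both match wins) are assumptions simplified from MIT krb5 behaviour; this is not code from MIT krb5 or from either poster. Restriction tokens such as `-maxlife 9h` are returned with the decision but not enforced.

```python
"""Evaluate a kadm5.acl file: may <client> perform <op> on <target>?

Added example (not from the thread or from MIT krb5). Assumed, simplified rules:
  entry:  principal  permissions  [target  [restrictions ...]];  '#' comments
  '*' in a principal field matches exactly one whole component (or the realm);
  a target of '*' (or no target field) matches any principal
  '*N' in the target back-references the N-th '*' of the client field
  letters a d m c i l p s e; 'x' or '*' = admcilsp; UPPERCASE = explicit deny
  first entry whose client and target both match decides; no entry: deny
"""
import re
from dataclasses import dataclass, field

ALL_PERMS = frozenset("admcilps")   # what 'x' / '*' expand to


@dataclass
class AclEntry:
    client: str
    perms: str
    target: object = None            # None: the entry has no target field
    restrictions: list = field(default_factory=list)
    lineno: int = 0


def split_princ(name):
    """'host/foo@EXAMPLE.COM' -> (['host', 'foo'], 'EXAMPLE.COM')."""
    if "@" not in name:
        raise ValueError(f"principal without realm: {name!r}")  # realm required here
    local, realm = name.rsplit("@", 1)
    return local.split("/"), realm


def parse_acl(text):
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) < 2:
            raise ValueError(f"kadm5.acl line {n}: need principal and permissions")
        entries.append(AclEntry(f[0], f[1], f[2] if len(f) > 2 else None, f[3:], n))
    return entries


def match_client(pattern, princ):
    """Return the components captured by each '*' (in order), or None if no match."""
    pc, pr = split_princ(pattern)
    cc, cr = split_princ(princ)
    if len(pc) != len(cc) or pr not in ("*", cr):
        return None
    captured = []
    for p, c in zip(pc, cc):
        if p == "*":
            captured.append(c)
        elif p != c:
            return None
    return captured


def match_target(pattern, princ, captured):
    if pattern is None or pattern == "*":
        return True
    pc, pr = split_princ(pattern)
    cc, cr = split_princ(princ)
    if len(pc) != len(cc) or pr not in ("*", cr):
        return False
    for p, c in zip(pc, cc):
        backref = re.fullmatch(r"\*(\d+)", p)
        if backref:                  # *N must equal the N-th wildcard captured from the client
            i = int(backref.group(1)) - 1
            if i >= len(captured) or captured[i] != c:
                return False
        elif p != "*" and p != c:
            return False
    return True


def granted_perms(perms):
    out = set()
    for ch in perms:
        if ch in "x*":
            out |= ALL_PERMS
        elif ch.islower():
            out.add(ch)              # uppercase letters grant nothing (explicit deny)
    return out


def check(entries, client, op, target=None):
    """Return (allowed, deciding_lineno, restrictions); lineno 0 if no entry matched.
    An op without a target (e.g. 'l') only matches entries whose target is absent or '*'."""
    for e in entries:
        captured = match_client(e.client, client)
        if captured is None:
            continue
        if target is None:
            if e.target not in (None, "*"):
                continue
        elif not match_target(e.target, target, captured):
            continue
        return op in granted_perms(e.perms), e.lineno, list(e.restrictions)
    return False, 0, []


SAMPLE_ACL = """\
# Constructed kadm5.acl for the EXAMPLE.COM realm (not from the thread)
*/admin@EXAMPLE.COM    *                                  # 2: any */admin instance: everything
*/root@EXAMPLE.COM     ci   *1@EXAMPLE.COM                # 3: host/root may change host's own key
*/root@EXAMPLE.COM     l    *                             # 4: ...and list the database
john@EXAMPLE.COM       il   *                             # 5: john's everyday principal: read-only
helpdesk@EXAMPLE.COM   C    */admin@EXAMPLE.COM           # 6: helpdesk may NOT reset admin keys
helpdesk@EXAMPLE.COM   c    *@EXAMPLE.COM                 # 7: ...but may reset ordinary users
sms@EXAMPLE.COM        am   *@EXAMPLE.COM  -maxlife 9h    # 8: add/modify, with a restriction
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for who, op, tgt in [("john@EXAMPLE.COM", "m", "host/foo@EXAMPLE.COM"),
                         ("john/admin@EXAMPLE.COM", "m", "host/foo@EXAMPLE.COM"),
                         ("helpdesk@EXAMPLE.COM", "c", "admin/admin@EXAMPLE.COM")]:
        print(who, op, tgt, "->", check(acl, who, op, tgt))
```

Run it directly to see the three decisions printed; the contrast between `john@EXAMPLE.COM` (read-only under line 5) and `john/admin@EXAMPLE.COM` (everything under line 2) is the "enable their admin access first" pattern from the reply, and the deciding line number is what you would want logged when auditing who changed the KDC database.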
