tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Going LDAP #2

Erik Berls wrote:
> On Wed, Jun 18, 2008 at 11:54 AM, Anders Magnusson 
> <> wrote:
>> Thor Lancelot Simon wrote:
>>> On Mon, May 26, 2008 at 08:01:54PM +0200, Anders Magnusson wrote:
>>>>         xxinit -c (client)
>>>>                 - Asks about the master machine and root password for it.
>>>>                   This will get the configuration for the domain out
>>>>                   of ldap and fetch a machine key.
>>> What is the "it" here?  If "it" means the master machine, so the LDAP
>>> server and KDC's root password would have to be entered into each client
>>> when that client is initialized, I really, *really* don't like this.
>> This should be read "principal that can extract a host keytab" for the
>> client.
>> Which may or may not be root, depending of how the system is configured.
> Can we make it really, really difficult to be root?  This seems like a
> pretty easy default to set as non-root (and document as such).  Am I
> missing something?
No, but I think that whether or not to use the root account to fetch
machine keys etc. should be left as a decision by the administrator.

> Ideally, I'd like it to be an account that only has the permission to
> do what is necessary for the final step of setting up clients:  the
> situation would be a helpdesk setting up client machines for a
> specific user.  It doesn't seem too onerous to make this default?
That is the correct way if you have a larger organization, but for the
normal situation with at most 10 clients it may be overkill.  But, as
always, it should be up to the system admin :-)

-- Ragge

> -=erik.
>> -- Ragge

Home | Main Index | Thread Index | Old Index