On 08/13/2009 01:01 PM, Paul Company wrote:
That's because it doesn't exist in user.conf :)

It is in user.conf, you're reading the wrong example.
Read the first thread in the post.
There's two examples (one that works, one that does not).
[email protected] is in the second example.
You referenced the first example.


Ok.
Hence you have to edit the Apache file to reject users not in your ok list as 
well.

I'm confused again.
Why would I do that?
I want all valid Kerberos users to succeed logging in.

Then you would not do that in your own personal case.

An example: if you are using the (for example) @redhat.com kerberos and you only want people in a department to access the server. Authn_passthru will admit anyone cleared by Apache, regardless of how Apache is configured.

For instance, if you were using authz_allowall you almost certainly would want to do this, and in most cases you'd also want to do this with authz_ownership, because you didn't want the universe to create objects. This is a site-specific security decision.

Anyway, users.conf is for mapping users to groups for ownership flagging purposes. That is basically it.

Ownership works on an object by object basis.


I want those who aren't in users.conf to have access to Systems, but that's it.
I want those who *are* in users.conf (specifically the admins group) to
have full access.

Can that be done?


Yes.

From authz_ownership.py:

# everybody can get read-only access to everything
# if they pass authorization, they don't have to be in users.conf



On Thu, Aug 13, 2009 at 9:31 AM, Michael DeHaan <[email protected]> wrote:
On 08/13/2009 12:23 PM, Paul Company wrote:

Guessing -- I believe your username in the bottom example is
[email protected],
if that's what you logged in with, not pcompany.

Was that it?


No, I can login as pcompany or [email protected] and neither works!

It has something to do with the httpd stanza.
If you diff the stanzas,

This works:
  AuthType Basic
  AuthName Cobbler

This does not:
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbServiceName HTTP
  Krb5Keytab /etc/httpd/conf.d/HTTP.keytab
  KrbAuthRealms EXAMPLE.COM

I'm assuming the authz_ownership module receives the username from
somewhere and checks it against the user.conf file.
What passes the username to the authz_ownership module?


The username is the username you give to the login prompt.

And how do I debug that?
It's acting like [email protected] does not exist in user.conf.


That's because it doesn't exist in user.conf :)

# vi /etc/cobbler/users.conf
[admins]
admin = ""
cobbler = ""
pcompany = ""
:wq!

You will be able to login through anything Kerberos allows, though what you
are able to do is governed by users.conf.

Hence you have to edit the Apache file to reject users not in your ok list
as well.

--Michael
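The split the thread describes (Apache/Kerberos decides who gets in, users.conf only maps users to groups) is easy to get wrong when the authenticated name carries a realm. The following is an added illustration, not Cobbler's own authz_ownership code: it loads a users.conf in the format shown above (the file contents, the "ops" group and the "pcompany@EXAMPLE.COM" principal are constructed for the example) and shows why a Kerberos principal that is spelled differently from the users.conf entry falls through to read-only.

```python
import configparser

# Constructed users.conf in the layout from the thread: one section per group,
# one "user = """ line per member. The "ops" group is made up for this example.
USERS_CONF = """
[admins]
admin = ""
cobbler = ""
pcompany = ""

[ops]
alice = ""
"""


def load_groups(text):
    """Return {username: set(groups)} from users.conf-style INI text."""
    cp = configparser.ConfigParser(allow_no_value=True)
    cp.optionxform = str  # keep the username exactly as written; no lowercasing
    cp.read_string(text)
    membership = {}
    for group in cp.sections():
        for user in cp[group]:
            membership.setdefault(user, set()).add(group)
    return membership


def access_level(username, membership):
    """Decide what an already-authenticated user may do.

    Mirrors the rule quoted from authz_ownership.py: anyone Apache let through
    gets read-only access without being in users.conf; users listed in some
    group get ownership-based write access; members of 'admins' get everything.
    The lookup is an exact string match on whatever name Apache passed along.
    """
    groups = membership.get(username, set())
    if "admins" in groups:
        return "full"
    if groups:
        return "owner-write"
    return "read-only"


if __name__ == "__main__":
    members = load_groups(USERS_CONF)
    # "pcompany" matches the admins entry; the Kerberos-style principal
    # "pcompany@EXAMPLE.COM" does not, so it only gets read-only access.
    for name in ("pcompany", "pcompany@EXAMPLE.COM", "alice", "nobody"):
        print(name, "->", access_level(name, members))
```

If the realm-qualified principal is what Apache hands over, the users.conf entry has to be spelled the same way, or the realm restriction has to be enforced on the Apache side as the thread suggests.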






_______________________________________________
cobbler mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/cobbler