Hi, I'm new to Kerberos so forgive the question... this is about the use of kadmin access controls and delegated administration.

The scenario is a helpdesk who can carry out limited administration within a Kerberos realm. For example: they can reset the Kerberos passwords for regular users rather than, say, system administrators and support staff. Possibly they might be allowed to create new principals for regular users - as part of a delegated administration system.

Is there a way of doing this without setting up multiple realms for each group of principals (users) that you wish to control administrative access for (from the point of view of deleting and creating principals and resetting their passwords)?

At the moment it seems to be an all or nothing approach. From what I can find the Kerberos realm is just a large flat data space - through kadmin (and its conf file) all you can do is say a particular principal can carry out <action> on the entire realm, and that's it.

However, I've also read that multiple realms is horrible - a nightmare of inter-realm trusts that should be avoided if possible. It also just doesn't feel right.

Any advice gratefully received.
