Read the man page for kadm5.acl. This file controls access and delegation for the kerberos database. I'm pretty sure it can do most if not all of what you want.
-Michael

--- [EMAIL PROTECTED] wrote:

> Hi
>
> I'm new to Kerberos so forgive the question...this is about the use of
> kadmin access controls and delegated administration.
>
> The scenario is a helpdesk who can carry out limited administration
> within a kerberos Realm. For example: they can reset the kerberos
> passwords for regular users rather than, say, system administrators and
> support staff. Possibly they might be allowed to create new principals
> for regular users - as part of a delegated administration system.
>
> Is there a way of doing this without setting up multiple realms for
> each group of principals (users) that you wish to control
> administrative access for (from the point of view of deleting and
> creating principals and resetting their passwords). At the moment it
> seems to be an all or nothing approach.
>
> From what I can find the Kerberos Realm is just a large flat data space
> - through kadmin (and its conf file) all you can do is say a
> particular principal can carry out <action> on the entire realm, and
> that's it. However, I've also read that multiple realms is horrible - a
> nightmare of inter-realm trusts that should be avoided if possible. It
> also just doesn't feel right.
>
> Any advice gratefully received
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
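As an added illustration of what Michael is pointing at (a constructed example, not from his reply or from the MIT documentation), here is a kadm5.acl fragment for the helpdesk scenario in the quoted question. The realm EXAMPLE.COM, the helpdesk/* instance naming and the users password policy are assumptions; each line has the form `principal permissions [target_principal [restrictions]]`, lower-case permission letters grant an operation and upper-case letters withhold it:

```text
# kadm5.acl (constructed example). kadmind applies the first line whose
# principal AND target both match, so restrictive entries go above the
# broad grant. Verify ordering semantics against the kadm5.acl man page
# shipped with your KDC.

# Full administrators: every permission on every principal.
*/admin@EXAMPLE.COM      *

# Helpdesk staff are explicitly denied add/delete/modify/changepw/
# inquire/list on admin-instance principals (upper-case = disallow).
helpdesk/*@EXAMPLE.COM   ADMCIL   */admin@EXAMPLE.COM

# Helpdesk staff may add (a), change the password of (c), inquire
# about (i) and list (l) ordinary single-component principals such as
# alice@EXAMPLE.COM. The wildcard matches one component only, so
# alice/admin and host/kdc are not covered by this line at all.
# The restrictions field applies to add/modify operations: any
# principal they create gets the "users" policy and a 1-day max life,
# regardless of what they pass to addprinc.
helpdesk/*@EXAMPLE.COM   acil     *@EXAMPLE.COM   -policy users -maxlife 1d
```

kadmind reads this file at startup, so restart it after editing. A quick check from the helpdesk side is `kadmin -p helpdesk/jane@EXAMPLE.COM`, where `cpw alice` should succeed, `cpw alice/admin` should be refused, and `delprinc alice` should be refused because `d` was never granted. Note that the ACL only controls the kadmin protocol; it does not partition the database, so this is delegation within one realm rather than a substitute for separate realms.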
