Brian Candler <b.cand...@pobox.com> writes:

> (1) create separate principals for each user who should have root access,
> e.g.
> candl...@foo.example.com
> candlerb/ad...@foo.example.com
> Then map */admin to the root account using auth_to_local, and people
> can use ksu to switch.

We do this, except we use .k5login with a specific list of principals that should have access to root. I wouldn't use auth_to_local for...

> (I'm not sure I like the idea of burying "/admin" inside a principal's name;
> that seems to be mixing authentication and authorization. And that would
> apply a single authorization policy across all systems)

...exactly that reason.

-- 
Russ Allbery (r...@stanford.edu) <http://www.eyrie.org/~eagle/>
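
The two approaches discussed in this message, side by side, as an added illustration that is not from either poster. The principals alice/admin and bob/admin and the realm FOO.EXAMPLE.COM are constructed; the `#` lines are annotations for the reader, and a real .k5login holds only principal names, one per line.

```ini
# ---- Approach A: /root/.k5login on one host (explicit per-host list) ----
# Only the principals listed here may become root on this host.
alice/admin@FOO.EXAMPLE.COM
bob/admin@FOO.EXAMPLE.COM

# ---- Approach B: krb5.conf, mapping by name pattern ----
[realms]
    FOO.EXAMPLE.COM = {
        # Any two-component principal whose second component is "admin"
        # is translated to the local account root.
        auth_to_local = RULE:[2:$2](^admin$)s/^.*$/root/
        auth_to_local = DEFAULT
    }
```

With A, root access is decided by the list kept on each host, so different hosts can authorize different people. With B, authorization follows from the principal's name, so every host that carries the rule and has no .k5login for root applies the same policy.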