tech-userlevel archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Going LDAP #2
On Wed, Jun 18, 2008 at 11:54 AM, Anders Magnusson
<ragge%ludd.ltu.se@localhost> wrote:
> Thor Lancelot Simon wrote:
>> On Mon, May 26, 2008 at 08:01:54PM +0200, Anders Magnusson wrote:
>>
>>> xxinit -c (client)
>>> - Asks about the master machine and root password for it.
>>> This will get the configuration for the domain out
>>> of ldap and fetch a machine key.
>>>
>>
>> What is the "it" here? If "it" means the master machine, so the LDAP
>> server and KDC's root password would have to be entered into each client
>> when that client is initialized, I really, *really* don't like this.
>>
> This should be read "principal that can extract a host keytab" for the
> client.
> Which may or may not be root, depending of how the system is configured.
Can we make it really, really difficult to be root? This seems like a
pretty easy default to set as non-root (and document as such). Am I
missing something?
Ideally, I'd like it to be an account that only has the permission to
do what is necessary for the final step of setting up clients: the
situation would be a helpdesk setting up client machines for a
specific user. It doesn't seem too onerous to make this default?
-=erik.
>
> -- Ragge
>
--
"Too bad $VOLUNTEERS don't get their act together and provide
$SOLUTION_TO_VERY_DIFFICULT_PROBLEM in a decent fashion" -- from IRC,
#netbsd, EFNet
Home |
Main Index |
Thread Index |
Old Index