tech-userlevel archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Going LDAP #2
Erik Berls wrote:
> On Wed, Jun 18, 2008 at 11:54 AM, Anders Magnusson
> <ragge%ludd.ltu.se@localhost> wrote:
>> Thor Lancelot Simon wrote:
>>> On Mon, May 26, 2008 at 08:01:54PM +0200, Anders Magnusson wrote:
>>>
>>>> xxinit -c (client)
>>>> - Asks about the master machine and root password for it.
>>>> This will get the configuration for the domain out
>>>> of ldap and fetch a machine key.
>>>>
>>> What is the "it" here? If "it" means the master machine, so the LDAP
>>> server and KDC's root password would have to be entered into each client
>>> when that client is initialized, I really, *really* don't like this.
>>>
>> This should be read "principal that can extract a host keytab" for the
>> client.
>> Which may or may not be root, depending of how the system is configured.
>
> Can we make it really, really difficult to be root? This seems like a
> pretty easy default to set as non-root (and document as such). Am I
> missing something?
>
No, but I think that whether or not to use the root account to fetch
machine keys etc. should be left as a decision by the administrator.
> Ideally, I'd like it to be an account that only has the permission to
> do what is necessary for the final step of setting up clients: the
> situation would be a helpdesk setting up client machines for a
> specific user. It doesn't seem too onerous to make this default?
>
That is the correct way if you have a larger organization, but for the
normal situation with at most 10 clients it may be overkill. But, as
always, it should be up to the system admin :-)
-- Ragge
> -=erik.
>
>> -- Ragge
>>
>
>
>
Home |
Main Index |
Thread Index |
Old Index