tech-userlevel archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: Going LDAP #2
On Sat, Jun 28, 2008 at 09:53:13PM +0200, Anders Magnusson wrote:
> Erik Berls wrote:
> > On Wed, Jun 18, 2008 at 11:54 AM, Anders Magnusson
> > <ragge%ludd.ltu.se@localhost> wrote:
> >> Thor Lancelot Simon wrote:
> >>> On Mon, May 26, 2008 at 08:01:54PM +0200, Anders Magnusson wrote:
> >>>
> >>>> xxinit -c (client)
> >>>> - Asks about the master machine and root password for it.
> >>>> This will get the configuration for the domain out
> >>>> of ldap and fetch a machine key.
> >>>>
> >>> What is the "it" here? If "it" means the master machine, so the LDAP
> >>> server and KDC's root password would have to be entered into each client
> >>> when that client is initialized, I really, *really* don't like this.
> >>>
> >> This should be read "principal that can extract a host keytab" for the
> >> client.
> >> Which may or may not be root, depending of how the system is configured.
> >
> > Can we make it really, really difficult to be root? This seems like a
> > pretty easy default to set as non-root (and document as such). Am I
> > missing something?
> >
> No, but I think that whether or not to use the root account to fetch
> machine keys etc. should be left as a decision by the administrator.
I think that this is all quite architecturally wrong. It should not be
done by pull -- much less by pull *as root* from the KDC -- it should be
done by push.
Thor
Home |
Main Index |
Thread Index |
Old Index