[Freeipa-devel] which accounts to use in IPA

John Dennis jdennis at redhat.com
Wed Nov 7 13:38:32 UTC 2007


David O'Brien wrote:
> When you run the freeipa-server-install, it creates/configures three
> accounts (possibly not the correct term for all); Directory Manager,
> Kerberos, and IPA admin.
> 
> To run the web interface as Administrator and create users, etc., you
> get a Kerberos ticket (kinit admin) and point to the IPA server. That's
> fine...
> 
> On the command line, who should I be logged in as to run ipa-*? Should I
> be doing all this as root? Seems like a bad idea. I can't log in as
> admin because it's not a "real" account (not an account on the box, only
> in IPA). Should I be adding /usr/sbin to the path of a regular user, or
> maybe creating a special user account for this?

The command line tools also require you to acquire an admin ticket via 
kinit just as you did above. There are no "login accounts" involved.

> I also found it curious that I could log in as a regular user and create
> a new ipa user. Works for deluser too. So, if there is a krb ticket
> still valid on a machine, anyone could play havoc with ipa?  Obviously
> I'm missing something... hmmm, 03:45. I probably should go to sleep and
> think about it tomorrow.

If everything was working as it should, you were able to add a user etc. 
as a "regular user", I presume, because you had earlier acquired an admin 
ticket via kinit. This is the beauty of single sign-on. You signed on once; 
you're good to go for the life of the ticket.

If you don't want the possibility of anyone walking up to your console and 
doing an unauthorized action, then destroy your admin ticket via 
kdestroy. Poof, it's gone; you can't do anything again until the next 
successful kinit.

-- 
John Dennis <jdennis at redhat.com>
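As an added example (not from this thread or the FreeIPA project), a small Python check for the situation John describes: it parses klist output, constructed here in MIT Kerberos style, and reports whether a still-valid ticket for the admin principal sits in the credential cache, so the console user knows to run kdestroy before walking away. The principal name "admin" as the privileged account and the klist timestamp format are assumptions.

```python
import re
from datetime import datetime

# Constructed klist output in MIT Kerberos style; not captured from a real IPA host.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
11/07/2007 03:30:00  11/08/2007 03:30:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
11/07/2007 03:31:10  11/08/2007 03:30:00  HTTP/ipa.example.com@EXAMPLE.COM
"""

# Assumption: the installer-created "admin" principal is the privileged one.
# Extend this set with any other principals that hold IPA admin rights.
PRIVILEGED = {"admin"}

# Assumption: klist prints timestamps in this locale-dependent format.
TIME_FMT = "%m/%d/%Y %H:%M:%S"
TGT_RE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+krbtgt/(\S+)$")


def parse_klist(text):
    """Return (default principal, TGT expiry) from klist output, or (None, None)."""
    principal, expiry = None, None
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        m = TGT_RE.match(line.strip())  # only the krbtgt line carries the TGT lifetime
        if m:
            expiry = datetime.strptime(m.group(2), TIME_FMT)
    return principal, expiry


def cache_risk(text, now_str=None):
    """Classify the cache as 'none', 'expired', 'unprivileged' or 'privileged',
    plus the seconds of validity left. 'privileged' means an admin TGT is still
    usable from this console and should be removed with kdestroy."""
    now = datetime.strptime(now_str, TIME_FMT) if now_str else datetime.now()
    principal, expiry = parse_klist(text)
    if principal is None or expiry is None:
        return "none", 0
    remaining = int((expiry - now).total_seconds())
    if remaining <= 0:
        return "expired", 0
    user = principal.split("@", 1)[0]
    return ("privileged" if user in PRIVILEGED else "unprivileged"), remaining


if __name__ == "__main__":
    state, secs = cache_risk(SAMPLE_KLIST, "11/07/2007 13:38:32")
    print(state, secs // 3600, "hours left")  # privileged 13 hours left
```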