On 24 Apr 2012, at 14:06, Jeff Blaine <jblaine@kick...> wrote:
> How are people provisioning host principal keytabs in
> large quantities? I've never really seen anyone discuss
> this. It's not 1988 anymore ;)
I built a system to do this for my former employer, and presented on it at the 2005 Best Practices Workshop. Slides are at
http://www.dice.inf.ed.ac.uk/publications/AFSWorkshop-2005/AFSWorkshop.pdf
Essentially, we allowed any system administrator to register a principal of the form hostclient/<machine> and then allowed that principal to register any service principal of the form <service>/<machine>. These rules are enforced by using kadmind's ACLs.
We were still using this when I left at the beginning of the year. At that point we were considering using wallet, rather than kadmin, to handle the access control, and to restrict the set of service principals that can be created for a machine to the list of services in the configuration database. We had also considered various ways of further automating the creation of the initial hostclient principal, but none of these appeared cost effective for us, given that provisioning of new machines generally involved console access anyway.
Hope that helps!
Simon.
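The delegation rule Simon describes (an admin registers hostclient/<machine>, which may then create any <service>/<machine>, optionally limited to the services a configuration database lists for that machine) is small enough to model in a few dozen lines. What follows is an added example, not Simon's code or the slides' code: the realm EXAMPLE.ORG, the machine names, the config-database dictionary and the kadm5.acl wording are all assumptions made here for illustration.

```python
"""Added model (not the original poster's code) of the hostclient/<machine>
keytab-provisioning rule described in the post.

Rule 1: an administrator registers hostclient/<machine>@REALM for a new machine.
Rule 2: hostclient/<machine>@REALM may then create any <service>/<machine>@REALM.
Rule 3: the later refinement mentioned in the post: only services that the
        configuration database lists for that machine may be created.
"""
from dataclasses import dataclass
from typing import Optional

REALM = "EXAMPLE.ORG"  # assumed realm; the post names none


@dataclass(frozen=True)
class Principal:
    primary: str
    instance: Optional[str]
    realm: str


def parse_principal(name: str) -> Principal:
    """Parse primary[/instance]@REALM.

    Rejects extra components, empty components or a missing realm instead of
    guessing defaults: an ACL decision on a mis-parsed name is worse than a
    refusal.
    """
    if name.count("@") != 1:
        raise ValueError(f"malformed principal: {name!r}")
    local, realm = name.split("@")
    if not realm or "/" in realm:
        raise ValueError(f"malformed realm in: {name!r}")
    parts = local.split("/")
    if len(parts) > 2 or any(p == "" for p in parts):
        raise ValueError(f"malformed local part in: {name!r}")
    return Principal(parts[0], parts[1] if len(parts) == 2 else None, realm)


def may_create(actor: str, target: str,
               config_db: Optional[dict] = None) -> bool:
    """Return True if `actor` may create `target` under the scheme.

    config_db (optional) maps machine name -> set of permitted service names
    and stands in for the configuration database mentioned in the post.
    """
    try:
        a = parse_principal(actor)
        t = parse_principal(target)
    except ValueError:
        return False
    # Realm is pinned: a hostclient from another realm is delegated nothing.
    if a.realm != REALM or t.realm != REALM:
        return False
    # Only two-component hostclient/<machine> principals are delegated anything.
    if a.primary != "hostclient" or a.instance is None:
        return False
    # The target must be <something>/<this machine>; single-component targets
    # such as admin@REALM and other machines' instances are refused.
    if t.instance is None or t.instance != a.instance:
        return False
    if config_db is not None:
        return t.primary in config_db.get(a.instance, set())
    return True


def kadm5_acl_lines(realm: str = REALM) -> str:
    """kadm5.acl lines expressing rules 1 and 2.

    Assumed wording, to be checked against your KDC's kadm5.acl(5): MIT's
    back-reference *N in the target field refers to the N-th wildcard in the
    principal field, so *1 below is the machine name. Permissions: a = add,
    c = change key (needed for ktadd), i = inquire. Rule 3 cannot be expressed
    in kadm5.acl, which is why the post mentions moving to wallet.
    """
    return "\n".join([
        f"*/admin@{realm}        aci   hostclient/*@{realm}",
        f"hostclient/*@{realm}   aci   */*1@{realm}",
    ])
```

One caveat the model makes visible: because the target instance is pinned to whatever instance the hostclient principal carries, the safety of the whole scheme rests on administrators only ever registering hostclient/<instance> for real machine names. A hostclient principal whose instance were, say, "admin" would be able to create <anything>/admin, so the registration step for rule 1 should validate that the instance is a hostname the site owns.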
________________________________________________
Kerberos mailing list
Kerberos@mit....
https://mailman.mit.edu/mailman/listinfo/kerberos