Dave Love | 3 Jan 2006 00:20

Re: Using John the Ripper with Heimdal

Luke Howard <lukeh <at> padl.com> writes:

> It is possible to enforce password policies, you can even write a
> custom password filter module:

Yes, sorry, I should have said `for some value of' `not possible'.

Johan Danielsson | 4 Jan 2006 15:55

move kadmin from sbin to bin


Hello,

We've received a request to move kadmin from sbin to bin. One
argument(*) for this is systems (mostly linux) that configure with
prefix set to /usr. On such systems, kadmin may not correspond to
what's supposed to be in /usr/sbin. One other argument is that kadmin
is a commonly used tool, and having it in bin might make sense.

Any opinions about this?

Another related question is what to do with the other programs in
sbin. I think they are kstash, ktutil and *_log. If we decide to move
kadmin, ktutil should also move, and probably also kstash, don't know
what to do with *_log.

(*) One solution to this is just to use --sbindir=/usr/bin.

/Johan

Gabor Gombas | 4 Jan 2006 16:41

Re: move kadmin from sbin to bin

Hi,

On Wed, Jan 04, 2006 at 03:55:55PM +0100, Johan Danielsson wrote:

> We've received a request to move kadmin from sbin to bin. One
> argument(*) for this is systems (mostly linux) that configure with
> prefix set to /usr. On such systems, kadmin may not correspond to
> what's supposed to be in /usr/sbin. One other argument is that kadmin
> is a commonly used tool, and having it in bin might make sense.

Commonly used by whom? If commonly used by regular users, then it should
go to /usr/bin. If it is used only by administrators, then it should remain
in /usr/sbin (and those administrators should be educated to set their
PATH).

> Another related question is what to do with the other programs in
> sbin. I think they are kstash, ktutil and *_log. If we decide to move
> kadmin, ktutil should also move, and probably also kstash, don't know
> what to do with *_log.

Do normal (non-administrator) users regularly create keytabs with
ktutil? If not, it should remain in /usr/sbin. kstash and *_log should
definitely be in /usr/sbin and not in /usr/bin.

Placing programs in /usr/bin that are not generally useful for
non-administrator users is not a good idea, since it increases the size
of /usr/bin (and there are still file systems that do linear search on
file name lookup), and decreases the usability of tab completion.

Just my 0.02.

Andrew Bartlett | 4 Jan 2006 23:09

Re: move kadmin from sbin to bin

On Wed, 2006-01-04 at 16:41 +0100, Gabor Gombas wrote:
> Hi,
> 
> On Wed, Jan 04, 2006 at 03:55:55PM +0100, Johan Danielsson wrote:
> 
> > We've received a request to move kadmin from sbin to bin. One
> > argument(*) for this is systems (mostly linux) that configure with
> > prefix set to /usr. On such systems, kadmin may not correspond to
> > what's supposed to be in /usr/sbin. One other argument is that kadmin
> > is a commonly used tool, and having it in bin might make sense.
> 
> Commonly used by whom? If commonly used by regular users, then it should
> go to /usr/bin. If it used only by administrators, then it should remain
> in /usr/sbin (and those administrators should be educated to set their
> PATH).

ifconfig is typically found in /sbin, yet some technical users care
about it.  I tend to agree with Gabor, but I would defer to a full
reading of the FHS.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
Randy McMurchy | 4 Jan 2006 23:54

RE: move kadmin from sbin to bin

Andrew Bartlett wrote:

> ifconfig is typically found in /sbin, yet some technical users care
> about it.  I tend to agree with Gabor, but I would defer to a full
> reading of the FHS.

Actually, the /sbin, /usr/sbin, /bin, /usr/bin directories are
quite easy according to the FHS:

/sbin - Programs used by the System Administrator that must be
available during the boot process or in single-user mode, as
/usr *may* not be mounted at this time.

/bin - Same as above, except programs that are not exclusively
used by the System Administrator.

/usr/sbin - Programs used by the System Administrator that do not
need to be available if /usr is not mounted.

/usr/bin - Everything else.

--
Randy

Mans Nilsson | 5 Jan 2006 08:51

Re: move kadmin from sbin to bin

Subject: move kadmin from sbin to bin Date: Wed, Jan 04, 2006 at 03:55:55PM +0100 Quoting Johan Danielsson (joda <at> pdc.kth.se):
> 
> Any opinions about this?

Don't. Kadmin is typically used in two settings: by the administrator,
in a separate PAG, to modify and/or create principals, and second,
by root, to extract keytabs on newly installed machines. None of these
activities are end-user stuff.

-- 
Måns Nilsson         Systems Specialist
+46 70 681 7204         KTHNOC
                        MN1334-RIPE

You mean now I can SHOOT YOU in the back and further BLUR th'
distinction between FANTASY and REALITY?
Dave Love | 5 Jan 2006 11:03

Re: move kadmin from sbin to bin

Johan Danielsson <joda <at> pdc.kth.se> writes:

> Hello,
>
> We've received a request to move kadmin from sbin to bin. One
> argument(*) for this is systems (mostly linux) that configure with
> prefix set to /usr. On such systems, kadmin may not correspond to
> what's supposed to be in /usr/sbin.

I don't understand that.  In addition to what others said, it is
actually in sbin from the system packages on the two GNU/Linux strains
I know -- Debian & RedHat.  On RedHat it's the MIT version and
actually in /usr/kerberos/sbin, though.

jay alvarez | 6 Jan 2006 05:28

kadmind.acl failed after transferring principals to openldap

Good day,

After dumping the database from an existing bdb kerberos server, immediately load that database into a newly configured heimdal/openldap. Everything works fine
but the following:

kadmind.acl doesn't work anymore. I transferred this file into the new server's /var/heimdal but on the client I get an
kadmin: get *: Operation requires `get' privilege

Is it not possible for heimdal to work with a remote ldapserver?? Why is it that when heimdal and openldap are on the same machine... slapd still has to be started with ldap:/// and not just ldapi:/// ?


That's all for now.. thanks.


Marco Hoehle | 6 Jan 2006 10:35

Re: kadmind.acl failed after transferring principals to openldap

Hi,

I had the same problem. Check that in your kdc.conf database section ALL
ex-default parameters are inserted.
It seems to be strange behaviour: if this section is used, the
defaults are gone to nowhere..

So set

database = {
  # ACL file for kadmind; the default name is kadmind.acl
  acl_file = /var/heimdal/kadmind.acl
  # master key file as written by kstash (placeholder value)
  mkey_file = bla
  dbname = ldap:bla ...
}

and check if it is working then.

Regards
marco

jay alvarez <kerber0sb0y <at> yahoo.com> wrote on 01/06/2006 05:28 AM to heimdal-discuss <at> sics.se, Subject: kadmind.acl failed after transferring principals to openldap:

> Good day,
>
> After dumping the database from an existing bdb kerberos server,
> immediately load that database into a newly configured
> heimdal/openldap. Everything works fine but the following:
>
> kadmind.acl doesn't work anymore. I transferred this file into the new
> server's /var/heimdal but on the client I get an
> kadmin: get *: Operation requires `get' privilege
>
> Is it not possible for heimdal to work with a remote ldapserver?? Why is
> it that when heimdal and openldap are on the same machine... slapd still
> has to be started with ldap:/// and not just ldapi:/// ?
>
> That's all for now.. thanks.
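To make the "Operation requires `get' privilege" message above concrete, here is an added example (not code from any post in this thread, and not Heimdal's own implementation) that models how a Heimdal-style kadmind.acl grants privileges. The line format follows the kadmind(8) manual page: a principal, a comma-separated list of privileges (add, change-password/cpw, delete, get, list, modify, or all), and an optional glob pattern restricting the entry to matching target principals. The sample ACL, the principal names and the EXAMPLE.ORG realm are constructed, and the evaluator is a simplified model: it treats the target as a literal principal name and does not model the client-side wildcard expansion real kadmin does. It shows the two ways a request is refused that are relevant to the thread: the actor's entry lacks `get` (or `all`), or its pattern does not cover the target; and it mirrors Marco's point that an ACL the KDC never loads (acl_file unset, or pointing at a file that is not there) grants nothing at all.

```python
"""Simplified evaluator for a Heimdal-style kadmind.acl (added example).

Line format, per kadmind(8):

    principal   priv[,priv...]   [glob-pattern]

Lines starting with '#' are comments.  This is a model for illustration,
not Heimdal's code.
"""
import fnmatch
import os
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

PRIVILEGES = {"add", "change-password", "delete", "get", "list", "modify", "all"}
ALIASES = {"cpw": "change-password"}


@dataclass(frozen=True)
class AclEntry:
    principal: str
    privs: FrozenSet[str]
    pattern: Optional[str]  # glob over target principals, or None for "any"


def parse_acl(text: str) -> List[AclEntry]:
    """Parse ACL text; raise ValueError on malformed lines or unknown privileges."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 fields, got {len(fields)}")
        privs = {ALIASES.get(p.strip(), p.strip()) for p in fields[1].split(",")}
        unknown = privs - PRIVILEGES
        if unknown:
            raise ValueError(f"line {lineno}: unknown privilege(s) {sorted(unknown)}")
        pattern = fields[2] if len(fields) == 3 else None
        entries.append(AclEntry(fields[0], frozenset(privs), pattern))
    return entries


def load_acl(path: str) -> List[AclEntry]:
    """A missing or unreadable ACL file grants nothing, which is the failure mode in the thread."""
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return parse_acl(fh.read())


def is_allowed(entries: List[AclEntry], actor: str, priv: str,
               target: Optional[str] = None) -> bool:
    """True if some entry for `actor` grants `priv` (or all) and its pattern, if any, matches `target`."""
    priv = ALIASES.get(priv, priv)
    for entry in entries:
        if entry.principal != actor:
            continue
        if priv not in entry.privs and "all" not in entry.privs:
            continue
        if (entry.pattern is not None and target is not None
                and not fnmatch.fnmatchcase(target, entry.pattern)):
            continue
        return True
    return False


def explain(entries: List[AclEntry], actor: str, priv: str,
            target: Optional[str] = None) -> str:
    """Render the decision in the style of the kadmin error quoted in the thread."""
    op = priv if target is None else f"{priv} {target}"
    if is_allowed(entries, actor, priv, target):
        return f"kadmin: {op}: permitted for {actor}"
    return f"kadmin: {op}: Operation requires `{priv}' privilege"


# Constructed sample ACL; names and realm are made up for this example.
SAMPLE_ACL = """\
# full administrator
alice/admin@EXAMPLE.ORG     all
# may inspect and edit host principals only
hostops/admin@EXAMPLE.ORG   get,list,modify   host/*@EXAMPLE.ORG
# password resets only, on any principal
helpdesk/admin@EXAMPLE.ORG  cpw
"""

ENTRIES = parse_acl(SAMPLE_ACL)

if __name__ == "__main__":
    for actor, priv, target in [
        ("alice/admin@EXAMPLE.ORG", "get", "bob@EXAMPLE.ORG"),
        ("hostops/admin@EXAMPLE.ORG", "get", "host/www.example.org@EXAMPLE.ORG"),
        ("hostops/admin@EXAMPLE.ORG", "get", "bob@EXAMPLE.ORG"),
        ("helpdesk/admin@EXAMPLE.ORG", "get", "bob@EXAMPLE.ORG"),
    ]:
        print(explain(ENTRIES, actor, priv, target))
    # An ACL file the KDC cannot find behaves like an empty ACL.
    print(explain(load_acl("/nonexistent/kadmind.acl"),
                  "alice/admin@EXAMPLE.ORG", "get", "bob@EXAMPLE.ORG"))
```

When debugging a denial like jay's, the checklist this models is: the admin principal you authenticated as must appear verbatim in the file, its privilege list must contain the operation (or `all`), any third-field pattern must cover the principals you are asking about, and the file must actually be the one named by acl_file in the running kdc.conf.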

Henry B. Hotz | 7 Jan 2006 01:02

Re: Subtle problems with AFS tokens after migration from 0.6 to 0.7.1

Any followup on this?  We'll be doing the same soon.

Another question:  are you running Transarc, or OpenAFS AFS servers,  
and which versions?

On Dec 5, 2005, at 11:52 AM, Love Hörnquist Åstrand wrote:

>
> Andrei Maslennikov <andrei.maslennikov <at> gmail.com> writes:
>
>> We have migrated to from 0.6 to 0.7.1 and seemingly all went quite  
>> well.
>> However we have soon discovered a problem with AFS tokens that
>> only manifests itself with a subset of users.
>
> I've tried this with 5 character users name, and it worked fine for  
> me.
>
> How long is your realm/cell-name ?
>
> Love
>
