Too many admin users in Debian Edu/Squeeze?
If I got it right, we set up the following administration users in
Debian Edu/Squeeze with the password specified for root during the
installation:
root
localadmin
admin
super-admin
Did I miss any? I am aware of the Samba admin user (smbadmin), but
believe it has a generated random password.
* The root user is the normal uid=0 user in /etc/passwd.
* The localadmin is a uid!=0 user in /etc/passwd with full sudo
access, which I believe was created to avoid having to grant root
login access in kdm and provide an initial user to use when creating
LDAP users.
* The admin user is in LDAP with privileges to update LDAP objects.
This was the original LDAP admin user with lwat. It is invisible in
GOsa, but still used by some command line scripts. This user can not
be used with Kerberos.
* The super-admin user is in LDAP and can be used to log into GOsa to
administrate LDAP and GOsa. This user can not be used with Kerberos.
I suspect these many administrative users will confuse the local
administrator. It will also cause problems when the local administrator
wants to change passwords, as the password has to be changed two times
on each machine and two times in LDAP, and only the super-admin password
can be changed from within GOsa. I believe we would be better off by
reducing the number of administrative users.
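As an added illustration of the point above (not part of the original mail), the following audit script lists the local root-equivalent identities a machine carries: every uid=0 entry in /etc/passwd plus every user with a full sudo grant. The passwd and sudoers data are constructed samples modelled on the layout described in the list, not files from an actual Debian Edu install.

```python
import re

# Constructed /etc/passwd sample: root and localadmin as described above,
# plus a spare uid=0 entry ("extra0") so the audit has something to catch.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
localadmin:x:1000:1000:Local admin:/home/localadmin:/bin/bash
extra0:x:0:0:stray root-equivalent:/tmp:/bin/sh
"""

# Constructed sudoers fragment (hypothetical, not the distribution's own file).
SUDOERS_SAMPLE = """# User privilege specification
root        ALL=(ALL) ALL
localadmin  ALL=(ALL) ALL
%sudo       ALL=(ALL) ALL
"""

# A user line granting unrestricted commands; group lines (%name) are skipped.
FULL_SUDO = re.compile(r"^([A-Za-z_][\w-]*)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s*(?:NOPASSWD:\s*)?ALL\s*$")


def uid0_accounts(passwd_text):
    """Every account whose numeric uid is 0, i.e. a full root equivalent."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            found.append(fields[0])
    return found


def full_sudo_accounts(sudoers_text):
    """Users (not groups) allowed to run any command as any user via sudo."""
    found = []
    for line in sudoers_text.splitlines():
        m = FULL_SUDO.match(line.strip())
        if m:
            found.append(m.group(1))
    return found


def local_admin_inventory(passwd_text, sudoers_text):
    """Sorted list of distinct local administrative identities on this host.

    On the Squeeze layout this returns root and localadmin (two passwords to
    rotate per machine); the proposal above would shrink it to root alone.
    """
    admins = set(uid0_accounts(passwd_text)) | set(full_sudo_accounts(sudoers_text))
    return sorted(admins)


if __name__ == "__main__":
    print(local_admin_inventory(PASSWD_SAMPLE, SUDOERS_SAMPLE))
```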
I propose we drop the localadmin user, and instead set up an LDAP user
for the same purpose. I propose we drop the current admin user, and
rename the super-admin GOsa user to admin. We should also try to make
this user authenticate using Kerberos. This way we end up with a user
with 8 characters or less in the name (avoids problems with top, w and
other command line tools), we get a user that can have its password
changed in GOsa, and provide a non-root user that can be used for the
initial login to create more LDAP users. We also reduce the password
change required to one on each machine and one in LDAP. And the admins
used with our Lenny version will still be able to use the 'admin' user
for the LDAP administration. In addition, the initial user will have a
Kerberos ticket we can use in the future to log into GOsa, Nagios, CUPS,
etc and get single sign on for these web services. :)
Did I misunderstand the purpose of some of these users? Anyone see a
problem with this new proposal?
I am aware that this will require changes to the documentation, but
believe the resulting documentation will be easier to write and easier
to understand, as the local administrator only needs to cope with two
administrative users. There will be one local (root), and one in LDAP
(admin).
--
Happy hacking
Petter Reinholdtsen