
Too many admin users in Debian Edu/Squeeze?
If I got it right, we set up the following administration users in
Debian Edu/Squeeze with the password specified for root during the
installation:

  root
  localadmin
  admin
  super-admin

Did I miss any?  I am aware of the samba admin user (smbadmin), but
believe it has a generated random password.

 * The root user is the normal uid=0 user in /etc/passwd.

 * The localadmin is a uid!=0 user in /etc/passwd with full sudo
   access, which I believe was created to avoid having to grant root
   login access in kdm and provide an initial user to use when creating
   LDAP users.

 * The admin user is in LDAP with privileges to update LDAP objects.
   This was the original LDAP admin user with lwat.  It is invisible in
   GOsa, but still used by some command line scripts.  This user can not
   be used with Kerberos.

 * The super-admin user is in LDAP and can be used to log into GOsa to
   administrate LDAP and GOsa.  This user can not be used with Kerberos.

I suspect these many administrative users will confuse the local
administrator.  It will also cause problems when the local administrator
wants to change passwords, as the password has to be changed two times
on each machine and two times in LDAP, and only the super-admin password
can be changed from within GOsa.  I believe we would be better off by
reducing the number of administrative users.

I propose we drop the localadmin user, and instead set up an LDAP user
for the same purpose.  I propose we drop the current admin user, and
rename the super-admin GOsa user to admin.  We should also try to make
this user authenticate using Kerberos.  This way we end up with a user
with 8 characters or less in the name (avoids problems with top, w and
other command line tools), we get a user that can have its password
changed in GOsa, and provide a non-root user that can be used for the
initial login to create more LDAP users.  We also reduce the password
change required to one on each machine and one in LDAP.  And the admins
used with our Lenny version will still be able to use the 'admin' user
for the LDAP administration.  In addition, the initial user will have a
Kerberos ticket we can use in the future to log into GOsa, Nagios, CUPS,
etc. and get single sign on for these web services. :)

Did I misunderstand the purpose of some of these users?  Anyone see a
problem with this new proposal?

I am aware that this will require changes to the documentation, but
believe the resulting documentation will be easier to write and easier
to understand, as the local administrator only needs to cope with two
administrative users.  There will be one local (root), and one in LDAP
(admin).
-- 
Happy hacking
Petter Reinholdtsen
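A local check for the kind of privileged-account sprawl the post describes (uid=0 accounts plus anything with an unrestricted sudo rule, such as the localadmin user), added here as an example and not code from the Debian Edu project. It parses constructed /etc/passwd, /etc/group and /etc/sudoers samples embedded below; on a real host you would read the actual files instead.

```python
import re

# Constructed sample /etc/passwd, /etc/group and /etc/sudoers (not from a real host).
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
localadmin:x:1000:1000:Local Admin:/home/localadmin:/bin/bash
jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/bash
"""
GROUP = """sudo:x:27:jdoe
users:x:100:
"""
SUDOERS = """# constructed sudoers
Defaults env_reset
root       ALL=(ALL:ALL) ALL
localadmin ALL=(ALL) ALL
%sudo      ALL=(ALL) ALL
"""
# Matches an unrestricted rule: [%]principal ALL=(ALL[:ALL]) [NOPASSWD:] ALL
SUDO_ALL = re.compile(r'^(%?)([\w.-]+)\s+ALL\s*=\s*\(ALL(?::ALL)?\)\s+(?:NOPASSWD:\s*)?ALL$')

def parse_passwd(text):
    """name -> uid for every /etc/passwd entry."""
    return {f[0]: int(f[2]) for f in (l.split(':') for l in text.splitlines() if l)}

def parse_group(text):
    """group name -> set of member names listed in /etc/group."""
    return {f[0]: set(m for m in f[3].split(',') if m)
            for f in (l.split(':') for l in text.splitlines() if l)}

def sudo_principals(text):
    """(users, groups) granted an unrestricted ALL=(ALL) ALL rule in sudoers."""
    users, groups = set(), set()
    for line in text.splitlines():
        m = SUDO_ALL.match(line.split('#', 1)[0].strip())
        if m:
            (groups if m.group(1) else users).add(m.group(2))
    return users, groups

def privileged_accounts(passwd=PASSWD, group=GROUP, sudoers=SUDOERS):
    """Map each local account to the reasons it counts as administrative."""
    s_users, s_groups = sudo_principals(sudoers)
    members = parse_group(group)
    found = {}
    for name, uid in parse_passwd(passwd).items():
        reasons = ['uid=0'] if uid == 0 else []
        reasons += ['sudoers user spec'] if name in s_users else []
        reasons += ['member of %' + g for g in s_groups if name in members.get(g, ())]
        if reasons:
            found[name] = reasons
    return found

if __name__ == '__main__':
    for name, why in privileged_accounts().items():
        print(name, ', '.join(why))
```

Any account listed besides root after the proposed change (for example a leftover localadmin) is a candidate for removal, since the LDAP admin user is meant to cover that role.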