Hi Petter, On Mi 11 Jan 2012 23:36:25 CET Petter Reinholdtsen wrote:
root localadmin admin super-admin I suspect these many administrative users will confuser the local administrator.
I agree with the confusion factor here.
I propose we drop the localadmin user, and instead set up a LDAP user for the same purpose.
When I set up LDAP based networks, I always have a local user that is not in LDAP and not root. Since Ubuntu, using sudo is common practice and I rather would like to propose that the root account is not used at all, but to provide (continue providing) a fully functional local sudo-able account (like localadmin, the name may be different, of course).
I propose we drop the current admin user, and rename the super-admin GOsa user to admin. We should also try to makethis user authenticate using Kerberos.
GOsa² won't authenticate against Kerberos credentials. GOsa² uses x_simple_bind.
This way we end up with a user with 8 characters or less in the name (avoids problems with top, w and other command line tools), we get a user that can have its password changed in GOsa, and provide a non-root user that can be used for the initial login to create more LDAP users. We also reduce the password change required to one on each machine and one in LDAP. And the admins used with our Lenny version will still be able to use the 'admin' user for the LDAP administration. In addition, the initial user will have a Kerberos ticket we can use in the future to log into Gosa, Nagios, CUPS, etc and get single sign on for these web services. :)
My suggestion would be instead:
1. rename localadmin -> admin, keep it locally, on every machine in
/etc/passwd, force it to uidNumber 1000, gidNumber 1000
2. drop the super-admin DN for GOsa and use
cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
3. add posixAccount and Kerberos information to
cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
with duplicate uidNumber 1000, gidNumber 1000
but keep the cn=admin item hidden from GOsa²
4. Provide a script in debian-edu-config to change the password
-> for admin in /etc/passwd
-> + on main-server: for Kerberos principal admin
-> + on main-server: for userPassword of the LDAP object
-> + (maybe?): local root account(?)
The trick is the duplicate entry of ,,admin'' in /etc/passwd and LDAP.
With this hack you can have a global ,,admin'' password on site and a
local ,,admin'' password per workstation. You can still use the local
,,admin''s password to login to a workstation, but if you decide to
change the site password for ,,admin'' then that one should work as
well.
Did I misunderstand the purpose of some of these users? Anyone see a problem with this new proposal?
I guess the history is to implement new features without touching already existing setups (so probably it was just being careful with the already performed work of other developers). My guess.
I am aware that this will require changes to the documentation, but believe the resulting documentation will be easier to write and easier to understand, as the local administrator only need to cope with two administrative users. There will be one local (root), and one in LDAP (admin).
Yes. Would be sexy... ;-) Mike -- DAS-NETZWERKTEAM mike gabriel, dorfstr. 27, 24245 barmissen fon: +49 (4302) 281418, fax: +49 (4302) 281419 GnuPG Key ID 0xB588399B mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
Attachment:
pgpR60fNVSckh.pgp
Description: Digitale PGP-Unterschrift