Re: Too many admin users in Debian Edu/Squeeze?
[Mike Gabriel]
> Hi Petter,
Hi, Mike.
> I agree with the confusion factor here.
Great. Then let's try to reduce it. :)
> When I set up LDAP based networks, I always have a local user that is
> not in LDAP and not root. Since Ubuntu, using sudo is common practice
> and I rather would like to propose that the root account is not used
> at all, but to provide (continue providing) a fully functional local
> sudo-able account (like localadmin, the name may be different, of
> course).
When it is impossible to log into the root account, having another local
account in /etc/passwd definitely makes sense. But each local user on
each system comes with the burden of keeping the password for that user
up-to-date. Where I work, we do not provide such local users, as the
pain of changing the passwords outweighs the advantages. If we need to
log in and the root user is broken, we fetch a rescue USB stick. I can
not remember when that happened the last time.
> GOsa² won't authenticate against Kerberos credentials. GOsa² uses
> x_simple_bind.
Right. Too bad, but then we will just have to handle that. :/
> My suggestion would be instead:
>
> 1. rename localadmin -> admin, keep it locally, on every machine in
> /etc/passwd, force it to uidNumber 1000, gidNumber 1000
> 2. drop the super-admin DN for GOsa and use
> cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
> 3. add posixAccount and Kerberos information to
> cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
> with duplicate uidNumber 1000, gidNumber 1000
> but keep the cn=admin item hidden from GOsa²
Having two different users with different password strings but the same
name is going to lead to most admins only changing the password in
LDAP/Kerberos, and leaving the local admin user behind. That is too
high a security risk to put on the school admins.
I believe it is better to drop the localadmin account completely, ask
the admin during installation of the main-server for his name, username
and password, and create an LDAP/Kerberos user using this information. This
way the local admin will get his normal account right away, and at least
one non-personal account goes away. I am quite close to having this
working.
We will still have the root, admin and super-admin accounts with the
initial root password, but it is at least one step closer.
We could consider merging the first user and the super-admin user to
reduce the set to 'root' in /etc/passwd and 'admin' in LDAP.
This way the first-time user/admin will know which username and password
to use when logging into GOsa to create the rest of the users.
--
Happy hacking
Petter Reinholdtsen
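The two hazards raised in this exchange, a username or uidNumber present both in /etc/passwd and as an LDAP posixAccount, and a local account whose password nobody remembers to rotate, are easy to audit. The script below is an added example, not code from Debian Edu or from either poster; the passwd, shadow and LDIF samples are constructed inline (the LDIF mirrors the proposed cn=admin entry with uidNumber 1000), the 90-day threshold is an assumption, and on a real system you would read /etc/passwd and /etc/shadow and feed the output of `ldapsearch -LLL '(objectClass=posixAccount)'` to parse_ldif().

```python
"""Audit local accounts against LDAP posixAccount entries.

Reports (1) names or uidNumbers shared between /etc/passwd and LDAP, and
(2) local accounts with an unlocked password older than a threshold.
Added example; all sample data below is constructed, not from a real host.
"""
from datetime import date, timedelta

# Constructed /etc/passwd sample: 'admin' is the local sudo-able account.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000:Local Admin:/home/admin:/bin/bash
backup:x:1002:1002:Backup:/var/backups:/bin/sh
"""

# Constructed /etc/shadow sample. Field 3 is the last password change in
# days since 1970-01-01 (15000 = 2011-01-26); '!' means the account is locked.
SHADOW = """\
root:$6$salt$hash:15000:0:99999:7:::
admin:$6$salt$hash:14000:0:99999:7:::
backup:!:15000:0:99999:7:::
"""

# Constructed LDIF as `ldapsearch -LLL` prints it: the proposed cn=admin
# entry with the duplicate uidNumber 1000, plus one ordinary user.
LDIF = """\
dn: cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
objectClass: posixAccount
cn: admin
uid: admin
uidNumber: 1000
gidNumber: 1000

dn: uid=petter,ou=people,dc=skole,dc=skolelinux,dc=no
objectClass: posixAccount
uid: petter
uidNumber: 1002
gidNumber: 1002
"""


def parse_passwd(text):
    """Map login name -> {uidNumber, gidNumber} from passwd(5) lines."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, *_rest = line.split(":")
        users[name] = {"uidNumber": int(uid), "gidNumber": int(gid)}
    return users


def parse_shadow(text):
    """Map login name -> date of last password change, skipping locked accounts."""
    lastchg = {}
    for line in text.splitlines():
        if not line:
            continue
        name, hashed, days = line.split(":")[:3]
        if hashed.startswith(("!", "*")) or not days:
            continue  # locked or never set: nothing to age
        lastchg[name] = date(1970, 1, 1) + timedelta(days=int(days))
    return lastchg


def parse_ldif(text):
    """Return posixAccount entries as {dn, uid, uidNumber} from simple LDIF."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _sep, val = line.partition(": ")
        cur.setdefault(key, []).append(val)
    if cur:
        entries.append(cur)
    return [{"dn": e["dn"][0], "uid": e["uid"][0],
             "uidNumber": int(e["uidNumber"][0])}
            for e in entries if "posixAccount" in e.get("objectClass", [])]


def find_collisions(local, ldap):
    """List (kind, local_name, dn) for every name or uidNumber shared by both."""
    by_uid = {v["uidNumber"]: name for name, v in local.items()}
    hits = []
    for e in ldap:
        if e["uid"] in local:
            hits.append(("name", e["uid"], e["dn"]))
        if e["uidNumber"] in by_uid:
            hits.append(("uidNumber", by_uid[e["uidNumber"]], e["dn"]))
    return hits


def stale_passwords(lastchg, today, max_age_days=90):
    """Names of local accounts whose password is older than max_age_days."""
    return sorted(n for n, d in lastchg.items() if (today - d).days > max_age_days)


if __name__ == "__main__":
    for kind, name, dn in find_collisions(parse_passwd(PASSWD), parse_ldif(LDIF)):
        print(f"collision on {kind}: local '{name}' vs LDAP {dn}")
    for name in stale_passwords(parse_shadow(SHADOW), date(2011, 6, 1)):
        print(f"stale local password: {name}")
```

The uidNumber check matters even when the names differ: a local account and a directory user that share a UID own each other's files on every host where both resolve, and `getent passwd 1000` returns whichever source nsswitch.conf consults first.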