Re: Too many admin users in Debian Edu/Squeeze?
[Mike Gabriel]
> Hi Petter,
Hi, Mike.
> I agree with the confusion factor here.
Great.  Then let's try to reduce it. :)
> When I set up LDAP based networks, I always have a local user that is
> not in LDAP and not root. Since Ubuntu, using sudo is common practice
> and I rather would like to propose that the root account is not used
> at all, but to provide (continue providing) a fully functional local
> sudo-able account (like localadmin, the name may be different, of
> course).
When it is impossible to log into the root account, having another local
account in /etc/passwd definitely makes sense.  But each local user on
each system comes with the burden of keeping the password for that user
up-to-date.  Where I work, we do not provide such local users as the
pain of changing the passwords outweighs the advantages.  If we need to
log in and the root user is broken, we fetch a rescue USB stick.  I
cannot remember when that happened the last time.
> GOsa² won't authenticate against Kerberos credentials. GOsa² uses
> x_simple_bind.
Right.  Too bad, but then we will just have to handle that. :/
> My suggestion would be instead:
> 
>    1. rename localadmin -> admin, keep it locally, on every machine in
>       /etc/passwd, force it to uidNumber 1000, gidNumber 1000
>    2. drop the super-admin DN for GOsa and use
>       cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
>    3. add posixAccount and Kerberos information to
>       cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
>       with duplicate uidNumber 1000, gidNumber 1000
>       but keep the cn=admin item hidden from GOsa²
Having two different users with different password strings but the same
name is going to lead to most admins only changing the password in
LDAP/Kerberos, and leaving the local admin user behind.  That is too
high a security risk to put on the school admins.
I believe it is better to drop the localadmin account completely, ask
the admin during installation of the main-server for his name, username
and password, and create an LDAP/Kerberos user using this information.  This
way the local admin will get his normal account right away, and at least
one non-personal account goes away.  I am quite close to having this
working.
We will still have the root, admin and super-admin accounts with the
initial root password, but at least one step closer.
We could consider merging the first user and the super-admin user to
reduce the set to 'root' in /etc/passwd and 'admin' in LDAP.
This way the first time user/admin will know which username and password
to use when logging into GOsa to create the rest of the users.
-- 
Happy hacking
Petter Reinholdtsen
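The risk Petter describes above (a local account and an LDAP/Kerberos account sharing a name or uidNumber, each with its own independently maintained password) can be checked for mechanically. The script below is an added example, not code from the Debian Edu project or from either author; it parses a /etc/passwd fragment and an LDIF export of posixAccount entries (both constructed sample data, not taken from a real system) and reports accounts that overlap by name, accounts that overlap by numeric uid, and local accounts with no LDAP counterpart whose passwords must be rotated separately. The DN under ou=ldap-access is the one named in the proposal; the other names and numbers are made up.

```python
"""Audit local passwd entries against LDAP posixAccount entries for the
overlap discussed in the thread: the same account name or uidNumber
existing both locally and in LDAP/Kerberos with separate passwords.

Added example, not Debian Edu code. Sample data below is constructed."""

import re

# Constructed sample: /etc/passwd fragment with two local admin accounts.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
localadmin:x:1000:1000:Local Admin:/home/localadmin:/bin/bash
admin:x:1001:1001:Admin:/home/admin:/bin/bash
"""

# Constructed sample: LDIF export of posixAccount entries.
SAMPLE_LDIF = """dn: cn=admin,ou=ldap-access,dc=skole,dc=skolelinux,dc=no
objectClass: posixAccount
cn: admin
uid: admin
uidNumber: 1000
gidNumber: 1000

dn: uid=pere,ou=people,dc=skole,dc=skolelinux,dc=no
objectClass: posixAccount
uid: pere
uidNumber: 1002
gidNumber: 1002
"""


def parse_passwd(text):
    """Return {name: uid} for every well-formed passwd line."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue
        accounts[fields[0]] = int(fields[2])
    return accounts


def parse_ldif_posix(text):
    """Return {uid: uidNumber} for each LDIF entry that is a posixAccount."""
    accounts = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if ":" in line:
                key, _, value = line.partition(":")
                attrs.setdefault(key.strip().lower(), []).append(value.strip())
        classes = [v.lower() for v in attrs.get("objectclass", [])]
        if "posixaccount" not in classes:
            continue
        if "uid" in attrs and "uidnumber" in attrs:
            accounts[attrs["uid"][0]] = int(attrs["uidnumber"][0])
    return accounts


def find_overlaps(local, ldap, min_uid=1000):
    """Report accounts present in both sources by name or by uidNumber.

    System accounts below min_uid are expected to be local and are skipped."""
    local_users = {n: u for n, u in local.items() if u >= min_uid}
    same_name = sorted(set(local_users) & set(ldap))
    ldap_by_uid = {}
    for name, uid in ldap.items():
        ldap_by_uid.setdefault(uid, []).append(name)
    same_uid = sorted(
        (uid, name, ldap_by_uid[uid][0])
        for name, uid in local_users.items()
        if uid in ldap_by_uid
    )
    # Local accounts with no LDAP counterpart still carry a separately
    # maintained password; list them so an admin knows what to keep rotated.
    local_only = sorted(n for n in local_users if n not in ldap)
    return {"same_name": same_name, "same_uid": same_uid, "local_only": local_only}


def audit(passwd_text=SAMPLE_PASSWD, ldif_text=SAMPLE_LDIF):
    """Run the overlap check on the given passwd and LDIF text."""
    return find_overlaps(parse_passwd(passwd_text), parse_ldif_posix(ldif_text))


if __name__ == "__main__":
    for kind, items in audit().items():
        print(f"{kind}: {items}")
```

On the sample data the check reports "admin" as a name shared by a local and an LDAP account, uid 1000 as shared between local "localadmin" and LDAP "admin", and "localadmin" as a local-only account. On a real host the passwd text would come from /etc/passwd and the LDIF from an ldapsearch export of the posixAccount entries.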