[Freeipa-devel] which accounts to use in IPA

David O'Brien david.obrien at redhat.com
Tue Nov 6 17:50:29 UTC 2007


When you run freeipa-server-install, it creates/configures three
accounts (possibly not the correct term for all): Directory Manager,
Kerberos, and IPA admin.

To run the web interface as Administrator and create users, etc., you
get a Kerberos ticket (kinit admin) and point to the IPA server. That's
fine...

On the command line, who should I be logged in as to run ipa-*? Should I
be doing all this as root? Seems like a bad idea. I can't log in as
admin because it's not a "real" account (not an account on the box, only
in IPA). Should I be adding /usr/sbin to the path of a regular user, or
maybe creating a special user account for this?

I also found it curious that I could log in as a regular user and create
a new ipa user. Works for deluser too. So, if there is a krb ticket
still valid on a machine, anyone could play havoc with ipa?  Obviously
I'm missing something... hmmm, 03:45. I probably should go to sleep and
think about it tomorrow.

-- 
/david
