[Freeipa-devel] which accounts to use in IPA

Karl MacMillan kmacmill at redhat.com
Wed Nov 7 14:00:22 UTC 2007


On Wed, 2007-11-07 at 03:50 +1000, David O'Brien wrote:
> When you run the freeipa-server-install, it creates/configures three
> accounts (possibly not the correct term for all); Directory Manager,
> Kerberos, and IPA admin.
> 

The kerberos "password" is really a master key. It is used to encrypt
all of the key material that kerberos uses. There is no associated
account.

The Directory Manager is the "root" account for the directory. It is
needed rarely (during multi-master setup for example), but is important.
You will never "login" with this account or get a kerberos ticket with
it. It is only used for direct ldap operations.

The IPA admin is a powerful admin that we use to bootstrap IPA. The
assumption is that this account will be used to create other accounts
but not be used everyday. It also is the "root" account for kerberos.

> To run the web interface as Administrator and create users, etc., you
> get a Kerberos ticket (kinit admin) and point to the IPA server. That's
> fine...
> 

But you should really only do that right after install. The first task
should be to create a real account for the admin and give that the
privileges it needs.

> On the command line, who should I be logged in as to run ipa-*? Should I
> be doing all this as root? Seems like a bad idea.

No.

>  I can't log in as
> admin because it's not a "real" account (not an account on the box, only
> in IPA). Should I be adding /usr/sbin to the path of a regular user, or
> maybe creating a special user account for this?
> 

You can use a regular user account and you might add /usr/sbin to your
path (I just run the tools with the full path).

> I also found it curious that I could log in as a regular user and create
> a new ipa user. Works for deluser too. So, if there is a krb ticket
> still valid on a machine, anyone could play havoc with ipa?  Obviously
> I'm missing something... hmmm, 03:45. I probably should go to sleep and
> think about it tomorrow.
> 

That's likely because you have the admin kerberos ticket - the OS user
and the kerberos user can be separate, and are when you have the admin
ticket.

In normal usage the user's OS user and kerberos user will be the same
and likely won't have admin privileges with IPA.

In v2 I think we might consider having users get a regular user account
and an "admin" account - e.g., kmacmill@REALM and admin/kmacmill@REALM.
Otherwise any malicious process running as the regular user can muck
with IPA.

Karl
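The point Karl makes above (the OS user and the Kerberos principal in the credential cache are independent, so a leftover admin ticket lets any process running as that OS user act as IPA admin) can be turned into a simple check to put in front of ipa-* invocations. The following is an added example, not code from the thread or from FreeIPA: it parses MIT `klist` output (here a constructed sample, in real use the output of `klist 2>&1`) and refuses to proceed unless the cached principal is the caller's own non-admin principal. The realm EXAMPLE.COM, the cache paths and the `admin/<user>` naming are assumptions; the latter follows the v2 idea in the message rather than any shipped IPA feature.

```shell
#!/bin/sh
# Added example (not from the original thread or FreeIPA): inspect the
# Kerberos credential cache before running ipa-* tools, so that an
# admin ticket left behind after install is noticed instead of silently
# used by whatever runs as this OS user.

# Print the "Default principal:" value from MIT klist output on stdin.
cache_principal() {
    sed -n 's/^Default principal: //p' | head -n 1
}

# Succeed if the cached principal is <osuser>@<realm>.
principal_matches_os_user() {
    [ "$1" = "$2@$3" ]
}

# Succeed if the principal is the bootstrap "admin" or an admin/<user>
# principal (the admin/<user> convention is assumed, after the v2 idea
# in the thread; it is not an IPA feature).
is_admin_principal() {
    case "$1" in
        admin@*|admin/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classify a cache: prints NO_TICKET, ADMIN, OWN or FOREIGN.
classify_cache() {
    klist_text="$1"; osuser="$2"; realm="$3"
    principal=$(printf '%s\n' "$klist_text" | cache_principal)
    if [ -z "$principal" ]; then
        echo NO_TICKET
    elif is_admin_principal "$principal"; then
        echo ADMIN
    elif principal_matches_os_user "$principal" "$osuser" "$realm"; then
        echo OWN
    else
        echo FOREIGN
    fi
}

# Guard to run before an ipa-* command: only the caller's own
# non-admin ticket is accepted; anything else is reported and refused.
require_own_ticket() {
    state=$(classify_cache "$1" "$2" "$3")
    case "$state" in
        OWN) return 0 ;;
        *) echo "refusing to run ipa tools: credential cache state is $state" >&2
           return 1 ;;
    esac
}

# Constructed sample klist output (EXAMPLE.COM is a placeholder realm).
SAMPLE_ADMIN='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
11/07/07 08:00:00    11/08/07 08:00:00    krbtgt/EXAMPLE.COM@EXAMPLE.COM'

SAMPLE_OWN='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: kmacmill@EXAMPLE.COM

Valid starting       Expires              Service principal
11/07/07 08:00:00    11/08/07 08:00:00    krbtgt/EXAMPLE.COM@EXAMPLE.COM'

SAMPLE_NONE='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)'

# Usage: each call prints the classification of the sample cache.
classify_cache "$SAMPLE_ADMIN" kmacmill EXAMPLE.COM
classify_cache "$SAMPLE_OWN"   kmacmill EXAMPLE.COM
classify_cache "$SAMPLE_NONE"  kmacmill EXAMPLE.COM
```

In practice the wrapper would be called as `require_own_ticket "$(klist 2>&1)" "$(id -un)" EXAMPLE.COM && /usr/sbin/ipa-adduser ...`; the classification alone is also useful as a login-time reminder that an admin ticket is still live.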
