Organization: Internet-USENET Gateway at Stanford University
Date: Wed, 9 Sep 1992 01:40:05 GMT
Lines: 26
In article <9209082303.AA10434@ocfmail.ocf.llnl.gov>, nessett@ocfmail.ocf.llnl.gov (Danny Nessett) writes:
> If an organization wants to keep its authentication data in exactly
> one place, existing authentication mechanisms are insufficient. As
> Chuck Athey has pointed out, you need at least an entry for root
> in /etc/passwd for the system to be administered and integrated into a
> Kerberos realm. This means two sources of authentication data must be
> maintained, one in the system's /etc/passwd file (or some surrogate
> such as a yp database) and one in the Kerberos database.
I think you may be confusing authentication and authorization: even if a system
were completely Kerberized for authentication purposes, you would still need
some way to specify which principals were *authorized* to perform various
tasks, access local files, etc. Probably you would want this control to reside
locally, or at least be configurable on a machine-by-machine basis -- I might
be trusted to administer a software development system, but not to browse the
company's payroll files. That's where the /etc/passwd file (or its surrogate)
comes in, in specifying which users (however they are authenticated) are
allowed what type of access (if any) to the local system.
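The separation the reply describes, as an added example that is not part of the thread: a small model in which a Kerberos-style verified principal is only an identity, and a per-host mapping plus the host's own /etc/passwd-style table decide which local account, if any, that identity may act as. The realm name, principals, accounts and the mapping tables are constructed for illustration.

```python
# Added example (not from the thread): authentication answers "who is this
# principal?"; the per-host mapping and local passwd table answer "what may
# they do here?". A verified identity grants nothing until the host maps it.

# Constructed sample: a local /etc/passwd fragment for one host.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice Dev:/home/alice:/bin/sh
payroll:x:1002:1002:Payroll:/home/payroll:/bin/sh
"""

# Constructed per-host maps from Kerberos principal to local account, in the
# spirit of a .k5login file: each machine decides independently who gets in.
DEV_HOST_MAP = {"alice@EXAMPLE.COM": "alice", "alice/admin@EXAMPLE.COM": "root"}
PAYROLL_HOST_MAP = {"bob@EXAMPLE.COM": "payroll"}


def parse_passwd(text):
    """Parse passwd-format lines into {name: {uid, gid, home, shell}}."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":", 6)
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def authorize(principal, authenticated, host_map, passwd_text):
    """Return the local account `principal` may act as on this host, or None.

    `authenticated` stands in for a successful ticket verification by the KDC.
    Even when it is True, the host's own map and passwd table have the final say.
    """
    if not authenticated:
        return None  # authentication failed: nothing to authorize
    local = host_map.get(principal)
    if local is None:
        return None  # known to the realm, but not authorized on this machine
    users = parse_passwd(passwd_text)
    if local not in users or users[local]["shell"] in ("/bin/false", "/sbin/nologin"):
        return None  # mapped to a missing or disabled local account
    return local
```

The same principal is accepted on the development host and refused on the payroll host, which is exactly the per-machine control the reply argues for.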