LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 01-09-2016, 09:39 AM   #1
bob4
LQ Newbie
 
Registered: Jan 2016
Posts: 1

Rep: Reputation: Disabled
Assigning restricted admin role


Is it possible to give a user restricted administrative rights to only unlock other user accounts that get locked out? If so, how is this done?
 
Old 01-09-2016, 10:08 AM   #2
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,843

Rep: Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472
IT can depend on a number of things - mostly how the user accounts are administered. There is NIS, LDAP, Kerberos + LDAP/NIS, local accounts only...

In some cases, a program specifically designed to just unlock a specific class of accounts (determined by UID? or whatever) can be accessed via sudo, which can have the specific command option limited to specific users.

In other cases, it requires access to remote databases... and the database support itself may be able to provide subsets.

It also depends on whether that same user is also supposed to be able to change the password (a locked account is just a flag... and clearing it doesn't necessarily change the password, and changing a password doesn't necessarily unlock the account).

So "how is this done" has lots of different answers.
 
Old 01-09-2016, 10:17 AM   #3
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware, MX 18
Posts: 9,484
Blog Entries: 15

Rep: Reputation: 1162Reputation: 1162Reputation: 1162Reputation: 1162Reputation: 1162Reputation: 1162Reputation: 1162Reputation: 1162Reputation: 1162
Hi & Welcome to Linux Questions.


AFAIK only the Administrator (root user) can do that.
http://www.cyberciti.biz/faq/linux-locking-an-account/

The Administrator can also give other users Read, Write and Executable permissions and Configure a user account to use a restricted shell.

http://www.cyberciti.biz/tips/linux-...with-rssh.html

Is the account locked due to several failed log in attempts?
If so see here:

http://superuser.com/questions/58921...x-user-account
http://sharadchhetri.com/2013/12/13/...ount-in-linux/
 
Old 01-09-2016, 10:23 AM   #4
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,843

Rep: Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472
Quote:
Originally Posted by Ztcoracat View Post
Hi & Welcome to Linux Questions.


AFAIK only the Administrator (root user) can do that.
http://www.cyberciti.biz/faq/linux-locking-an-account/
It is possible for root to delegate that. A number of user administration tools are around. The problem is that there are a number of ways user accounts can be setup - some local, most are remote.

Kerberos has ways of locking user accounts - and being able to manipulate the kerberos database is one of the ways to do that - using various kerberos privilege flags to do so.
 
Old 01-09-2016, 10:40 AM   #5
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware, MX 18
Posts: 9,484
Blog Entries: 15

Rep: Reputation: 1162Reputation: 1162Reputation: 1162Reputation: 1162Reputation: 1162Reputation: 1162Reputation: 1162Reputation: 1162Reputation: 1162
Thanks jpollard-

I found the documentation on Kerberos on the RH website.
https://access.redhat.com/documentat..._Kerberos.html

Is the local user generally on the client?
 
Old 01-09-2016, 01:23 PM   #6
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,843

Rep: Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472Reputation: 1472
Not necessarily.

A user may obtain credentials on an untrusted system with kerberos clients... The credentials have a limited lifetime, usually 8 to 10 hours (as decided by the KDC administrators). That untrusted system will have its own login requirements.

A trusted system will require the use to obtain credentials during a login. The basic procedure is that the login tool performs a kinit to obtain user credentials, then it uses those credentials to obtain a service ticket for the trusted system. It then uses the host credential already present on the trusted system to validate the credential. After the service credential is validated, the user is then authorized by the system using what methods it has been configured. "what methods" can be the basic UNIX authorization (user account exists, authorized storage access, and any local time restrictions), or remote (LDAP/NIS/... record exists, users storage matches and exists...). It roughly corresponds to an AD login in windows.

One of the things that is possible is that the users credentials may be accepted by servers for different periods.

One of the places I worked had the servers configured to only accept user credentials if they were less than 15 minutes old if the connection was from an "untrusted" network. "untrusted" here means a network not under control by the administrators (they could just reject the credentials entirely... but a lot of the users were remote, and the network those users were on happened to be educational, or home networks - thus "untrusted"). If the credential was from a trusted client then the credential would be given 10 hours. If the credential came from an internal server, it might be trusted for 24 hours.

After the "trust" period had expired, the user is locked out until they obtain new credentials.

Trust of a client involved giving that client system a host keytab, and that required the client to be managed/controlled by the organization issuing the keytab. Thus servers within the site were trusted, but that trust could also be given to workstations also managed by the site.

Last edited by jpollard; 01-09-2016 at 01:33 PM.
 
1 members found this post helpful.
Old 01-09-2016, 07:02 PM   #7
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware, MX 18
Posts: 9,484
Blog Entries: 15

Rep: Reputation: 1162Reputation: 1162Reputation: 1162Reputation: 1162Reputation: 1162Reputation: 1162Reputation: 1162Reputation: 1162Reputation: 1162
Quote:
Originally Posted by jpollard View Post
Not necessarily.

A user may obtain credentials on an untrusted system with kerberos clients... The credentials have a limited lifetime, usually 8 to 10 hours (as decided by the KDC administrators). That untrusted system will have its own login requirements.

A trusted system will require the use to obtain credentials during a login. The basic procedure is that the login tool performs a kinit to obtain user credentials, then it uses those credentials to obtain a service ticket for the trusted system. It then uses the host credential already present on the trusted system to validate the credential. After the service credential is validated, the user is then authorized by the system using what methods it has been configured. "what methods" can be the basic UNIX authorization (user account exists, authorized storage access, and any local time restrictions), or remote (LDAP/NIS/... record exists, users storage matches and exists...). It roughly corresponds to an AD login in windows.

One of the things that is possible is that the users credentials may be accepted by servers for different periods.

One of the places I worked had the servers configured to only accept user credentials if they were less than 15 minutes old if the connection was from an "untrusted" network. "untrusted" here means a network not under control by the administrators (they could just reject the credentials entirely... but a lot of the users were remote, and the network those users were on happened to be educational, or home networks - thus "untrusted"). If the credential was from a trusted client then the credential would be given 10 hours. If the credential came from an internal server, it might be trusted for 24 hours.

After the "trust" period had expired, the user is locked out until they obtain new credentials.

Trust of a client involved giving that client system a host keytab, and that required the client to be managed/controlled by the organization issuing the keytab. Thus servers within the site were trusted, but that trust could also be given to workstations also managed by the site.
Good information:-
I'll have to read the Documentation to understand the details fully; Thanks.

bob4:
Are you on a server for the Enterprise?

If so you should utilize jpollard council and consider using Kerberos.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Change kerberos admin password (Kinit admin) integrated with IPA ardee3949 Linux - Security 1 06-19-2015 02:00 PM
LXer: Meet your new network admin: The Linux admin (and vice versa) LXer Syndicated Linux News 0 10-22-2013 12:32 AM
Where do I find a System Admin role in the UK? FirstClarity LinuxQuestions.org Member Intro 0 10-09-2012 05:53 AM
Junior linux admin role -- few questions paperbag Linux - General 28 10-17-2008 05:12 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 08:34 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration