/!\ Please note that the following will not work on machines configured to use LDAP.

You will (obviously) need root on the system to do this. You need Kerberos admin privileges only if the user does not have a [user]/root principal.

First make sure the user has a CClub account. See Common Maintenance Tasks/Adding a club account.

Next make sure they have a [user]/root Kerberos principal. If they do not, make it:

 kadmin add --random-password --attributes='' [USER]/root 

Set the expiration date as appropriate for this user. At a minimum, setting it to their expected graduation date is probably wise.

On the system you want to give access to:

First give the user permissions to actually log in. This is done by adding their username to /etc/local_users (one user per line). This will be used by an hourly cronjob to update /etc/passwd. If you are impatient, do:

 sh /afs/club/system/scripts/sh/passwd-update.sh 

Then give the user ksu abilities on the machine. This is done by adding their Kerberos root principal (i.e. [user]/root@CLUB.CC.CMU.EDU) to /etc/root-k5login.local. Again, one user per line. An hourly cron job will append the contents of this file to /root/.k5login. If you are impatient, just do it yourself:

 cat /etc/root-k5login.local >> /root/.k5login 

And that should be it.
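A consistency check for the three files this procedure touches, as an added example that is not part of the original page or the club's own scripts. The function names, finding labels and sample users are hypothetical; it assumes one entry per line as described above, and it does not flag /root/.k5login entries that come from elsewhere.

```sh
#!/bin/sh
# Added example: audit the three files from the procedure above.
# Function names and sample users are hypothetical; realm and file roles are the page's.
REALM='CLUB.CC.CMU.EDU'

# One entry per line: trim whitespace, drop blank lines.
entries() { sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"; }

# audit_root_access LOCAL_USERS ROOT_K5LOGIN_LOCAL ROOT_K5LOGIN
# Prints one finding per line, nothing if the files agree.
audit_root_access() {
    lu=$1; kl=$2; k5=$3
    entries "$kl" | while IFS= read -r princ; do
        user=${princ%"/root@$REALM"}
        case $user in
            "$princ"|''|*/*|*@*) echo "BAD_PRINCIPAL $princ"; continue ;;
        esac
        # ksu rights but no login entry: a typo, or a removed account left behind
        entries "$lu" | grep -qxF -- "$user" || echo "NO_LOGIN $princ"
        # the hourly cron job has not yet copied this entry to root's .k5login
        entries "$k5" | grep -qxF -- "$princ" || echo "NOT_PROPAGATED $princ"
    done
    # every append repeats the whole local file, so duplicates pile up
    entries "$k5" | sort | uniq -d | sed 's/^/DUPLICATE /'
}

# Constructed sample files (not real accounts), written under directory $1.
make_sample() {
    printf '%s\n' alice bob > "$1/local_users"
    printf '%s\n' "alice/root@$REALM" "carol/root@$REALM" "bob@$REALM" \
        "bob/root@$REALM" > "$1/root-k5login.local"
    printf '%s\n' "alice/root@$REALM" "carol/root@$REALM" \
        "alice/root@$REALM" > "$1/k5login"
}

# Demo run against the constructed sample.
d=$(mktemp -d)
make_sample "$d"
audit_root_access "$d/local_users" "$d/root-k5login.local" "$d/k5login"
rm -rf "$d"
```

On a real machine the three arguments would be /etc/local_users, /etc/root-k5login.local and /root/.k5login.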



Common Maintenance Tasks/Giving root on specific systems (last edited 2016-09-19 01:42:41 by kbare@CLUB.CC.CMU.EDU)