System Administration Guide: Security Services

ProcedureHow to Modify the Kerberos Administration Privileges

Even though your site probably has many user principals, you usually want only a few users to be able to administer the Kerberos database. Privileges to administer the Kerberos database are determined by the Kerberos access control list (ACL) file, kadm5.acl. The kadm5.acl file enables you to allow or disallow privileges for individual principals. Or, you can use the '*' wildcard in the principal name to specify privileges for groups of principals.

  1. Become superuser on the master KDC.

  2. Edit the /etc/krb5/kadm5.acl file.

    An entry in the kadm5.acl file must have the following format:

    principal privileges [principal-target]


    Specifies the principal to which the privileges are granted. Any part of the principal name can include the '*' wildcard, which is useful for providing the same privileges for a group of principals. For example, if you want to specify all principals with the admin instance, you would use */admin@realm.

    Note that a common use of an admin instance is to grant separate privileges (such as administration access to the Kerberos database) to a separate Kerberos principal. For example, the user jdb might have a principal for his administrative use, called jdb/admin. This way, the user jdb obtains jdb/admin tickets only when he or she actually needs to use those privileges.


    Specifies which operations can or cannot be performed by the principal. This field consists of a string of one or more of the following list of characters or their uppercase counterparts. If the character is uppercase (or not specified), then the operation is disallowed. If the character is lowercase, then the operation is permitted. 



    [Dis]allows the addition of principals or policies. 



    [Dis]allows the deletion of principals or policies. 



    [Dis]allows the modification of principals or polices. 



    [Dis]allows the changing of passwords for principals. 



    [Dis]allows inquiries to the Kerberos database. 



    [Dis]allows the listing of principals or policies in the Kerberos database. 


    x or *

    Allows all privileges (admcil).


    When a principal is specified in this field, the privileges apply to the principal only when the principal operates on the principal-target. Any part of the principal name can include the '*' wildcard, which is useful to group principals.

Example 25–8 Modifying the Kerberos Administration Privileges

The following entry in the kadm5.acl file gives any principal in the EXAMPLE.COM realm with the admin instance all the privileges on the Kerberos database:

*/admin@EXAMPLE.COM *

The following entry in the kadm5.acl file gives the jdb@EXAMPLE.COM principal the privileges to add, list, and inquire about any principal that has the root instance.