Sun Enterprise Authentication Mechanism Guide

How to Modify the Kerberos Administration Privileges

Even though your site probably has a lot of user principals, you usually want only a few users to be able to administer the Kerberos database. Privileges to administer the Kerberos database are determined by the Kerberos Access Control List (ACL) file, kadm5.acl(4). The kadm5.acl file enables you to allow or disallow privileges for individual principals, or you can use the '*' wildcard in the principal name to specify privileges for groups of principals.

  1. Become superuser on the master KDC.

  2. Edit the /etc/krb5/kadm5.acl file.

    An entry in the kadm5.acl file must have the following format:

    principal   privileges  [principal_target]

    principal

    The principal to which the privileges are granted. Any part of the principal name can include the '*' wildcard, which is useful for providing the same privileges for a group of principals. For example, if you wanted to specify all principals with the admin instance, you would use */admin@realm. Note that a common use of an admin instance is to grant separate privileges (such as administration access to the Kerberos database) to a separate Kerberos principal. For example, the user jdb might have a principal for his administrative use, called jdb/admin. This way, jdb obtains jdb/admin tickets only when he actually needs to use those privileges.

    privileges

    Specifies what operations can or cannot be performed by the principal. This is a string of one or more of the following characters or their uppercase counterparts. If the character is uppercase (or not specified), then the operation is disallowed. If the character is lowercase, then the operation is permitted.

    a       [Dis]allows the addition of principals or policies.
    d       [Dis]allows the deletion of principals or policies.
    m       [Dis]allows the modification of principals or policies.
    c       [Dis]allows the changing of passwords for principals.
    i       [Dis]allows inquiries to the database.
    l       [Dis]allows the listing of principals or policies in the database.
    x or *  Allows all privileges (admcil).

    principal_target

    When a principal is specified in this field, the privileges apply to principal only when it operates on a principal that matches principal_target. Any part of the principal_target name can include the '*' wildcard, which is useful to group principals.

Example--Modifying the Kerberos Administration Privileges

The following entry in the kadm5.acl file gives any principal in the ACME.COM realm with the admin instance all the privileges on the database.

*/admin@ACME.COM *

The following entry in the kadm5.acl file gives the jdb@ACME.COM principal the privilege to add, list, and inquire about any principal that has the root instance.

jdb@ACME.COM ali */root@ACME.COM
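To make the matching rules above concrete, the following added Python evaluator (not part of this guide or of any Kerberos implementation) parses kadm5.acl entries, including the two shown here, and decides whether a given principal may perform an operation on a given target. It assumes that lines starting with '#' are comments, that '*' matches any characters within a single name component or the realm but never across a '/' boundary, and that the first matching entry decides.

```python
import re

ALL_PRIVS = "admcil"  # what the 'x' or '*' privilege string expands to

# Constructed sample ACL: this page's two entries plus an uppercase-denying one.
SAMPLE_ACL = """\
# comment lines and blank lines are skipped (assumption)
*/admin@ACME.COM      *
jdb@ACME.COM          ali      */root@ACME.COM
*/readonly@ACME.COM   ADMCil
"""

def _glob(pattern, text):
    """'*' matches any run of characters; everything else is literal."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, text) is not None

def principal_matches(pattern, principal):
    """Component-wise match: realm and each '/'-separated name component
    are matched separately, so '*' never spans a component (assumption)."""
    pat_name, _, pat_realm = pattern.rpartition("@")
    name, _, realm = principal.rpartition("@")
    pat_parts, parts = pat_name.split("/"), name.split("/")
    if len(pat_parts) != len(parts) or not _glob(pat_realm, realm):
        return False
    return all(_glob(p, c) for p, c in zip(pat_parts, parts))

def parse_acl(text):
    """Return a list of (principal, privileges, principal_target) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        privs = ALL_PRIVS if fields[1] in ("x", "*") else fields[1]
        target = fields[2] if len(fields) > 2 else None
        entries.append((fields[0], privs, target))
    return entries

def allowed(entries, principal, op, target=None):
    """op is one of 'admcil'. The first entry whose principal (and target,
    if it has one) matches decides; only a lowercase letter permits."""
    for pat, privs, target_pat in entries:
        if not principal_matches(pat, principal):
            continue
        if target_pat is not None and (target is None or not principal_matches(target_pat, target)):
            continue
        return op in privs  # uppercase or absent letters deny
    return False
```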