The few users who are privileged to administer the Kerberos database are specified in the Kerberos access control list (ACL). This list is maintained as entries in a file, /etc/krb5/kadm5.acl. For more information, see the kadm5.acl(4) man page.
To add entries to the kadm5.acl file, use the pfedit command.
# pfedit /etc/krb5/kadm5.acl
An entry in the kadm5.acl file has the following format:
principal privileges [principal-target]
principal – Specifies the principal to which the privileges are granted. Any part of the principal name can include the '*' wildcard, which is useful for providing the same privileges for a group of principals. For example, if you want to specify all principals with the admin instance, you would use */admin@realm.
Note that a common use of an admin instance is to grant separate privileges (such as administrative access to the Kerberos database) to a separate Kerberos principal. For example, the user jdb might have a principal for administrative use, called jdb/admin. By having two principals, the user jdb obtains jdb/admin tickets only when administrative privileges are required.
privileges – Specifies which operations the principal can perform. This field is a string made up of one or more of the following characters. If a character is uppercase or absent, the corresponding operation is disallowed. If the character is lowercase, the operation is allowed.
[A]a – [Dis]allows the addition of principals or policies.
[C]c – [Dis]allows the changing of passwords for principals.
[D]d – [Dis]allows the deletion of principals or policies.
[I]i – [Dis]allows inquiries to the Kerberos database.
[L]l – [Dis]allows the listing of principals or policies.
[M]m – [Dis]allows the modification of principals or policies.
x or * – Allows all privileges (admcil).
principal-target – When a principal is specified in this field, the principal's privileges apply to this principal only. To assign privileges to a group of principals, use the '*' wildcard in principal-target.
The following entry in the kadm5.acl file gives any principal in the EXAMPLE.COM realm with the admin instance all the privileges on the Kerberos database:
The following entry in the kadm5.acl file gives the jdb@EXAMPLE.COM principal the privileges to list and inquire about any principal that has the root instance.
jdb@EXAMPLE.COM li */root@EXAMPLE.COM
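To make the entry format above concrete, here is an added example (not code from the Oracle documentation or from Kerberos itself) that parses a small constructed kadm5.acl file and answers the question "may principal X perform operation Y on principal Z?". The constructed file contains the two entries described on this page plus a help-desk entry added for illustration. Two points are modelling assumptions rather than facts stated on the page: the first matching entry is taken as authoritative, and an entry carrying a principal-target is only consulted when the operation names a target that matches it. Wildcard matching is done per component with fnmatch, so `*/admin@EXAMPLE.COM` matches `jdb/admin@EXAMPLE.COM` but not `jdb@EXAMPLE.COM`.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Set

# Privilege letters from the kadm5.acl(4) description: add, delete,
# modify, change password, inquire, list. 'x' or '*' expands to all six.
ALL_PRIVS = "admcil"

# Constructed sample ACL: the two entries from the documentation plus a
# hypothetical help-desk principal that may only reset passwords of
# single-component (user) principals, never of */admin or */root instances.
SAMPLE_ACL = """
# who                  privileges  principal-target
*/admin@EXAMPLE.COM    *
jdb@EXAMPLE.COM        li          */root@EXAMPLE.COM
helpdesk@EXAMPLE.COM   cil         *@EXAMPLE.COM
"""


@dataclass
class AclEntry:
    principal: str          # pattern for the principal being granted rights
    allowed: Set[str]       # lowercase privilege letters that are granted
    target: Optional[str]   # principal-target pattern, or None for any target


def parse_privs(field: str) -> Set[str]:
    """Lowercase grants, uppercase denies, 'x'/'*' grants everything.
    Anything not granted is denied, as the manual page describes."""
    granted: Set[str] = set()
    for ch in field:
        if ch in "x*":
            granted |= set(ALL_PRIVS)
        elif ch.islower() and ch in ALL_PRIVS:
            granted.add(ch)
        elif ch.isupper() and ch.lower() in ALL_PRIVS:
            granted.discard(ch.lower())   # explicit denial such as 'D'
        else:
            raise ValueError(f"unknown privilege character {ch!r}")
    return granted


def parse_acl(text: str) -> List[AclEntry]:
    """Parse 'principal privileges [principal-target]' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"malformed entry: {raw!r}")
        target = fields[2] if len(fields) == 3 else None
        entries.append(AclEntry(fields[0], parse_privs(fields[1]), target))
    return entries


def split_principal(name: str):
    """'jdb/admin@EXAMPLE.COM' -> (['jdb', 'admin'], 'EXAMPLE.COM')."""
    body, sep, realm = name.partition("@")
    return body.split("/"), (realm if sep else "")


def principal_matches(pattern: str, name: str) -> bool:
    """Match component by component; '*' matches a whole component (or realm).
    The component counts must agree, so '*/admin' never matches a bare user."""
    p_comps, p_realm = split_principal(pattern)
    n_comps, n_realm = split_principal(name)
    if len(p_comps) != len(n_comps):
        return False
    pairs = zip(p_comps + [p_realm], n_comps + [n_realm])
    return all(fnmatchcase(value, pat) for pat, value in pairs)


def is_allowed(entries: List[AclEntry], who: str, op: str,
               target: Optional[str] = None) -> bool:
    """Assumed semantics: the first entry matching `who` (and, if the entry
    restricts a target, a matching `target`) decides. No match means denied."""
    for e in entries:
        if not principal_matches(e.principal, who):
            continue
        if e.target is not None:
            if target is None or not principal_matches(e.target, target):
                continue
        return op in e.allowed
    return False


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    checks = [
        ("jdb/admin@EXAMPLE.COM", "d", "alice@EXAMPLE.COM"),      # admin instance: everything
        ("jdb@EXAMPLE.COM", "i", "host/root@EXAMPLE.COM"),         # inquire on a root instance
        ("jdb@EXAMPLE.COM", "m", "host/root@EXAMPLE.COM"),         # modify not granted
        ("helpdesk@EXAMPLE.COM", "c", "alice@EXAMPLE.COM"),        # user password reset
        ("helpdesk@EXAMPLE.COM", "c", "alice/admin@EXAMPLE.COM"),  # admin instance protected
    ]
    for who, op, tgt in checks:
        print(f"{who:28} {op} {tgt:26} -> {is_allowed(acl, who, op, tgt)}")
```

Running the block prints a decision per check; the help-desk line shows why the component-count rule matters: a pattern of `*@EXAMPLE.COM` cannot be stretched to cover `alice/admin@EXAMPLE.COM`, so a password-reset privilege granted to ordinary users does not leak onto administrative instances.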