list_principals not allowed, acl file not opened?

Marcus Watts mdw at umich.edu
Wed Dec 17 14:28:54 EST 2008


Julius <commercials at gmx.net> writes:
...
> > kadmin -p admin/admin
> > Authenticating as principal admin/admin with password.
> > Password for admin/admin at LOCALDOMAIN.DE: 
> > kadmin:  list_principals
> > get_principals: Operation requires ``list'' privilege while retrieving
> > list.
> > 
> > 
> > strace ./krb5kdc 2>&1 |grep usr          does not list kdc.conf file?
> > 
> > 
> > what is going wrong here?
...

If you're looking for the acl file reference, do strace
on kadmind not on krb5kdc.  If you're looking for the
kdc.conf reference, either krb5kdc or kadmind will work.
In this particular case, krb5kdc should fork before trying
to read kdc.conf, so it would be very surprising
to see kdc.conf in strace's output.  Use strace -f to fix that.
Better yet, I recommend
	strace -f -o /tmp/foo.out ...
then use grep, vi, or other tools on foo.out.  Looking for
"kdc.conf" rather than "/usr" is likely to result in easier
to understand data that is more relevant.
You can also set these environment variables:
	KRB5_CONFIG=/etc/krb5.conf
	KRB5_KDC_PROFILE=/usr/krb5/var/krb5kdc/kdc.conf
at runtime to tell kadmind|krb5kdc exactly what they should read
instead - but you should not need that under ordinary circumstances.
My recollection is that you need to restart kadmind before changes in
the acl file are recognized - past that, I would hate to speculate just
what is going on in your setup.

				-Marcus Watts
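
Added example, not part of the original message: a small filter for the `strace -f -o` log suggested above. It reports, per PID, whether each open of a matching file succeeded or failed. The function name `opened_files`, the sample log lines, and the ACL file name and path (`kadm5.acl` in the kdc.conf directory from the message) are constructed assumptions.

```shell
#!/bin/sh
# Summarise opens of files matching REGEX in an `strace -f -o LOG` file.
# Usage: opened_files LOG REGEX
# Prints one line per call: PID RESULT PATH  (RESULT is "ok" or an errno name)
opened_files() {
    awk -v pat="$2" '
        # With -f -o every line starts with the PID that made the call,
        # so field 2 is the syscall name plus its first argument.
        $2 ~ /^(open|openat)\(/ {
            # Skip calls split across lines (<unfinished ...>): no return value.
            if ($0 !~ / = -?[0-9]+/) next
            # The first double-quoted string on the line is the path.
            if (match($0, /"[^"]*"/) == 0) next
            path = substr($0, RSTART + 1, RLENGTH - 2)
            if (path !~ pat) next
            # The return value follows the last " = " on the line.
            ret = $0
            sub(/.* = /, "", ret)
            split(ret, r, " ")
            result = (r[1] == "-1") ? r[2] : "ok"
            print $1, result, path
        }
    ' "$1"
}

# Constructed sample log (not real output): PID 4711 is the parent,
# PID 4712 a forked child that only shows up because of -f.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
4711 openat(AT_FDCWD, "/etc/krb5.conf", O_RDONLY) = 3
4711 clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 4712
4712 openat(AT_FDCWD, "/usr/krb5/var/krb5kdc/kdc.conf", O_RDONLY) = 3
4712 read(3, "[kdcdefaults]\n", 4096) = 14
4712 openat(AT_FDCWD, "/usr/krb5/var/krb5kdc/kadm5.acl", O_RDONLY) = -1 ENOENT (No such file or directory)
4712 openat(AT_FDCWD, "/usr/lib/libc.so.6", O_RDONLY <unfinished ...>
EOF

# Bracketed dots avoid awk escape handling in the -v assignment.
opened_files "$SAMPLE" 'kdc[.]conf$|kadm5[.]acl$'
```

A matching file that never appears in the output was never opened by any traced process. A line showing ENOENT or EACCES means the daemon looked for the file but could not read it.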
