Wallet: a few questions on ACLs (and other animals)

Jan-Piet Mens jpmens.dns at gmail.com
Thu Jun 14 08:29:29 EDT 2012


I'm *really* liking Wallet (v0.12), but have a few questions, mainly
regarding ACLs and their use. I hope you can help me. Here goes:

1. I'm unsure of the order in which wallet commands are issued. In order
   to create and then obtain (i.e. `get') a keytab I seem to have to
   issue the following commands from a client:

        wallet create keytab nfs/a.net
        wallet owner keytab nfs/a.net ADMIN
        wallet -f /tmp/keytab get keytab nfs/a.net

   If that is so, why do I have to explicitly set the owner after it's

2. Is there some method of setting an owner on (newly created) objects
   automatically? The documentation states:

        With some backends, this will trigger creation of an entry in an
        external system as well.  The new object will have no ACLs and
        no owner set, so usually the administrator will want to then set
        an owner with "owner" so that the object will be usable.

   Phrased differently, is there a best practice to obtain a host keytab
   for a machine that is deployed automatically?

3. The 'comment' command, while documented in wallet(1), isn't
   implemented in 0.12 (I haven't tried the latest Git repo yet):

        $ wallet comment file m1
        wallet: uknown command comment

4. doc: wallet(1) says the `owner' command will print the NAME of an
   ACL. It prints its number.

5. How can I set an object to be read-only? For example, I want to
   create a `file' object writeable by an administrator but readable by
   certain principals only.

6. getattr/setattr: what are the names of the <attr>ibutes? Are these
   the attributes mentioned in, say, Wallet::Object::Keytab? If I run
        wallet getattr keytab nfs/a.net enctypes

   nothing is printed.

7. config: I can specify wallet = {} options in krb5.config. May I
   specify more than one Wallet server (to implement failover)?

   Related: Is it possible to configure the wallet servername via a DNS
   SRV/TXT record?  (Haven't checked the source code -- sorry.)

That'll be all. For the moment. ;-)
