Wallet: a few questions on ACLs (and other animals)
Jan-Piet Mens
jpmens.dns at gmail.com
Thu Jun 14 08:29:29 EDT 2012
Hello,
I'm *really* liking Wallet (v0.12), but have a few questions, mainly
regarding ACLs and their use. I hope you can help me. Here goes:
1. I'm unsure of the order in which wallet commands are issued. In order
to create and then obtain (i.e. `get') a keytab I seem to have to
issue the following commands from a client:
    wallet create keytab nfs/a.net
    wallet owner keytab nfs/a.net ADMIN
    wallet -f /tmp/keytab get keytab nfs/a.net
If that is so, why do I have to explicitly set the owner after it's
created?
2. Is there some method of setting an owner on (newly created) objects
automatically? The documentation states:
    With some backends, this will trigger creation of an entry in an
    external system as well. The new object will have no ACLs and
    no owner set, so usually the administrator will want to then set
    an owner with "owner" so that the object will be usable.
Phrased differently, is there a best practice to obtain a host keytab
for a machine that is deployed automatically?
3. The 'comment' command, while documented in wallet(1) isn't
implemented in 0.12 (haven't tried latest Git repo yet)
    $ wallet comment file m1
    wallet: uknown command comment
4. doc: wallet(1) says the `owner' command will print the NAME of an
ACL. It prints its number.
5. How can I set an object to be read-only? For example, I want to
create a `file' object writeable by an administrator but readable by
certain principals only.
6. getattr/setattr: what are the names of the <attr>ibutes? Are these
the attributes mentioned in, say, Wallet::Object::Keytab? If I
call
    wallet getattr keytab nfs/a.net enctypes
nothing is printed.
7. config: I can specify wallet = {} options in krb5.config. May I
specify more than one Wallet server (to implement failover)?
Related: Is it possible to configure the wallet servername via a DNS
SRV/TXT record? (Haven't checked the source code -- sorry.)
That'll be all. For the moment. ;-)
Regards,
-JP
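An added example, not part of this message and not code from the wallet project, wrapping the create / owner / get sequence from question 1 and the "writable by an administrator, readable by certain principals" file object from question 5 in a script a provisioning job could run. It assumes `wallet` is on PATH with the syntax shown in the message, that the caller holds the ADMIN ACL, and that the `acl create`, `acl add <acl> krb5 <principal>` and `setacl <type> <name> get <acl>` subcommands exist as documented in wallet(1); those subcommands are not quoted in the message, so check them against your installed version. The `WALLET` variable exists so the script can be exercised against a stub instead of a live server.

```shell
#!/bin/sh
# Wallet provisioning helpers (added example, not from the mailing-list post).
# WALLET names the client binary; override it to point at a stub for dry runs.
WALLET="${WALLET:-wallet}"

# provision_keytab PRINCIPAL OWNER_ACL DEST
# Creates the keytab object, sets its owner, and fetches it into DEST.
# Runs in a subshell so the restrictive umask does not leak to the caller;
# "exit" therefore only leaves the subshell and becomes the return status.
provision_keytab() (
    principal="$1"; owner_acl="$2"; dest="$3"
    [ -n "$principal" ] && [ -n "$owner_acl" ] && [ -n "$dest" ] || exit 2

    # Keytabs are credentials: make sure the file is created mode 0600.
    umask 077

    "$WALLET" create keytab "$principal" || exit 1
    # A freshly created object has no owner, so set it before fetching.
    "$WALLET" owner keytab "$principal" "$owner_acl" || exit 1
    "$WALLET" -f "$dest" get keytab "$principal" || exit 1

    # Refuse to report success for an empty or missing keytab file.
    [ -s "$dest" ] || { echo "provision_keytab: $dest is empty" >&2; exit 1; }
)

# grant_readonly_file NAME ACL_NAME PRINCIPAL...
# Builds an ACL holding the given krb5 principals and attaches it to the
# file object's "get" right only. The owner ACL keeps store/show/destroy,
# so the administrator can still write; the listed principals can only read.
grant_readonly_file() (
    name="$1"; acl_name="$2"; shift 2
    [ -n "$name" ] && [ -n "$acl_name" ] && [ $# -gt 0 ] || exit 2

    "$WALLET" acl create "$acl_name" || exit 1
    for princ in "$@"; do
        "$WALLET" acl add "$acl_name" krb5 "$princ" || exit 1
    done
    "$WALLET" setacl file "$name" get "$acl_name" || exit 1
)

# Usage (against a real server):
#   provision_keytab nfs/a.net ADMIN /etc/krb5.keytab.nfs
#   grant_readonly_file m1 m1-readers host/a.net@EXAMPLE.COM
```

Both helpers stop at the first failing wallet command, so a missing owner (the situation described in the quoted documentation) is surfaced as a non-zero exit rather than an empty keytab file silently left on disk.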