kadmin ignoring target column?
Russ Allbery
eagle at eyrie.org
Sun Jan 12 14:17:42 EST 2020
Laura Smith <n5d9xq3ti233xiyif2vp at protonmail.ch> writes:
> I am trying to create a suitably restricted user for use with
> configuration automation (SaltStack). My line looks like the following:
> saltstack/admin@EXAMPLE.COM ADMCIL nfs/*@EXAMPLE.COM
> I have edited kadm5.acl and restarted kadmind, however list_princs
> returns a list of all principals, not just nfs/*?
> If I remove the target column (i.e. saltstack/admin@EXAMPLE.COM ADMCIL)
> and restart kadmind, then ADMCIL operates as expected (blocks
> list_princs entirely).
I don't believe the "l" permission supports the target field. I think
it's all or nothing: either you can list all principals or you can't. The
man page for kadm5.acl seems to support that:
    l    [Dis]allows the listing of all principals or policies
--
Russ Allbery (eagle at eyrie.org) <https://www.eyrie.org/~eagle/>
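As an added example (not part of this thread, and not MIT Kerberos code), a small linter that parses kadm5.acl entries and flags the pattern in the question: a list permission (l or L) combined with a target field, which cannot scope it. The permission letters and field layout follow the MIT kadm5.acl man page; the sample ACL is constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# MIT kadm5.acl permission letters: lowercase grants, uppercase denies.
PERMS = {"a": "add", "c": "change password", "d": "delete", "e": "extract keys",
         "i": "inquire", "l": "list", "m": "modify", "p": "propagate", "s": "set key"}
ALL_SHORTHAND = set("admcilsp")  # what 'x' and '*' expand to ('e' is never implied)

@dataclass
class AclEntry:
    principal: str
    allow: Set[str]
    deny: Set[str]
    target: Optional[str] = None
    restrictions: Optional[str] = None

def parse_entry(line: str) -> Optional[AclEntry]:
    """Parse one line of kadm5.acl; blank and comment lines give None."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    # Fields: principal  permissions  [target_principal  [restrictions]];
    # maxsplit=3 keeps a multi-word restriction string intact.
    fields = body.split(None, 3)
    if len(fields) < 2:
        raise ValueError(f"malformed kadm5.acl line: {line!r}")
    allow, deny = set(), set()
    for ch in fields[1]:
        if ch in "x*":
            allow |= ALL_SHORTHAND
        elif ch.lower() in PERMS:
            (allow if ch.islower() else deny).add(ch.lower())
        else:
            raise ValueError(f"unknown permission {ch!r} in {line!r}")
    return AclEntry(fields[0], allow, deny, *fields[2:])

def lint(acl_text: str) -> List[str]:
    """Warn about entries that try to scope the list permission with a target."""
    warnings = []
    for n, line in enumerate(acl_text.splitlines(), 1):
        e = parse_entry(line)
        if e and e.target and "l" in (e.allow | e.deny):
            warnings.append(f"line {n}: {e.principal} has 'l'/'L' with target {e.target}; "
                            "listing is all-or-nothing, so the target does not scope it")
    return warnings

# Constructed sample modelled on the ACL line from the thread (not the poster's file).
SAMPLE_ACL = """\
*/admin@EXAMPLE.COM           *
saltstack/admin@EXAMPLE.COM   ADMCIL   nfs/*@EXAMPLE.COM
saltstack/admin@EXAMPLE.COM   ci       nfs/*@EXAMPLE.COM   -maxlife 7d
"""

if __name__ == "__main__":
    for w in lint(SAMPLE_ACL):
        print(w)
```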