kadmin ignoring target column?
Laura Smith
n5d9xq3ti233xiyif2vp at protonmail.ch
Sun Jan 12 16:37:42 EST 2020
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, January 12, 2020 7:17 PM, Russ Allbery <eagle at eyrie.org> wrote:
> Laura Smith n5d9xq3ti233xiyif2vp at protonmail.ch writes:
>
> > I am trying to create a suitably restricted user for use with
> > configuration automation (SaltStack ). My line looks like the following:
>
> > saltstack/admin@EXAMPLE.COM ADMCIL nfs/*@EXAMPLE.COM
>
> > I have edited kadm5.acl and restarted kadmind, however list_princs
> > returns a list of all principals, not just nfs/* ?
>
> > If I remove the target column (i.e. saltstack/admin@EXAMPLE.COM ADMCIL)
> > and restart kadmind, then ADMCIL operates as expected (blocks
> > list_princs entirely).
>
> I don't believe the "l" permission supports the target field. I think
> it's all or nothing: either you can list all principals or you can't. The
> man page for kadm5.acl seems to support that:
>
> l [Dis]allows the listing of all principals or policies
>
> -- 
>
> Russ Allbery (eagle at eyrie.org) https://www.eyrie.org/~eagle/
Hi Russ,
Fair enough, but I can still add/delete principals even with ADMCIL (e.g. I could add test/test, which should not be possible with an nfs/* restriction?)
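Added example, not from this thread and not MIT Kerberos code: a small Python model of how kadm5.acl entries are evaluated, run against a constructed three-line file. It makes the two points of the exchange concrete. The `l` letter has no per-target form, so a restricted automation principal is best given an explicit uppercase `L` (together with the other uppercase denials) on a line of its own; and because the first entry whose principal and target match is the one that decides, that deny line has to come before any broad `*/admin@REALM *` catch-all. The principals and the file are constructed, and one rule is an assumption of the model rather than something the thread establishes: an entry that carries a target_principal is skipped for an operation that has no target, such as list_principals. The thread does not show whether Laura's own kadm5.acl contains a catch-all line; the last two results only show what such a line does when it is present.

```python
"""First-match evaluator for MIT kadm5.acl entries (added illustration, not MIT code).

Rules modelled, from kadm5.acl(5):
  - entry format:  principal  permissions  [target_principal [restrictions]]
  - lowercase letters grant; uppercase letters deny; 'x' or '*' means all (admcilsp)
  - a whole principal component written as '*' matches any value for that component
  - entries are tried in file order; the first entry whose principal (and target)
    matches decides, and an operation that no entry matches is denied
Assumption (not settled by the thread): an entry carrying a target_principal is
skipped for operations that have no target, such as list_principals.
The 4th field (restrictions) is accepted but ignored here.
"""
from dataclasses import dataclass
from typing import Optional

ALL_PERMS = "admcilsp"           # what 'x' and '*' expand to
OPERATIONS = {"add": "a", "delete": "d", "modify": "m", "changepw": "c",
              "inquire": "i", "list": "l", "setkey": "s"}


@dataclass
class Entry:
    principal: str
    perms: str
    target: Optional[str]        # None when the entry applies to every target


def parse_principal(name: str):
    """'nfs/host@EXAMPLE.COM' -> (['nfs', 'host'], 'EXAMPLE.COM')."""
    body, _, realm = name.partition("@")
    return body.split("/"), realm


def match_principal(pattern: str, name: str) -> bool:
    """Component-wise comparison; '*' matches a whole component or the realm."""
    if pattern == "*":
        return True
    pcomps, prealm = parse_principal(pattern)
    ncomps, nrealm = parse_principal(name)
    if prealm not in ("*", nrealm) or len(pcomps) != len(ncomps):
        return False
    return all(p in ("*", n) for p, n in zip(pcomps, ncomps))


def granted(perms: str) -> set:
    """Letters the permission string grants. Uppercase letters grant nothing:
    they are explicit denials, and since the first matching entry decides,
    no later entry gets a chance to override them."""
    allowed = set()
    for ch in perms:
        if ch in "x*":
            allowed |= set(ALL_PERMS)
        elif ch.islower():
            allowed.add(ch)
    return allowed


def parse_acl(text: str):
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed kadm5.acl line: {raw!r}")
        target = fields[2] if len(fields) > 2 and fields[2] != "*" else None
        entries.append(Entry(fields[0], fields[1], target))
    return entries


def check(entries, client: str, operation: str, target: Optional[str] = None):
    """Return (allowed, index of the deciding entry, or None if nothing matched)."""
    letter = OPERATIONS[operation]
    for idx, e in enumerate(entries):
        if not match_principal(e.principal, client):
            continue
        if e.target is not None:
            if target is None:                 # modelling assumption, see docstring
                continue
            if not match_principal(e.target, target):
                continue
        return letter in granted(e.perms), idx
    return False, None


# Constructed file for the demonstration; the thread does not show Laura's whole file.
# Line 1 grants the automation principal add/delete/changepw/inquire on nfs/* only,
# line 2 denies it everything else (list included), line 3 is the broad catch-all
# that stock kadm5.acl files commonly carry for */admin.
CONSTRUCTED_ACL = """\
saltstack/admin@EXAMPLE.COM   adci   nfs/*@EXAMPLE.COM
saltstack/admin@EXAMPLE.COM   ADMCIL
*/admin@EXAMPLE.COM           *
"""


def evaluate_constructed_file():
    acl = parse_acl(CONSTRUCTED_ACL)
    me = "saltstack/admin@EXAMPLE.COM"
    results = {
        "add nfs/host": check(acl, me, "add", "nfs/host.example.com@EXAMPLE.COM"),
        "add test/test": check(acl, me, "add", "test/test@EXAMPLE.COM"),
        "list": check(acl, me, "list"),
        "root/admin list": check(acl, "root/admin@EXAMPLE.COM", "list"),
    }
    # Same file without the explicit deny line: the targeted line is skipped for the
    # target-less list, test/test matches no target, and the catch-all answers both.
    without_deny = [e for e in acl if e.perms != "ADMCIL"]
    results["list, no deny line"] = check(without_deny, me, "list")
    results["add test/test, no deny line"] = check(without_deny, me, "add", "test/test@EXAMPLE.COM")
    return results


if __name__ == "__main__":
    for what, (ok, idx) in evaluate_constructed_file().items():
        print(f"{what:30s} {'ALLOW' if ok else 'DENY':5s}  decided by entry {idx}")
```

Run it with `python3` to see which entry decides each request. Note that in this file the restriction comes from the explicit `ADMCIL` line, not from the targeted line: with the deny line removed, the automation principal falls through to the catch-all for both the list and the add of test/test. Whether the real kadmind skips targeted entries for target-less operations in exactly this way is the model's assumption, so verify against your own kadmind before relying on it.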