[14478] in Kerberos
privileges ignored for instances?
daemon@ATHENA.MIT.EDU (Christopher P. Lindsey)
Fri May 25 14:04:17 2001
X-Envelope-From: lindsey
X-Envelope-To: kerberos@MIT.EDU
Date: Fri, 25 May 2001 13:01:40 -0500
From: "Christopher P. Lindsey" <lindsey@mallorn.com>
To: kerberos@MIT.EDU
Message-ID: <20010525130140.E894@mallorn.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii

I recently sent a message about problems that I was having using keytab
files after an upgrade from 1.0.6 to 1.2.2.

Since I haven't been able to resolve it, I was considering using a
password with kadmin functions instead of a keytab file, i.e.

   kadmin -p aisadmin -w xxxxxxxx -q 'listprincs "*/ais@MALLORN.COM"'

This used to work under 1.0.6, but now I get the error

   get_principals: Operation requires ``list'' privilege while retrieving list.

However, the kadm5.acl file gives list privileges to the aisadmin user:

   aisadmin@MALLORN.COM admcil */ais@MALLORN.COM

If I remove the specific instance and give aisadmin all access (i.e.

   aisadmin@MALLORN.COM admcil

or

   aisadmin@MALLORN.COM * *

), things work fine (but I don't want to give aisadmin that much power).

Has something changed in 1.2.2 so that instances can't be specified on
the right-hand side? doc/krb5-admin.info-2 seems to indicate that it's
still possible.

Thanks for any help,

Chris
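
An added example, not part of the original message and not MIT Kerberos code: a small audit of kadm5.acl text that decodes the permission letters (a, d, m, c, i, l; upper case denies; `*` or `x` means all) and reports entries that grant every privilege with no target restriction, the situation the poster wants to avoid. The function names and the SAMPLE_ACL wrapper are assumptions made for illustration; the three ACL lines are the ones quoted in the message.

```python
# Added example: audit kadm5.acl entries for unscoped full grants.
# SAMPLE_ACL holds the three entries quoted in the message above.
ALL = {"a": "add", "d": "delete", "m": "modify",
       "c": "changepw", "i": "inquire", "l": "list"}

SAMPLE_ACL = """\
aisadmin@MALLORN.COM admcil */ais@MALLORN.COM
aisadmin@MALLORN.COM admcil
aisadmin@MALLORN.COM * *
"""


def parse_acl(text):
    """Parse kadm5.acl text into one dict per entry."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # '#' starts a comment
        if not fields:
            continue
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: missing permissions field")
        granted, denied, other = set(), set(), []
        for ch in fields[1]:
            if ch in ("*", "x"):                 # shorthand for every privilege
                granted |= set(ALL.values())
            elif ch.lower() in ALL:              # upper case denies the privilege
                (granted if ch.islower() else denied).add(ALL[ch.lower()])
            else:
                other.append(ch)                 # letter not modelled in this example
        entries.append({
            "line": lineno,
            "principal": fields[0],
            "granted": granted - denied,
            "denied": denied,
            "other": other,
            # No third field, or a bare "*", leaves the target unrestricted.
            "target": fields[2] if len(fields) > 2 else None,
        })
    return entries


def unscoped_full_grants(entries):
    """Line numbers of entries granting every privilege over every principal."""
    return [e["line"] for e in entries
            if e["target"] in (None, "*") and e["granted"] == set(ALL.values())]


if __name__ == "__main__":
    for e in parse_acl(SAMPLE_ACL):
        print(e["line"], e["principal"], sorted(e["granted"]), e["target"] or "(any)")
    print("unscoped full grants:", unscoped_full_grants(parse_acl(SAMPLE_ACL)))
```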