[14535] in Kerberos
privileges ignored for instances, part II
daemon@ATHENA.MIT.EDU (Christopher P. Lindsey)
Tue Jun 5 16:49:01 2001
Date: Tue, 5 Jun 2001 15:44:41 -0500
From: "Christopher P. Lindsey" <lindsey@mallorn.com>
To: kerberos@MIT.EDU
Message-ID: <20010605154441.A6290@mallorn.com>
About two weeks ago I sent this message, but haven't heard any responses.
If anyone gives specific privileges for certain instances to principals
in their kadm5.acl file under Kerberos 1.2.2, could you please let me
know?
If you don't have this setup but wouldn't mind spending five minutes to
try it out, could you please let me know the outcome?
Thanks,
Chris
----- Forwarded message from "Christopher P. Lindsey" <lindsey@mallorn.com> -----
Date: Fri, 25 May 2001 13:01:40 -0500
From: "Christopher P. Lindsey" <lindsey@mallorn.com>
To: kerberos@MIT.EDU
Subject: privileges ignored for instances?
X-Mailer: Mutt 1.0.1i
I recently sent a message about problems that I was having using keytab
files after an upgrade from 1.0.6 to 1.2.2.
Since I haven't been able to resolve it, I was considering using a
password with kadmin functions instead of a keytab file, i.e.
    kadmin -p aisadmin -w xxxxxxxx -q 'listprincs "*/ais@MALLORN.COM"'
This used to work under 1.0.6, but now I get the error
    get_principals: Operation requires ``list'' privilege while retrieving list.
However, the kadm5.acl file gives list privileges to the aisadmin user:
    aisadmin@MALLORN.COM admcil */ais@MALLORN.COM
If I remove the specific instance and give aisadmin all access (i.e.
    aisadmin@MALLORN.COM admcil
or
    aisadmin@MALLORN.COM * *
), things work fine (but I don't want to give aisadmin that much power).
Has something changed in 1.2.2 so that instances can't be specified on
the right-hand side? doc/krb5-admin.info-2 seems to indicate that it's
still possible.
Thanks for any help,
Chris
----- End forwarded message -----
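Added example, not part of the original message and not MIT Kerberos code: a small Python audit that parses kadm5.acl-style lines such as the three quoted in the message and reports which entries are scoped to a target pattern and which grant their privileges over every principal. The wildcard matching is a simplified model rather than kadmind's implementation, and the sample principals are constructed.

```python
# Added example: classify kadm5.acl entries by how much they grant.
# Assumed line format: principal  permissions  [target_principal]
# Only the permission letters seen on this page (a d m c i l) and "*" are handled.
ALL_PERMS = set("admcil")

# The three ACL variants from the message, one per line.
SAMPLE_ACL = """\
aisadmin@MALLORN.COM admcil */ais@MALLORN.COM
aisadmin@MALLORN.COM admcil
aisadmin@MALLORN.COM * *
"""
# Constructed principals used to show what each entry would cover.
SAMPLE_PRINCIPALS = ["web/ais@MALLORN.COM", "kadmin/admin@MALLORN.COM",
                     "alice@MALLORN.COM"]

def parse_acl(text):
    """Yield (principal, perms, target) for each non-comment ACL line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed ACL line: {raw!r}")
        yield fields[0], fields[1], fields[2] if len(fields) > 2 else None

def granted(perms):
    """Expand a permission string to the set of lowercase letters it grants."""
    return set(ALL_PERMS) if perms == "*" else {c for c in perms if c in ALL_PERMS}

def component_match(pattern, name):
    """Simplified model: '*' matches one whole component; counts must agree."""
    def split(p):
        left, _, realm = p.partition("@")
        return left.split("/") + [realm]
    pat, parts = split(pattern), split(name)
    return len(pat) == len(parts) and all(a in ("*", b) for a, b in zip(pat, parts))

def audit(text, principals):
    """Return one finding per entry: its scope and the sample principals covered."""
    findings = []
    for who, perms, target in parse_acl(text):
        unrestricted = target is None or target == "*"
        covers = [p for p in principals if unrestricted or component_match(target, p)]
        findings.append({"principal": who, "perms": "".join(sorted(granted(perms))),
                         "scope": "ALL PRINCIPALS" if unrestricted else target,
                         "covers": covers})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_ACL, SAMPLE_PRINCIPALS):
        print(f"{f['principal']:22} {f['perms']:7} {f['scope']:20} {f['covers']}")
```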