[38665] in Kerberos
Re: kadmin ignoring target column ?
daemon@ATHENA.MIT.EDU (Russ Allbery)
Sun Jan 12 14:18:04 2020
From: Russ Allbery <eagle@eyrie.org>
To: Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch>
In-Reply-To: <u0YRw6QNODZjvdlkv9Y-uiLN5ACBt1RrqutUG_CDLmnWXTVbz_bSccIXVYb1MvunwaQTn6T_IrrrTdp5GV6J2fZ9p29KerzqpxGmzdF1J_k=@protonmail.ch>
(Laura Smith's message of "Sun, 12 Jan 2020 19:01:11 +0000")
Date: Sun, 12 Jan 2020 11:17:42 -0800
Message-ID: <87ftgk5vs9.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch> writes:
> I am trying to create a suitably restricted user for use with
> configuration automation (SaltStack). My line looks like the following:
> saltstack/admin@EXAMPLE.COM ADMCIL nfs/*@EXAMPLE.COM
> I have edited kadm5.acl and restarted kadmind, however list_princs
> returns a list of all principals, not just nfs/*?
> If I remove the target column (i.e. saltstack/admin@EXAMPLE.COM ADMCIL)
> and restart kadmind, then ADMCIL operates as expected (blocks
> list_princs entirely).
I don't believe the "l" permission supports the target field. I think
it's all or nothing: either you can list all principals or you can't. The
man page for kadm5.acl seems to support that:
    l    [Dis]allows the listing of all principals or policies
--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
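A small checker for the situation discussed in this thread, added here as an example and not code from MIT Kerberos or from either poster. It parses the kadm5.acl format (principal, permission letters, optional target and restrictions; "#" comments) and flags entries that combine the list permission with a target, on the assumption stated in the reply that "l" is all-or-nothing and the target does not narrow what list_princs returns. The sample ACL inside is constructed.

```python
"""Lint a kadm5.acl file for list-permission entries that carry a target.

Added example for the thread above (not MIT Kerberos code). It assumes what
the reply states: the "l" permission is all-or-nothing, so a target field on
an entry that grants or denies "l" does not narrow what list_princs returns.
"""

# kadm5.acl entry format (whitespace separated):
#   principal  permissions  [target_principal  [restrictions...]]
# Comment lines start with '#'; blank lines are ignored.
# Lowercase letters allow an operation, uppercase letters deny it; '*' or 'x'
# grants everything.
PERMISSION_LETTERS = set("adlmcispxeADLMCISPXE*")


def parse_kadm5_acl(text):
    """Return a list of dicts, one per ACL entry, in file order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding space
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: need at least principal and permissions")
        principal, perms = fields[0], fields[1]
        unknown = set(perms) - PERMISSION_LETTERS
        if unknown:
            raise ValueError(f"line {lineno}: unknown permission letters {sorted(unknown)}")
        entries.append({
            "lineno": lineno,
            "principal": principal,
            "permissions": perms,
            "target": fields[2] if len(fields) > 2 else None,
            "restrictions": fields[3:],
        })
    return entries


def list_entries_with_target(entries):
    """Entries that mention the list permission ('l' or 'L') together with a target.

    Under the all-or-nothing reading of 'l', the target is not consulted for
    listing, so these lines do not restrict list_princs the way they appear to.
    """
    return [e for e in entries
            if e["target"] is not None
            and ("l" in e["permissions"] or "L" in e["permissions"])]


def lint_kadm5_acl(text):
    """Return human-readable warnings for the findings above."""
    warnings = []
    for e in list_entries_with_target(parse_kadm5_acl(text)):
        warnings.append(
            f"line {e['lineno']}: {e['principal']} has '{e['permissions']}' with target "
            f"{e['target']}; the list permission is all-or-nothing and ignores the target")
    return warnings


# Constructed sample ACL (not from any real realm), mirroring the thread.
SAMPLE_ACL = """\
# constructed kadm5.acl
*/admin@EXAMPLE.COM  *
saltstack/admin@EXAMPLE.COM  ADMCIL  nfs/*@EXAMPLE.COM
host/backup@EXAMPLE.COM  ci  host/*@EXAMPLE.COM
"""

if __name__ == "__main__":
    for w in lint_kadm5_acl(SAMPLE_ACL):
        print("WARNING:", w)
```

Run it against a copy of the real kadm5.acl before restarting kadmind; an entry with "l" or "L" and a target is the pattern from the thread, where the target field does not produce a per-principal listing restriction.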