[38670] in Kerberos

Re: kadmin ignoring target column ?

daemon@ATHENA.MIT.EDU (Laura Smith)
Mon Jan 13 03:45:05 2020

Date: Mon, 13 Jan 2020 08:44:42 +0000
To: Greg Hudson <ghudson@mit.edu>
From: Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch>
Message-ID: <FiT1mVCBUdyTiFD2gaIHStn5I8rkUq5DHd-xHQ3xkW_3H7J5mokt72teQeWojs4KD2IgfEgzlFrG_9b3bDgZnqZHCozNoFyQqXW0z_5MNvc=@protonmail.ch>
In-Reply-To: <91d0a130-b02a-9207-5c39-f24fbb4251a1@mit.edu>
MIME-Version: 1.0
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Reply-To: Laura Smith <n5d9xq3ti233xiyif2vp@protonmail.ch>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, January 12, 2020 10:48 PM, Greg Hudson <ghudson@mit.edu> wrote:

> On 1/12/20 2:01 PM, Laura Smith wrote:

>
> Since all of the permission bits are in uppercase, that line should
> grant no permissions to saltstack/admin. When I test with a similar
> line it doesn't appear to grant add permissions for any principals. Is
> there a previous line that matches the client saltstack/admin, and
> grants full add permissions? kadmind stops when it finds the first ACL
> line matching the client and target; it doesn't continue on to look for
> a more specific match.

I am aware of the list ordering requirement, and to that extent the ACL entry in question was quite deliberately placed at the top.

>
> With the current sources, if I do "make testrealm" and then change the
> first line of testdir/acl to read:
>
> user/admin@KRBTEST.COM admcil nfs/@KRBTEST.COM
>
> then I get the expected results for user/admin:
>
> kadmin: listprincs
> get_principals: Operation requires `list' privilege while retrieving list.
> kadmin: addprinc -pw pw nfs/test
> No policy specified for nfs/test@KRBTEST.COM; defaulting to no policy
> Principal "nfs/test@KRBTEST.COM" created.
> kadmin: addprinc -pw pw test/test
> No policy specified for test/test@KRBTEST.COM; defaulting to no policy
> add_principal: Operation requires `add' privilege while creating
> "test/test@KRBTEST.COM".
> (It turns out that operations with no target principal, including
> listprincs, fail if there is any target pattern for the entry besides
> "". This isn't really documented.)
>

admcil nfs/@KRBTEST.COM, are you saying I should not be putting the wildcard asterisk after nfs/ ?

> Also, what version of krb5 is running on the KDC? The kadmind ACL code
> changed substantially in 1.16 (though it shouldn't have affected this
> behavior), so if you're running an earlier version than that I might be
> able to re-test with older code.

Running 1.17 on Alpine Linux 3.10.3



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
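The three kadmind ACL behaviours discussed in this thread (uppercase permission letters deny rather than grant; the first line whose client pattern, and target pattern if present, matches is the only one consulted; an operation that names no target, such as listprincs, is not authorised by a line carrying a target pattern) can be exercised with a small model. The Python below is an added illustration written for this page, not krb5's kadmind code, and it does not reproduce kadmind's actual matching routines. It assumes fully qualified principal names, `*` as the only wildcard within a principal component (per the kadm5.acl(5) documentation), the permission letters listed in that page, and a constructed sample ACL for the fictitious realm EXAMPLE.COM with fictitious principals saltstack/admin and ops/admin.

```python
"""Toy model of kadm5.acl evaluation (added example; not krb5 source code).

Assumptions, as stated in the lead-in: every principal carries a realm,
'*' is the only wildcard inside a component, and the permission letters
are those documented in kadm5.acl(5).  kadmind's own matching code is not
reproduced here; only the first-match / uppercase-denies / target-less
behaviour described in the thread is modelled.
"""
import re

# Permission letters per kadm5.acl(5).  "x" or "*" alone means ALL_PRIVS.
ALL_PRIVS = "admcilsp"
KNOWN_PRIVS = set(ALL_PRIVS) | {"e"}


def _parse_principal(name):
    """Split 'comp1/comp2@REALM' into (['comp1', 'comp2'], 'REALM')."""
    if "@" not in name:
        raise ValueError(f"principal {name!r} has no realm (this model requires one)")
    local, realm = name.rsplit("@", 1)
    return local.split("/"), realm


def _glob_match(pattern, value):
    """Match one principal component; '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def principal_matches(pattern, principal):
    """Component-wise match: component count and realm must both agree."""
    pcomps, prealm = _parse_principal(pattern)
    ccomps, crealm = _parse_principal(principal)
    if len(pcomps) != len(ccomps) or not _glob_match(prealm, crealm):
        return False
    return all(_glob_match(p, c) for p, c in zip(pcomps, ccomps))


def parse_acl(text):
    """Parse kadm5.acl lines into (client_pattern, perms, target_pattern_or_None)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed ACL line: {raw!r}")
        client, perms = fields[0], fields[1]
        target = fields[2] if len(fields) > 2 else None
        if perms in ("*", "x"):
            perms = ALL_PRIVS
        if any(ch.lower() not in KNOWN_PRIVS for ch in perms):
            raise ValueError(f"unknown permission letter in {raw!r}")
        entries.append((client, perms, target))
    return entries


def check(entries, client, op, target=None):
    """Return (allowed, index_of_deciding_line_or_None) for one kadmin request.

    op is a lowercase permission letter such as 'a' (add) or 'l' (list).
    """
    for idx, (cpat, perms, tpat) in enumerate(entries):
        if not principal_matches(cpat, client):
            continue
        if tpat is not None:
            # A line with a target pattern applies only when the request
            # names a target and that target matches the pattern.
            if target is None or not principal_matches(tpat, target):
                continue
        # First matching line decides.  Uppercase letters never equal a
        # lowercase op, so 'ADMCIL' denies everything it lists.
        return (op in perms, idx)
    return (False, None)


# Constructed sample file (not the original poster's ACL).
SAMPLE_ACL = """\
# line 0: uppercase letters deny add/delete/modify/changepw/inquire/list on nfs/*
saltstack/admin@EXAMPLE.COM  ADMCIL  nfs/*@EXAMPLE.COM
# line 1: never consulted for nfs/* targets; line 0 already matched
saltstack/admin@EXAMPLE.COM  admcil  nfs/*@EXAMPLE.COM
# line 2: add and inquire on host/* only
saltstack/admin@EXAMPLE.COM  ai      host/*@EXAMPLE.COM
# line 3: no target pattern, so it also covers target-less operations
ops/admin@EXAMPLE.COM        admcil
"""


def demo():
    """Evaluate the requests discussed in the thread against SAMPLE_ACL."""
    entries = parse_acl(SAMPLE_ACL)
    salt, ops = "saltstack/admin@EXAMPLE.COM", "ops/admin@EXAMPLE.COM"
    return {
        "salt add nfs/host1": check(entries, salt, "a", "nfs/host1@EXAMPLE.COM"),
        "salt add host/web1": check(entries, salt, "a", "host/web1@EXAMPLE.COM"),
        "salt add test/test": check(entries, salt, "a", "test/test@EXAMPLE.COM"),
        "salt listprincs": check(entries, salt, "l"),
        "ops listprincs": check(entries, ops, "l"),
        "ops add nfs/host1": check(entries, ops, "a", "nfs/host1@EXAMPLE.COM"),
    }


if __name__ == "__main__":
    for request, (allowed, line) in demo().items():
        print(f"{request:22s} -> {'allowed' if allowed else 'DENIED':7s} (line {line})")
```

Running it shows the pattern from the thread: the uppercase line at the top denies add on nfs/* even though a permissive line follows it, and the client whose every ACL line carries a target pattern cannot run listprincs at all, while the client with a target-less line can.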