kadm5.acl(4)                     File Formats                     kadm5.acl(4)


NAME

       kadm5.acl - Kerberos access control list (ACL) file

SYNOPSIS

       /etc/krb5/kadm5.acl


DESCRIPTION

       The ACL file is used by the kadmind(1M) command to determine which
       principals are allowed to perform Kerberos administration actions. For
       operations that affect principals, the ACL file also controls which
       principals can operate on which other principals. The location of the
       ACL file is determined by the acl_file configuration variable in the
       kdc.conf(4) file. The default location is /etc/krb5/kadm5.acl.


       For incremental propagation, see kadmind(1M). The ACL file must contain
       the kiprop service principal with propagation privileges in order for
       the slave KDC to pull updates from the master's principal database.
       Refer to the EXAMPLES section for this case.


       The ACL file can contain comment lines, null lines, or lines that
       contain ACL entries. Comment lines start with the pound sign (#) and
       continue until the end of the line.

       The order of entries is significant. The first matching entry
       determines the access control that applies to a principal, whether
       the entry names just the principal or the principal together with a
       target principal it operates on.


       Lines containing ACL entries must have the following format:

         principal operation-mask [operation-target]


       principal           Specifies the principal on which the operation-mask
                           applies. Can specify either a partially or fully
                           qualified Kerberos principal name. Each component
                           of the name can be substituted with a wildcard,
                           using the asterisk (*) character.


       operation-mask      Specifies what operations can or cannot be
                           performed by a principal matching a particular
                           entry. Specify operation-mask as one or more
                           privileges.

                           A privilege is a string of one or more of the
                           following characters: a, A, c, C, d, D, i, I, l,
                           L, m, M, p, P, u, U, x, or *. Generally, if the
                           character is lowercase, the privilege is allowed
                           and if the character is uppercase, the operation
                           is disallowed. The x and * characters are
                           exceptions to the uppercase convention.

                           The following privileges are supported:

                           a    Allows the addition of principals or policies
                                in the database.


                           A    Disallows the addition of principals or
                                policies in the database.


                           c    Allows the changing of passwords for
                                principals in the database.


                           C    Disallows the changing of passwords for
                                principals in the database.


                           d    Allows the deletion of principals or policies
                                in the database.


                           D    Disallows the deletion of principals or
                                policies in the database.


                           i    Allows inquiries to the database.


                           I    Disallows inquiries to the database.


                           l    Allows the listing of principals or policies
                                in the database.


                           L    Disallows the listing of principals or
                                policies in the database.


                           m    Allows the modification of principals or
                                policies in the database.


                           M    Disallows the modification of principals or
                                policies in the database.


                           p    Allows the propagation of the principal
                                database.


                           P    Disallows the propagation of the principal
                                database.


                           u    Allows the creation of one-component user
                                principals whose password can be validated
                                with PAM.


                           U    Negates the u privilege.


                           x    Short for specifying privileges a, d, m, c,
                                i, and l. The same as *.


                           *    Short for specifying privileges a, d, m, c,
                                i, and l. The same as x.


       operation-target    Optional. When specified, the privileges apply to
                           the principal when it operates on the operation-
                           target. For the operation-target, you can specify a
                           partially or fully qualified Kerberos principal
                           name. Each component of the name can be substituted
                           by a wildcard, using the asterisk (*) character.



EXAMPLES

       Example 1 Specifying a Standard, Fully Qualified Name


       The following ACL entry specifies a standard, fully qualified name:


         user/instance@realm adm


       The operation-mask applies only to the user/instance@realm principal
       and specifies that the principal can add, delete, or modify principals
       and policies, but it cannot change passwords.


       Example 2 Specifying a Standard Fully Qualified Name and Target


       The following ACL entry specifies a standard, fully qualified name and
       a target:


         user/instance@realm cim service/instance@realm


       The operation-mask applies only to the user/instance@realm principal
       operating on the service/instance@realm target, and specifies that the
       principal can change the target's password, request information about
       the target, and modify it.


177
       Example 3 Specifying a Name Using a Wildcard


       The following ACL entry specifies a name using a wildcard:


         user/*@realm ac


       The operation-mask applies to all principals in realm realm whose first
       component is user and specifies that the principals can add principals
       and change passwords.


       Example 4 Specifying a Name Using a Wildcard and a Target


       The following ACL entry specifies a name using a wildcard and a target:


         user/*@realm i */instance@realm


       The operation-mask applies to all principals in realm realm whose first
       component is user and specifies that the principals can perform
       inquiries on principals whose second component is instance and realm is
       realm.


       Example 5 Specifying Incremental Propagation Privileges


       The following ACL entry specifies propagation privileges for the kiprop
       service principal:


         kiprop/slavehost@realm p


       The operation-mask applies to the kiprop service principal for the
       specified slave host slavehost in realm realm. This specifies that the
       associated kiprop service principal can receive incremental principal
       updates.


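       The following Python program is an added example for this page, not
       part of kadmind or of any Solaris or MIT Kerberos source. It applies
       the rules given in DESCRIPTION (comment and null lines are skipped, the
       first matching entry wins, an asterisk matches a whole name component,
       lowercase allows, uppercase disallows, and x or * expand to a, d, m, c,
       i and l) to a constructed ACL built from the entries of Examples 1, 4
       and 5. The realm is compared exactly; that is a simplification made
       for this example.

```python
# Added example (not kadmind code): evaluate kadm5.acl entries under the rules
# in DESCRIPTION. The realm comparison is simplified to an exact match.

# Constructed sample ACL, reusing entries from Examples 1, 4 and 5.
SAMPLE_ACL = """
# user/instance may add, delete and modify, but not change passwords
user/instance@realm adm
user/*@realm i */instance@realm
kiprop/slavehost@realm p
"""

def parse_acl(text):
    """Return a list of (principal, operation-mask, operation-target or None)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # null and comment lines
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError("malformed ACL line: %r" % raw)
        entries.append((fields[0], fields[1], fields[2] if len(fields) == 3 else None))
    return entries

def match(pattern, name):
    """Component-wise match of 'a/b@R' against a pattern whose components may be '*'."""
    pcomps, _, prealm = pattern.rpartition("@")
    ncomps, _, nrealm = name.rpartition("@")
    pcomps, ncomps = pcomps.split("/"), ncomps.split("/")
    if prealm != nrealm or len(pcomps) != len(ncomps):
        return False
    return all(p == "*" or p == n for p, n in zip(pcomps, ncomps))

def expand(mask):
    """x and * are shorthand for the privileges a, d, m, c, i and l."""
    return "".join("admcil" if ch in "x*" else ch for ch in mask)

def allowed(entries, principal, priv, target=None):
    """True if the first entry matching principal (and target, when the entry
    names one) grants lowercase privilege priv and does not also disallow it."""
    for ent_principal, mask, ent_target in entries:
        if not match(ent_principal, principal):
            continue
        if ent_target is not None and (target is None or not match(ent_target, target)):
            continue
        mask = expand(mask)
        return priv in mask and priv.upper() not in mask
    return False   # no entry matched: nothing is allowed
```

       Because the first match decides, the target-less Example 1 entry also
       answers queries that name a target, so a more specific entry for the
       same principal must be placed before it.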

FILES

       /etc/krb5/kdc.conf    KDC configuration information.


ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:


       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWkdcu                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Evolving                     │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       kpasswd(1), gkadmin(1M), kadmind(1M), kadmin.local(1M), kdb5_util(1M),
       kdc.conf(4), attributes(5), kerberos(5), pam_krb5_migrate(5)



SunOS 5.11                        26 Apr 2004                     kadm5.acl(4)