kadm5.acl(4)                     File Formats                     kadm5.acl(4)

NAME
       kadm5.acl - Kerberos access control list (ACL) file

SYNOPSIS
       /etc/krb5/kadm5.acl

DESCRIPTION
       The ACL file is used by the kadmind(1M) command to determine which
       principals are allowed to perform Kerberos administration actions. For
       operations that affect principals, the ACL file also controls which
       principals can operate on which other principals. The location of the
       ACL file is determined by the acl_file configuration variable in the
       kdc.conf(4) file. The default location is /etc/krb5/kadm5.acl.


       For incremental propagation, see kadmind(1M). The ACL file must contain
       the kiprop service principal with propagation privileges in order for
       the slave KDC to pull updates from the master's principal database.
       Refer to the EXAMPLES section for this case.


       The ACL file can contain comment lines, null lines, or lines that
       contain ACL entries. Comment lines start with the pound sign (#) and
       continue until the end of the line.
30

       The order of entries is significant. The first matching entry specifies
       the principal to which the access control applies, whether it applies
       to the principal alone or to the principal when it operates on a target
       principal.
36
37
       Lines containing ACL entries must have the following format:

            principal operation-mask [operation-target]

42
43
       principal         Specifies the principal to which the operation-mask
                         applies. Can specify either a partially or fully
                         qualified Kerberos principal name. Each component
                         of the name can be substituted with a wildcard,
                         using the asterisk (*) character.
49
50
       operation-mask    Specifies what operations can or cannot be performed
                         by a principal matching a particular entry. Specify
                         operation-mask as one or more privileges.

                         A privilege is a string of one or more of the
                         following characters: a, A, c, C, d, D, i, I, l, L,
                         m, M, p, P, u, U, x, or *. Generally, if the character
                         is lowercase, the privilege is allowed and if the
                         character is uppercase, the operation is disallowed.
                         The x and * characters are exceptions to the
                         uppercase convention.

                         The following privileges are supported:
64
                         a     Allows the addition of principals or policies
                               in the database.

                         A     Disallows the addition of principals or
                               policies in the database.

                         c     Allows the changing of passwords for
                               principals in the database.

                         C     Disallows the changing of passwords for
                               principals in the database.

                         d     Allows the deletion of principals or policies
                               in the database.

                         D     Disallows the deletion of principals or
                               policies in the database.

                         i     Allows inquiries to the database.

                         I     Disallows inquiries to the database.

                         l     Allows the listing of principals or policies
                               in the database.

                         L     Disallows the listing of principals or
                               policies in the database.

                         m     Allows the modification of principals or
                               policies in the database.

                         M     Disallows the modification of principals or
                               policies in the database.

                         p     Allows the propagation of the principal
                               database.

                         P     Disallows the propagation of the principal
                               database.

                         u     Allows the creation of one-component user
                               principals whose password can be validated
                               with PAM.

                         U     Negates the u privilege.

                         x     Short for specifying privileges a, d, m, c, i,
                               and l. The same as *.

                         *     Short for specifying privileges a, d, m, c, i,
                               and l. The same as x.
133
134
135
       operation-target  Optional. When specified, the privileges apply to
                         the principal when it operates on the
                         operation-target. For the operation-target, you can
                         specify a partially or fully qualified Kerberos
                         principal name. Each component of the name can be
                         substituted by a wildcard, using the asterisk (*)
                         character.
142
143
EXAMPLES
       Example 1 Specifying a Standard, Fully Qualified Name

       The following ACL entry specifies a standard, fully qualified name:

         user/instance@realm adm

       The operation-mask applies only to the user/instance@realm principal
       and specifies that the principal can add, delete, or modify principals
       and policies, but it cannot change passwords.
159
160
       Example 2 Specifying a Standard, Fully Qualified Name and Target

       The following ACL entry specifies a standard, fully qualified name and
       a target:

         user/instance@realm cim service/instance@realm

       The operation-mask applies only to the user/instance@realm principal
       operating on the service/instance@realm target, and specifies that the
       principal can change the target's password, request information about
       the target, and modify it.
176
177
       Example 3 Specifying a Name Using a Wildcard

       The following ACL entry specifies a name using a wildcard:

         user/*@realm ac

       The operation-mask applies to all principals in realm realm whose first
       component is user and specifies that the principals can add principals
       and change passwords.
192
193
       Example 4 Specifying a Name Using a Wildcard and a Target

       The following ACL entry specifies a name using a wildcard and a target:

         user/*@realm i */instance@realm

       The operation-mask applies to all principals in realm realm whose first
       component is user and specifies that the principals can perform
       inquiries on principals whose second component is instance and whose
       realm is realm.
209
210
       Example 5 Specifying Incremental Propagation Privileges

       The following ACL entry specifies propagation privileges for the kiprop
       service principal:

         kiprop/slavehost@realm p

       The operation-mask applies to the kiprop service principal for the
       specified slave host slavehost in realm realm. This specifies that the
       associated kiprop service principal can receive incremental principal
       updates.
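       The following is an added example, not code from the manual page or
       from kadmind(1M) itself. It parses entries in the format described
       above (comment lines, principal, operation-mask, optional
       operation-target), applies the first-match rule, expands x and * to
       admcil as this page defines them, and evaluates the five EXAMPLES
       entries against concrete requests. The function names parse_acl,
       principal_matches, expand_mask, is_allowed and audit, the constant
       DEFAULT_REALM, and the sample file SAMPLE_ACL are all constructed for
       this illustration. One behaviour the page does not spell out is also
       an assumption here: an entry that carries an operation-target is only
       considered when the request names a target that matches it. The audit
       helper goes a step beyond the page and flags untargeted wildcard
       entries that grant add, delete or modify, which is the kind of entry
       worth reviewing before deploying an ACL.

```python
from typing import List, NamedTuple, Optional, Set

# Constructed example, not kadmind(1M)'s own code.
PRIVILEGES = set("acdilmpu")   # lowercase letters that each grant one privilege
SHORTHAND = set("admcil")      # what x and * stand for on this page
DEFAULT_REALM = "EXAMPLE.COM"  # assumed realm for names written without @realm


class AclEntry(NamedTuple):
    principal: str
    mask: str
    target: Optional[str]
    line_no: int


def parse_acl(text: str) -> List[AclEntry]:
    """Parse ACL text; '#' starts a comment and blank lines are skipped."""
    valid = PRIVILEGES | {c.upper() for c in PRIVILEGES} | {"x", "*"}
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"line {line_no}: expected 'principal operation-mask [operation-target]'")
        if set(fields[1]) - valid:
            raise ValueError(f"line {line_no}: unknown privilege character in {fields[1]!r}")
        target = fields[2] if len(fields) == 3 else None
        entries.append(AclEntry(fields[0], fields[1], target, line_no))
    return entries


def split_principal(name: str):
    """Return (components, realm) for name[/instance...][@REALM]."""
    local, realm = name.rsplit("@", 1) if "@" in name else (name, DEFAULT_REALM)
    return local.split("/"), realm


def principal_matches(pattern: str, name: str) -> bool:
    """Component-wise match; a '*' component (or realm) matches any one component."""
    pat_comps, pat_realm = split_principal(pattern)
    comps, realm = split_principal(name)
    if len(pat_comps) != len(comps) or pat_realm not in ("*", realm):
        return False
    return all(p in ("*", c) for p, c in zip(pat_comps, comps))


def expand_mask(mask: str) -> Set[str]:
    """Apply mask letters left to right: lowercase grants, uppercase revokes."""
    granted: Set[str] = set()
    for ch in mask:
        if ch in ("x", "*"):
            granted |= SHORTHAND
        elif ch.islower():
            granted.add(ch)
        else:
            granted.discard(ch.lower())
    return granted


def is_allowed(entries, principal, op, target=None) -> bool:
    """First matching entry decides; no matching entry means denied.

    Assumption: an entry that carries an operation-target is considered only
    when the request names a target that matches it.
    """
    for entry in entries:
        if not principal_matches(entry.principal, principal):
            continue
        if entry.target is not None and (
                target is None or not principal_matches(entry.target, target)):
            continue
        return op in expand_mask(entry.mask)
    return False


def audit(entries) -> List[str]:
    """Flag untargeted wildcard entries that grant add, delete or modify."""
    findings = []
    for e in entries:
        comps, realm = split_principal(e.principal)
        risky = expand_mask(e.mask) & {"a", "d", "m"}
        if e.target is None and ("*" in comps or realm == "*") and risky:
            findings.append(f"line {e.line_no}: {e.principal} grants "
                            f"{''.join(sorted(risky))} on any target")
    return findings


# Constructed sample built from the EXAMPLES section above; the targeted
# entries come first because the first matching entry wins.
SAMPLE_ACL = """\
# constructed kadm5.acl
user/instance@realm cim service/instance@realm
user/instance@realm adm
user/*@realm i */instance@realm
user/*@realm ac
kiprop/slavehost@realm p
"""
```

       Note the ordering in SAMPLE_ACL: if the untargeted
       "user/instance@realm adm" line came first, it would match every request
       from that principal and the targeted cim entry below it would never be
       reached, so a request to change service/instance@realm's password would
       be denied. Running is_allowed(parse_acl(SAMPLE_ACL), ...) against the
       requests in the EXAMPLES section and audit() over the parsed entries
       shows both the first-match effect and which entry deserves a second
       look (the wildcard "user/*@realm ac" line, which grants a with no
       target).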
226
227
FILES
       /etc/krb5/kdc.conf    KDC configuration information.
230
231
ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:


       ┌─────────────────────────────┬─────────────────────────────┐
       │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWkdcu                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Evolving                     │
       └─────────────────────────────┴─────────────────────────────┘
245
SEE ALSO
       kpasswd(1), gkadmin(1M), kadmind(1M), kadmin.local(1M), kdb5_util(1M),
       kdc.conf(4), attributes(5), kerberos(5), pam_krb5_migrate(5)
249
250
251
SunOS 5.11                        26 Apr 2004                      kadm5.acl(4)