kadm5.acl - Kerberos access control list (ACL) file
/etc/krb5/kadm5.acl
The ACL file is used by the kadmind(1M) command to determine which principals are allowed to perform Kerberos administration actions. For operations that affect principals, the ACL file also controls which principals can operate on which other principals. The location of the ACL file is determined by the acl_file configuration variable in the kdc.conf(4) file. The default location is /etc/krb5/kadm5.acl.
For incremental propagation, see kadmind(1M). The ACL file must contain the kiprop service principal with propagation privileges in order for the slave KDC to pull updates from the master's principal database. Refer to the EXAMPLES section for this case.
The ACL file can contain comment lines, null lines, or lines that contain ACL entries. Comment lines start with the pound sign (#) and continue until the end of the line.
The order of entries is significant. The first matching entry specifies the principal on which the control access applies, whether it is on just the principal or on the principal when it operates on a target principal.
Lines containing ACL entries must have the following format:
principal operation-mask [operation-target]
principal
operation-mask
A privilege is a string of one or more of the following characters: a, A, c, C, d, D, i, I, l, L, m, M, p, P, u, U, x, or *. Generally, if the character is lowercase, the privilege is allowed and if the character is uppercase, the operation is disallowed. The x and * characters are exceptions to the uppercase convention.
The following privileges are supported:
a
A
c
C
d
D
i
I
l
L
m
M
p
P
u
U
x
*
operation-target
Example 1 Specifying a Standard, Fully Qualified Name
The following ACL entry specifies a standard, fully qualified name:
user/instance@realm adm
The operation-mask applies only to the user/instance@realm principal and specifies that the principal can add, delete, or modify principals and policies, but it cannot change passwords.
Example 2 Specifying a Standard Fully Qualified Name and Target
The following ACL entry specifies a standard, fully qualified name:
user/instance@realm cim service/instance@realm
The operation-mask applies only to the user/instance@realm principal operating on the service/instance@realm target, and specifies that the principal can change the target's password, request information about the target, and modify it.
Example 3 Specifying a Name Using a Wildcard
The following ACL entry specifies a name using a wildcard:
user/*@realm ac
The operation-mask applies to all principals in realm realm whose first component is user and specifies that the principals can add principals and change passwords.
Example 4 Specifying a Name Using a Wildcard and a Target
The following ACL entry specifies a name using a wildcard and a target:
user/*@realm i */instance@realm
The operation-mask applies to all principals in realm realm whose first component is user and specifies that the principals can perform inquiries on principals whose second component is instance and realm is realm.
Example 5 Specifying Incremental Propagation Privileges
The following ACL entry specifies propagation privileges for the kiprop service principal:
kiprop/slavehost@realm p
The operation-mask applies to the kiprop service principal for the specified slave host slavehost in realm realm. This specifies that the associated kiprop service principal can receive incremental principal updates.
/etc/krb5/kdc.conf
See attributes(5) for descriptions of the following attributes:
|
kpasswd(1), gkadmin(1M), kadmind(1M), kadmin.local(1M), kdb5_util(1M), kdc.conf(4), attributes(5), kerberos(5), pam_krb5_migrate(5)
Закладки на сайте Проследить за страницей |
Created 1996-2024 by Maxim Chirkov Добавить, Поддержать, Вебмастеру |