KADM5.ACL(5) File Formats and Configurations KADM5.ACL(5)
NAME
kadm5.acl - Kerberos access control list (ACL) file
SYNOPSIS
/etc/krb5/kadm5.aclDESCRIPTION
The
ACL file is used by the
kadmind(8) command to determine which
principals are allowed to perform Kerberos administration actions.
For operations that affect principals, the
ACL file also controls
which principals can operate on which other principals. The location
of the
ACL file is determined by the
acl_file configuration variable
in the
kdc.conf(5) file. The default location is
/etc/krb5/kadm5.acl.
For incremental propagation, see
kadmind(8). The ACL file must
contain the
kiprop service principal with propagation privileges in
order for the slave KDC to pull updates from the master's principal
database. Refer to the EXAMPLES section for this case.
The
ACL file can contain comment lines, null lines, or lines that
contain
ACL entries. Comment lines start with the pound sign (
#) and
continue until the end of the line.
The order of entries is significant. The first matching entry
specifies the principal on which the control access applies, whether
it is on just the principal or on the principal when it operates on a
target principal.
Lines containing
ACL entries must have the following format:
principal operation-mask [
operation-target]
principal Specifies the principal on which the
operation- mask applies. Can specify either a partially or
fully qualified Kerberos principal name. Each
component of the name can be substituted with a
wildcard, using the asterisk (
* ) character.
operation-mask Specifies what operations can or cannot be
performed by a principal matching a particular
entry. Specify
operation-mask as one or more
privileges.
A
privilege is a string of one or more of the
following characters:
a,
A,
c,
C,
d,
D,
i,
I,
l,
L,
m,
M,
p,
P,
u,
U,
x, or
*. Generally, if the
character is lowercase, the privilege is allowed
and if the character is uppercase, the operation
is disallowed. The
x and
* characters are
exceptions to the uppercase convention.
The following
privileges are supported:
a Allows the addition of principals or
policies in the database.
A Disallows the addition of principals or
policies in the database.
c Allows the changing of passwords for
principals in the database.
C Disallows the changing of passwords for
principals in the database.
d Allows the deletion of principals or
policies in the database.
D Disallows the deletion of principals or
policies in the database.
i Allows inquiries to the database.
I Disallows inquiries to the database.
l Allows the listing of principals or policies
in the database.
L Disallows the listing of principals or
policies in the database.
m Allows the modification of principals or
policies in the database.
M Disallows the modification of principals or
policies in the database.
p Allow the propagation of the principal
database.
P Disallow the propagation of the principal
database.
u Allows the creation of one-component user
principals whose password can be validated
with PAM.
U Negates the
u privilege.
x Short for specifying privileges
a,
d,
m,
c,
i,
and
l. The same as
*.
* Short for specifying privileges
a,
d,
m,
c,
i,
and
l. The same as
x.
operation-target Optional. When specified, the
privileges apply to
the
principal when it operates on the
operation- target. For the
operation-target, you can specify
a partially or fully qualified Kerberos principal
name. Each component of the name can be
substituted by a wildcard, using the asterisk (
* ) character.
EXAMPLES
Example 1: Specifying a Standard, Fully Qualified Name
The following ACL entry specifies a standard, fully qualified name:
user/instance@realm adm
The
operation-mask applies only to the
user/instance@realm principal
and specifies that the principal can add, delete, or modify
principals and policies, but it cannot change passwords.
Example 2: Specifying a Standard Fully Qualified Name and Target
The following ACL entry specifies a standard, fully qualified name:
user/instance@realm cim service/instance@realm
The
operation-mask applies only to the
user/instance@realm principal
operating on the
service/instance@realm target, and specifies that
the principal can change the target's password, request information
about the target, and modify it.
Example 3: Specifying a Name Using a Wildcard
The following ACL entry specifies a name using a wildcard:
user/*@realm ac
The
operation-mask applies to all principals in realm
realm whose
first component is
user and specifies that the principals can add
principals and change passwords.
Example 4: Specifying a Name Using a Wildcard and a Target
The following ACL entry specifies a name using a wildcard and a
target:
user/*@realm i */instance@realm
The
operation-mask applies to all principals in realm
realm whose
first component is
user and specifies that the principals can perform
inquiries on principals whose second component is
instance and realm
is
realm.
Example 5: Specifying Incremental Propagation Privileges
The following ACL entry specifies propagation privileges for the
kiprop service principal:
kiprop/slavehost@realm p
The operation-mask applies to the
kiprop service principal for the
specified slave host
slavehost in realm
realm. This specifies that
the associated
kiprop service principal can receive incremental
principal updates.
FILES
/etc/krb5/kdc.conf KDC configuration information.
ATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Evolving |
+--------------------+-----------------+
SEE ALSO
kpasswd(1),
kdc.conf(5),
attributes(7),
kerberos(7),
pam_krb5_migrate(7),
kadmin.local(8),
kadmind(8),
kdb5_util(8) October 29, 2015 KADM5.ACL(5)
