kadm5.acl(4) File Formats kadm5.acl(4)NAMEkadm5.acl - Kerberos access control list (ACL) file
SYNOPSIS
/etc/krb5/kadm5.acl
DESCRIPTION
The ACL file is used by the kadmind(1M) command to determine which
principals are allowed to perform Kerberos administration actions. For
operations that affect principals, the ACL file also controls which
principals can operate on which other principals. The location of the
ACL file is determined by the acl_file configuration variable in the
kdc.conf(4) file. The default location is /etc/krb5/kadm5.acl.
For incremental propagation, see kadmind(1M). The ACL file must contain
the kiprop service principal with propagation privileges in order for
the slave KDC to pull updates from the master's principal database.
Refer to the EXAMPLES section for this case.
The ACL file can contain comment lines, null lines, or lines that con‐
tain ACL entries. Comment lines start with the pound sign (#) and con‐
tinue until the end of the line.
The order of entries is significant. The first matching entry specifies
the principal on which the control access applies, whether it is on
just the principal or on the principal when it operates on a target
principal.
Lines containing ACL entries must have the following format:
principal operation-mask [operation-target]
principal Specifies the principal on which the operation-mask
applies. Can specify either a partially or fully
qualified Kerberos principal name. Each component
of the name can be substituted with a wildcard,
using the asterisk ( * ) character.
operation-mask Specifies what operations can or cannot be per‐
formed by a principal matching a particular entry.
Specify operation-mask as one or more privileges.
A privilege is a string of one or more of the fol‐
lowing characters: a, A, c, C, d, D, i, I, l, L, m,
M, p, P, u, U, x, or *. Generally, if the character
is lowercase, the privilege is allowed and if the
character is uppercase, the operation is disal‐
lowed. The x and * characters are exceptions to the
uppercase convention.
The following privileges are supported:
a Allows the addition of principals or policies
in the database.
A Disallows the addition of principals or poli‐
cies in the database.
c Allows the changing of passwords for princi‐
pals in the database.
C Disallows the changing of passwords for prin‐
cipals in the database.
d Allows the deletion of principals or policies
in the database.
D Disallows the deletion of principals or poli‐
cies in the database.
i Allows inquiries to the database.
I Disallows inquiries to the database.
l Allows the listing of principals or policies
in the database.
L Disallows the listing of principals or poli‐
cies in the database.
m Allows the modification of principals or poli‐
cies in the database.
M Disallows the modification of principals or
policies in the database.
p Allow the propagation of the principal data‐
base.
P Disallow the propagation of the principal
database.
u Allows the creation of one-component user
principals whose password can be validated
with PAM.
U Negates the u privilege.
x Short for specifying privileges a, d,m,c,i,
and l. The same as *.
* Short for specifying privileges a, d,m,c,i,
and l. The same as x.
operation-target Optional. When specified, the privileges apply to
the principal when it operates on the operation-
target. For the operation-target, you can specify a
partially or fully qualified Kerberos principal
name. Each component of the name can be substituted
by a wildcard, using the asterisk ( * ) character.
EXAMPLES
Example 1 Specifying a Standard, Fully Qualified Name
The following ACL entry specifies a standard, fully qualified name:
user/instance@realm adm
The operation-mask applies only to the user/instance@realm principal
and specifies that the principal can add, delete, or modify principals
and policies, but it cannot change passwords.
Example 2 Specifying a Standard Fully Qualified Name and Target
The following ACL entry specifies a standard, fully qualified name:
user/instance@realm cim service/instance@realm
The operation-mask applies only to the user/instance@realm principal
operating on the service/instance@realm target, and specifies that the
principal can change the target's password, request information about
the target, and modify it.
Example 3 Specifying a Name Using a Wildcard
The following ACL entry specifies a name using a wildcard:
user/*@realm ac
The operation-mask applies to all principals in realm realm whose first
component is user and specifies that the principals can add principals
and change passwords.
Example 4 Specifying a Name Using a Wildcard and a Target
The following ACL entry specifies a name using a wildcard and a target:
user/*@realm i */instance@realm
The operation-mask applies to all principals in realm realm whose first
component is user and specifies that the principals can perform
inquiries on principals whose second component is instance and realm is
realm.
Example 5 Specifying Incremental Propagation Privileges
The following ACL entry specifies propagation privileges for the kiprop
service principal:
kiprop/slavehost@realm p
The operation-mask applies to the kiprop service principal for the
specified slave host slavehost in realm realm. This specifies that the
associated kiprop service principal can receive incremental principal
updates.
FILES
/etc/krb5/kdc.conf KDC configuration information.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
┌─────────────────────────────┬─────────────────────────────┐
│ ATTRIBUTE TYPE │ ATTRIBUTE VALUE │
├─────────────────────────────┼─────────────────────────────┤
│Availability │system/security/kerberos-5 │
├─────────────────────────────┼─────────────────────────────┤
│Interface Stability │Committed │
└─────────────────────────────┴─────────────────────────────┘
SEE ALSOkpasswd(1), gkadmin(1M), kadmind(1M), kadmin.local(1M), kdb5_util(1M),
kdc.conf(4), attributes(5), kerberos(5), pam_krb5_migrate(5)SunOS 5.11 26 Apr 2004 kadm5.acl(4)