KADM5.ACL(5) MIT Kerberos KADM5.ACL(5)
NAME
kadm5.acl - Kerberos ACL file
DESCRIPTION
The Kerberos kadmind(8) daemon uses an Access Control List (ACL) file
to manage access rights to the Kerberos database. For operations that
affect principals, the ACL file also controls which principals can
operate on which other principals.
The default location of the Kerberos ACL file is
/var/lib/krb5kdc/kadm5.acl unless this is overridden by the acl_file
variable in kdc.conf(5).
SYNTAX
Empty lines and lines starting with the sharp sign (#) are ignored.
Lines containing ACL entries have the format:
principal permissions [target_principal [restrictions] ]
Note: Line order in the ACL file is important. The first matching entry will control access for an actor principal on a target principal.
principal
(Partially or fully qualified Kerberos principal name.) Specifies the principal whose permissions are to be set.
Each component of the name may be wildcarded using the * character.
permissions
Specifies what operations may or may not be performed by a principal matching a particular entry. This is a string of one or more of the following list of characters or their upper-case counterparts. If the character is upper-case, then the operation is disallowed. If the character is lower-case, then the operation is permitted.
┌──┬──────────────────────────────────────────────────────────┐
│a │ [Dis]allows the addition of principals or policies       │
├──┼──────────────────────────────────────────────────────────┤
│c │ [Dis]allows the changing of passwords for principals     │
├──┼──────────────────────────────────────────────────────────┤
│d │ [Dis]allows the deletion of principals or policies       │
├──┼──────────────────────────────────────────────────────────┤
│i │ [Dis]allows inquiries about principals or policies       │
├──┼──────────────────────────────────────────────────────────┤
│l │ [Dis]allows the listing of principals or policies        │
├──┼──────────────────────────────────────────────────────────┤
│m │ [Dis]allows the modification of principals or policies   │
├──┼──────────────────────────────────────────────────────────┤
│p │ [Dis]allows the propagation of the principal database    │
│  │ (used in incr_db_prop)                                   │
├──┼──────────────────────────────────────────────────────────┤
│s │ [Dis]allows the explicit setting of the key for a        │
│  │ principal                                                │
├──┼──────────────────────────────────────────────────────────┤
│x │ Short for admcil. All privileges                         │
├──┼──────────────────────────────────────────────────────────┤
│* │ Same as x.                                               │
└──┴──────────────────────────────────────────────────────────┘
target_principal
(Optional. Partially or fully qualified Kerberos principal
name.) Specifies the principal on which permissions may be
applied. Each component of the name may be wildcarded using the
* character.
target_principal can also include back-references to principal, in which *number matches the corresponding wildcard in principal.
restrictions
(Optional) A string of flags. Allowed restrictions are:
{+|-}flagname
flag is forced to the indicated value. The permissible flags are the same as the + and - flags for the kadmin add_principal and modify_principal commands.
-clearpolicy
policy is forced to be empty.
-policy pol
policy is forced to be pol.
-{expire, pwexpire, maxlife, maxrenewlife} time
(getdate string) associated value will be forced to
MIN(time, requested value).
The above flags act as restrictions on any add or modify operation which is allowed due to that ACL line.
Warning: If the kadmind ACL file is modified, the kadmind daemon needs to be restarted for changes to take effect.
EXAMPLE
Here is an example of a kadm5.acl file.
*/admin@ATHENA.MIT.EDU * # line 1
joeadmin@ATHENA.MIT.EDU ADMCIL # line 2
joeadmin/*@ATHENA.MIT.EDU il */root@ATHENA.MIT.EDU # line 3
*/root@ATHENA.MIT.EDU cil *1@ATHENA.MIT.EDU # line 4
*/*@ATHENA.MIT.EDU i # line 5
*/admin@EXAMPLE.COM x * -maxlife 9h -postdateable # line 6
(line 1) Any principal in the ATHENA.MIT.EDU realm with an admin
instance has all administrative privileges.
(lines 1-3) The user joeadmin has all permissions with his admin
instance, joeadmin/admin@ATHENA.MIT.EDU (matches line 1). He has no
permissions at all with his null instance, joeadmin@ATHENA.MIT.EDU
(matches line 2). His root and other non-admin, non-null instances
(e.g., extra or dbadmin) have inquire and list permissions with any
principal that has the instance root (matches line 3).
(line 4) Any root principal in ATHENA.MIT.EDU can inquire, list, or
change the password of their null instance, but not any other null
instance. (Here, *1 denotes a back-reference to the component matching
the first wildcard in the actor principal.)
(line 5) Any principal in the realm ATHENA.MIT.EDU (except for joeadmin@ATHENA.MIT.EDU, as mentioned above) has inquire privileges.
(line 6) Finally, any principal with an admin instance in EXAMPLE.COM
has all permissions, but any principal that they create or modify will
not be able to get postdateable tickets or tickets with a life of
longer than 9 hours.
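To make the matching rules above concrete, here is an added Python model of the ACL evaluation this page describes; it is illustrative code written for this page, not part of MIT Kerberos, and the function names are its own. It parses the EXAMPLE file, applies first-match semantics, expands x and *, resolves *N back-references against the actor's wildcards, and reports the restrictions attached to the winning line. It assumes that a wildcard matches one whole component, that a pattern only matches names with the same number of components, and that an entry naming a target_principal applies only to operations that carry a matching target.

```python
# Constructed sample: the ACL from the EXAMPLE section above, comments dropped.
SAMPLE_ACL = """\
*/admin@ATHENA.MIT.EDU *
joeadmin@ATHENA.MIT.EDU ADMCIL
joeadmin/*@ATHENA.MIT.EDU il */root@ATHENA.MIT.EDU
*/root@ATHENA.MIT.EDU cil *1@ATHENA.MIT.EDU
*/*@ATHENA.MIT.EDU i
*/admin@EXAMPLE.COM x * -maxlife 9h -postdateable
"""

def match_principal(pattern, name, backrefs=None):
    """Component-wise match of 'a/b@REALM' names: '*' matches any component and
    is captured in order; '*N' (in a target) must equal the N-th actor capture."""
    pat, nam = (s.replace("@", "/").split("/") for s in (pattern, name))
    if len(pat) != len(nam):  # assumption: component counts must agree
        return None
    captured = []
    for p, n in zip(pat, nam):
        if p == "*":
            captured.append(n)
            continue
        if p.startswith("*") and p[1:].isdigit() and backrefs is not None:
            ref = int(p[1:]) - 1  # *1 refers to the first actor wildcard
            p = backrefs[ref] if ref < len(backrefs) else None
        if p != n:
            return None
    return captured

def parse_acl(text):
    """(principal, permissions, target, restrictions) per entry; target '*' -> None."""
    entries = []
    for fields in (line.split(None, 3) for line in text.splitlines()):
        if len(fields) < 2 or fields[0].startswith("#"):
            continue  # blank lines and comments are ignored
        principal, perms, target, restr = (fields + [None, None])[:4]
        entries.append((principal, perms, None if target == "*" else target, restr or ""))
    return entries

def check(entries, actor, op, target=None):
    """First matching entry decides (line order matters); returns (allowed, restrictions)."""
    for principal, perms, tgt, restr in entries:
        caps = match_principal(principal, actor)
        if caps is None:
            continue
        if tgt and (target is None or match_principal(tgt, target, caps) is None):
            continue  # entry names a target, so it applies only to matching targets
        if "x" in perms or "*" in perms:
            perms = "admcil"  # x and * are shorthand for all privileges
        return op in perms, restr  # upper-case letters never match a lower-case op
    return False, ""
```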
SEE ALSO
kdc.conf(5), kadmind(8)
AUTHOR
MIT
COPYRIGHT
1985-2013, MIT
1.12.1 KADM5.ACL(5)