kadm5.acl man page on Archlinux

Man page or keyword search:  
man Server   11224 pages
apropos Keyword Search (all sections)
Output format
Archlinux logo
[printable version]

KADM5.ACL(5)			 MIT Kerberos			  KADM5.ACL(5)

       kadm5.acl - Kerberos ACL file

       The  Kerberos  kadmind(8) daemon uses an Access Control List (ACL) file
       to manage access rights to the Kerberos database.  For operations  that
       affect  principals,  the	 ACL  file  also controls which principals can
       operate on which other principals.

       The   default	location    of	  the	 Kerberos    ACL    file    is
       /var/lib/krb5kdc/kadm5.acl   unless  this is overridden by the acl_file
       variable in kdc.conf(5).

       Empty lines and lines starting with the sharp  sign  (#)	 are  ignored.
       Lines containing ACL entries have the format:

	  principal  permissions  [target_principal  [restrictions] ]

       Note   Line  order  in  the  ACL file is important.  The first matching
	      entry will control access for an actor  principal	 on  a	target

	      (Partially  or  fully qualified Kerberos principal name.) Speci‐
	      fies the principal whose permissions are to be set.

	      Each component of the name may be wildcarded using the * charac‐

	      Specifies what operations may or may not be performed by a prin‐
	      cipal matching a particular entry.  This is a string of  one  or
	      more  of	the  following	list of characters or their upper-case
	      counterparts.  If the character is upper-case, then  the	opera‐
	      tion  is	disallowed.   If the character is lower-case, then the
	      operation is permitted.

			      │a │ [Dis]allows	the  addition │
			      │	 │ of principals or policies  │
			      │c │ [Dis]allows	the  changing │
			      │	 │ of passwords	 for  princi‐ │
			      │	 │ pals			      │
			      │d │ [Dis]allows	the  deletion │
			      │	 │ of principals or policies  │
			      │i │ [Dis]allows	    inquiries │
			      │	 │ about  principals or poli‐ │
			      │	 │ cies			      │
			      │l │ [Dis]allows the listing of │
			      │	 │ principals or policies     │
			      │m │ [Dis]allows	the modifica‐ │
			      │	 │ tion	 of   principals   or │
			      │	 │ policies		      │

			      │p │ [Dis]allows	the  propaga‐ │
			      │	 │ tion	 of   the   principal │
			      │	 │ database	 (used	   in │
			      │	 │ incr_db_prop)	      │
			      │s │ [Dis]allows	the  explicit │
			      │	 │ setting  of	the key for a │
			      │	 │ principal		      │
			      │x │ Short  for	admcil.	  All │
			      │	 │ privileges		      │
			      │* │ Same as x.		      │

	      (Optional.  Partially  or	 fully	qualified  Kerberos  principal
	      name.)  Specifies the principal  on  which  permissions  may  be
	      applied.	Each component of the name may be wildcarded using the
	      * character.

	      target_principal can also include back-references to  principal,
	      in  which	 *number matches the corresponding wildcard in princi‐

	      (Optional) A string of flags. Allowed restrictions are:

			flag is forced to the indicated value.	The  permissi‐
			ble  flags  are	 the same as the + and - flags for the
			kadmin add_principal and modify_principal commands.

			policy is forced to be empty.

		 -policy pol
			policy is forced to be pol.

		 -{expire, pwexpire, maxlife, maxrenewlife} time
			(getdate string) associated value will	be  forced  to
			MIN(time, requested value).

	      The  above flags act as restrictions on any add or modify opera‐
	      tion which is allowed due to that ACL line.

	      If the kadmind ACL file is modified, the kadmind daemon needs to
	      be restarted for changes to take effect.

       Here is an example of a kadm5.acl file.

	  */admin@ATHENA.MIT.EDU	*			    # line 1
	  joeadmin@ATHENA.MIT.EDU   ADMCIL			    # line 2
	  joeadmin/*@ATHENA.MIT.EDU il	*/root@ATHENA.MIT.EDU	    # line 3
	  */root@ATHENA.MIT.EDU	    cil *1@ATHENA.MIT.EDU	    # line 4
	  */*@ATHENA.MIT.EDU	    i				    # line 5
	  */admin@EXAMPLE.COM	    x	* -maxlife 9h -postdateable # line 6

       (line  1)  Any  principal  in  the  ATHENA.MIT.EDU  realm with an admin
       instance has all administrative privileges.

       (lines 1-3) The user  joeadmin  has  all	 permissions  with  his	 admin
       instance,  joeadmin/admin@ATHENA.MIT.EDU	 (matches  line 1).  He has no
       permissions at all  with	 his  null  instance,  joeadmin@ATHENA.MIT.EDU
       (matches	 line  2).   His  root and other non-admin, non-null instances
       (e.g., extra or dbadmin) have inquire and  list	permissions  with  any
       principal that has the instance root (matches line 3).

       (line  4)  Any  root  principal in ATHENA.MIT.EDU can inquire, list, or
       change the password of their null instance,  but	 not  any  other  null
       instance.  (Here, *1 denotes a back-reference to the component matching
       the first wildcard in the actor principal.)

       (line 5) Any principal in the realm ATHENA.MIT.EDU (except  for	joead‐
       min@ATHENA.MIT.EDU, as mentioned above) has inquire privileges.

       (line  6)  Finally, any principal with an admin instance in EXAMPLE.COM
       has all permissions, but any principal that they create or modify  will
       not  be	able  to  get  postdateable  tickets or tickets with a life of
       longer than 9 hours.

       kdc.conf(5), kadmind(8)


       1985-2013, MIT

1.12.1								  KADM5.ACL(5)

List of man pages available for Archlinux

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
Vote for polarhome
Free Shell Accounts :: the biggest list on the net