1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
|
'\" te
.\" Copyright (c) 2006 Sun Microsystems, Inc. All Rights Reserved
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
.\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH KADM5.ACL 4 "Oct 29, 2015"
.SH NAME
kadm5.acl \- Kerberos access control list (ACL) file
.SH SYNOPSIS
.LP
.nf
\fB/etc/krb5/kadm5.acl\fR
.fi
.SH DESCRIPTION
.sp
.LP
The \fBACL\fR file is used by the \fBkadmind\fR(1M) command to determine which
principals are allowed to perform Kerberos administration actions. For
operations that affect principals, the \fBACL\fR file also controls which
principals can operate on which other principals. The location of the \fBACL\fR
file is determined by the \fBacl_file\fR configuration variable in the
\fBkdc.conf\fR(4) file. The default location is \fB/etc/krb5/kadm5.acl\fR.
.sp
.LP
For incremental propagation, see \fBkadmind\fR(1M). The ACL file must contain
the \fBkiprop\fR service principal with propagation privileges in order for the
slave KDC to pull updates from the master's principal database. Refer to the
EXAMPLES section for this case.
.sp
.LP
The \fBACL\fR file can contain comment lines, null lines, or lines that contain
\fBACL\fR entries. Comment lines start with the pound sign (\fB#\fR) and
continue until the end of the line.
.sp
.LP
The order of entries is significant. The first matching entry specifies the
principal on which the control access applies, whether it is on just the
principal or on the principal when it operates on a target principal.
.sp
.LP
Lines containing \fBACL\fR entries must have the following format:
.sp
.in +2
.nf
\fIprincipal\fR \fIoperation-mask\fR [\fIoperation-target\fR]
.fi
.in -2
.sp
.sp
.ne 2
.na
\fB\fIprincipal\fR\fR
.ad
.RS 20n
Specifies the principal on which the \fIoperation-mask\fR applies. Can specify
either a partially or fully qualified Kerberos principal name. Each component
of the name can be substituted with a wildcard, using the asterisk ( \fB*\fR )
character.
.RE
.sp
.ne 2
.na
\fB\fIoperation-mask\fR\fR
.ad
.RS 20n
Specifies what operations can or cannot be performed by a principal matching a
particular entry. Specify \fIoperation-mask\fR as one or more \fIprivilege\fRs.
.sp
A \fIprivilege\fR is a string of one or more of the following characters:
\fBa\fR, \fBA\fR, \fBc\fR, \fBC\fR, \fBd\fR, \fBD\fR, \fBi\fR, \fBI\fR,
\fBl\fR, \fBL\fR, \fBm\fR, \fBM\fR, \fBp\fR, \fBP\fR, \fBu\fR, \fBU\fR,
\fBx\fR, or \fB*\fR. Generally, if the character is lowercase, the privilege is
allowed and if the character is uppercase, the operation is disallowed. The
\fBx\fR and \fB*\fR characters are exceptions to the uppercase convention.
.sp
The following \fIprivilege\fRs are supported:
.sp
.ne 2
.na
\fB\fBa\fR\fR
.ad
.RS 5n
Allows the addition of principals or policies in the database.
.RE
.sp
.ne 2
.na
\fB\fBA\fR\fR
.ad
.RS 5n
Disallows the addition of principals or policies in the database.
.RE
.sp
.ne 2
.na
\fB\fBc\fR\fR
.ad
.RS 5n
Allows the changing of passwords for principals in the database.
.RE
.sp
.ne 2
.na
\fB\fBC\fR\fR
.ad
.RS 5n
Disallows the changing of passwords for principals in the database.
.RE
.sp
.ne 2
.na
\fB\fBd\fR\fR
.ad
.RS 5n
Allows the deletion of principals or policies in the database.
.RE
.sp
.ne 2
.na
\fB\fBD\fR\fR
.ad
.RS 5n
Disallows the deletion of principals or policies in the database.
.RE
.sp
.ne 2
.na
\fB\fBi\fR\fR
.ad
.RS 5n
Allows inquiries to the database.
.RE
.sp
.ne 2
.na
\fB\fBI\fR\fR
.ad
.RS 5n
Disallows inquiries to the database.
.RE
.sp
.ne 2
.na
\fB\fBl\fR\fR
.ad
.RS 5n
Allows the listing of principals or policies in the database.
.RE
.sp
.ne 2
.na
\fB\fBL\fR\fR
.ad
.RS 5n
Disallows the listing of principals or policies in the database.
.RE
.sp
.ne 2
.na
\fB\fBm\fR\fR
.ad
.RS 5n
Allows the modification of principals or policies in the database.
.RE
.sp
.ne 2
.na
\fB\fBM\fR\fR
.ad
.RS 5n
Disallows the modification of principals or policies in the database.
.RE
.sp
.ne 2
.na
\fB\fBp\fR\fR
.ad
.RS 5n
Allow the propagation of the principal database.
.RE
.sp
.ne 2
.na
\fB\fBP\fR\fR
.ad
.RS 5n
Disallow the propagation of the principal database.
.RE
.sp
.ne 2
.na
\fB\fBu\fR\fR
.ad
.RS 5n
Allows the creation of one-component user principals whose password can be
validated with PAM.
.RE
.sp
.ne 2
.na
\fB\fBU\fR\fR
.ad
.RS 5n
Negates the \fBu\fR privilege.
.RE
.sp
.ne 2
.na
\fB\fBx\fR\fR
.ad
.RS 5n
Short for specifying privileges \fBa\fR, \fBd\fR,\fBm\fR,\fBc\fR,\fBi\fR, and
\fBl\fR. The same as \fB*\fR.
.RE
.sp
.ne 2
.na
\fB\fB*\fR\fR
.ad
.RS 5n
Short for specifying privileges \fBa\fR, \fBd\fR,\fBm\fR,\fBc\fR,\fBi\fR, and
\fBl\fR. The same as \fBx\fR.
.RE
.RE
.sp
.ne 2
.na
\fB\fIoperation-target\fR\fR
.ad
.RS 20n
Optional. When specified, the \fIprivileges\fR apply to the \fIprincipal\fR
when it operates on the \fIoperation-target\fR. For the \fIoperation-target\fR,
you can specify a partially or fully qualified Kerberos principal name. Each
component of the name can be substituted by a wildcard, using the asterisk (
\fB*\fR ) character.
.RE
.SH EXAMPLES
.LP
\fBExample 1 \fRSpecifying a Standard, Fully Qualified Name
.sp
.LP
The following ACL entry specifies a standard, fully qualified name:
.sp
.in +2
.nf
user/instance@realm adm
.fi
.in -2
.sp
.sp
.LP
The \fIoperation-mask\fR applies only to the \fBuser/instance@realm\fR
principal and specifies that the principal can add, delete, or modify
principals and policies, but it cannot change passwords.
.LP
\fBExample 2 \fRSpecifying a Standard Fully Qualified Name and Target
.sp
.LP
The following ACL entry specifies a standard, fully qualified name:
.sp
.in +2
.nf
user/instance@realm cim service/instance@realm
.fi
.in -2
.sp
.sp
.LP
The \fIoperation-mask\fR applies only to the \fBuser/instance@realm\fR
principal operating on the \fBservice/instance@realm\fR target, and specifies
that the principal can change the target's password, request information about
the target, and modify it.
.LP
\fBExample 3 \fRSpecifying a Name Using a Wildcard
.sp
.LP
The following ACL entry specifies a name using a wildcard:
.sp
.in +2
.nf
user/*@realm ac
.fi
.in -2
.sp
.sp
.LP
The \fIoperation-mask\fR applies to all principals in realm \fBrealm\fR whose
first component is \fBuser\fR and specifies that the principals can add
principals and change passwords.
.LP
\fBExample 4 \fRSpecifying a Name Using a Wildcard and a Target
.sp
.LP
The following ACL entry specifies a name using a wildcard and a target:
.sp
.in +2
.nf
user/*@realm i */instance@realm
.fi
.in -2
.sp
.sp
.LP
The \fIoperation-mask\fR applies to all principals in realm \fBrealm\fR whose
first component is \fBuser\fR and specifies that the principals can perform
inquiries on principals whose second component is \fBinstance\fR and realm is
\fBrealm\fR.
.LP
\fBExample 5 \fRSpecifying Incremental Propagation Privileges
.sp
.LP
The following ACL entry specifies propagation privileges for the \fBkiprop\fR
service principal:
.sp
.in +2
.nf
kiprop/slavehost@realm p
.fi
.in -2
.sp
.LP
The operation-mask applies to the \fBkiprop\fR service principal for the
specified slave host \fBslavehost\fR in realm \fBrealm\fR. This specifies that
the associated \fBkiprop\fR service principal can receive incremental principal
updates.
.SH FILES
.sp
.ne 2
.na
\fB\fB/etc/krb5/kdc.conf\fR\fR
.ad
.RS 22n
KDC configuration information.
.RE
.SH ATTRIBUTES
.sp
.LP
See \fBattributes\fR(5) for descriptions of the following attributes:
.sp
.sp
.TS
box;
c | c
l | l .
ATTRIBUTE TYPE ATTRIBUTE VALUE
_
Interface Stability Evolving
.TE
.SH SEE ALSO
.sp
.LP
\fBkpasswd\fR(1), \fBkadmind\fR(1M), \fBkadmin.local\fR(1M),
\fBkdb5_util\fR(1M), \fBkdc.conf\fR(4), \fBattributes\fR(5), \fBkerberos\fR(5),
\fBpam_krb5_migrate\fR(5)
|
