'\" te .\" Copyright (c) 2006 Sun Microsystems, Inc. All Rights Reserved .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License. .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] .TH KADM5.ACL 4 "Oct 29, 2015" .SH NAME kadm5.acl \- Kerberos access control list (ACL) file .SH SYNOPSIS .LP .nf \fB/etc/krb5/kadm5.acl\fR .fi .SH DESCRIPTION .sp .LP The \fBACL\fR file is used by the \fBkadmind\fR(1M) command to determine which principals are allowed to perform Kerberos administration actions. For operations that affect principals, the \fBACL\fR file also controls which principals can operate on which other principals. The location of the \fBACL\fR file is determined by the \fBacl_file\fR configuration variable in the \fBkdc.conf\fR(4) file. The default location is \fB/etc/krb5/kadm5.acl\fR. .sp .LP For incremental propagation, see \fBkadmind\fR(1M). The ACL file must contain the \fBkiprop\fR service principal with propagation privileges in order for the slave KDC to pull updates from the master's principal database. Refer to the EXAMPLES section for this case. .sp .LP The \fBACL\fR file can contain comment lines, null lines, or lines that contain \fBACL\fR entries. Comment lines start with the pound sign (\fB#\fR) and continue until the end of the line. .sp .LP The order of entries is significant. The first matching entry specifies the principal on which the control access applies, whether it is on just the principal or on the principal when it operates on a target principal. .sp .LP Lines containing \fBACL\fR entries must have the following format: .sp .in +2 .nf \fIprincipal\fR \fIoperation-mask\fR [\fIoperation-target\fR] .fi .in -2 .sp .sp .ne 2 .na \fB\fIprincipal\fR\fR .ad .RS 20n Specifies the principal on which the \fIoperation-mask\fR applies. Can specify either a partially or fully qualified Kerberos principal name. Each component of the name can be substituted with a wildcard, using the asterisk ( \fB*\fR ) character. .RE .sp .ne 2 .na \fB\fIoperation-mask\fR\fR .ad .RS 20n Specifies what operations can or cannot be performed by a principal matching a particular entry. Specify \fIoperation-mask\fR as one or more \fIprivilege\fRs. .sp A \fIprivilege\fR is a string of one or more of the following characters: \fBa\fR, \fBA\fR, \fBc\fR, \fBC\fR, \fBd\fR, \fBD\fR, \fBi\fR, \fBI\fR, \fBl\fR, \fBL\fR, \fBm\fR, \fBM\fR, \fBp\fR, \fBP\fR, \fBu\fR, \fBU\fR, \fBx\fR, or \fB*\fR. Generally, if the character is lowercase, the privilege is allowed and if the character is uppercase, the operation is disallowed. The \fBx\fR and \fB*\fR characters are exceptions to the uppercase convention. .sp The following \fIprivilege\fRs are supported: .sp .ne 2 .na \fB\fBa\fR\fR .ad .RS 5n Allows the addition of principals or policies in the database. .RE .sp .ne 2 .na \fB\fBA\fR\fR .ad .RS 5n Disallows the addition of principals or policies in the database. .RE .sp .ne 2 .na \fB\fBc\fR\fR .ad .RS 5n Allows the changing of passwords for principals in the database. .RE .sp .ne 2 .na \fB\fBC\fR\fR .ad .RS 5n Disallows the changing of passwords for principals in the database. .RE .sp .ne 2 .na \fB\fBd\fR\fR .ad .RS 5n Allows the deletion of principals or policies in the database. .RE .sp .ne 2 .na \fB\fBD\fR\fR .ad .RS 5n Disallows the deletion of principals or policies in the database. .RE .sp .ne 2 .na \fB\fBi\fR\fR .ad .RS 5n Allows inquiries to the database. .RE .sp .ne 2 .na \fB\fBI\fR\fR .ad .RS 5n Disallows inquiries to the database. .RE .sp .ne 2 .na \fB\fBl\fR\fR .ad .RS 5n Allows the listing of principals or policies in the database. .RE .sp .ne 2 .na \fB\fBL\fR\fR .ad .RS 5n Disallows the listing of principals or policies in the database. .RE .sp .ne 2 .na \fB\fBm\fR\fR .ad .RS 5n Allows the modification of principals or policies in the database. .RE .sp .ne 2 .na \fB\fBM\fR\fR .ad .RS 5n Disallows the modification of principals or policies in the database. .RE .sp .ne 2 .na \fB\fBp\fR\fR .ad .RS 5n Allow the propagation of the principal database. .RE .sp .ne 2 .na \fB\fBP\fR\fR .ad .RS 5n Disallow the propagation of the principal database. .RE .sp .ne 2 .na \fB\fBu\fR\fR .ad .RS 5n Allows the creation of one-component user principals whose password can be validated with PAM. .RE .sp .ne 2 .na \fB\fBU\fR\fR .ad .RS 5n Negates the \fBu\fR privilege. .RE .sp .ne 2 .na \fB\fBx\fR\fR .ad .RS 5n Short for specifying privileges \fBa\fR, \fBd\fR,\fBm\fR,\fBc\fR,\fBi\fR, and \fBl\fR. The same as \fB*\fR. .RE .sp .ne 2 .na \fB\fB*\fR\fR .ad .RS 5n Short for specifying privileges \fBa\fR, \fBd\fR,\fBm\fR,\fBc\fR,\fBi\fR, and \fBl\fR. The same as \fBx\fR. .RE .RE .sp .ne 2 .na \fB\fIoperation-target\fR\fR .ad .RS 20n Optional. When specified, the \fIprivileges\fR apply to the \fIprincipal\fR when it operates on the \fIoperation-target\fR. For the \fIoperation-target\fR, you can specify a partially or fully qualified Kerberos principal name. Each component of the name can be substituted by a wildcard, using the asterisk ( \fB*\fR ) character. .RE .SH EXAMPLES .LP \fBExample 1 \fRSpecifying a Standard, Fully Qualified Name .sp .LP The following ACL entry specifies a standard, fully qualified name: .sp .in +2 .nf user/instance@realm adm .fi .in -2 .sp .sp .LP The \fIoperation-mask\fR applies only to the \fBuser/instance@realm\fR principal and specifies that the principal can add, delete, or modify principals and policies, but it cannot change passwords. .LP \fBExample 2 \fRSpecifying a Standard Fully Qualified Name and Target .sp .LP The following ACL entry specifies a standard, fully qualified name: .sp .in +2 .nf user/instance@realm cim service/instance@realm .fi .in -2 .sp .sp .LP The \fIoperation-mask\fR applies only to the \fBuser/instance@realm\fR principal operating on the \fBservice/instance@realm\fR target, and specifies that the principal can change the target's password, request information about the target, and modify it. .LP \fBExample 3 \fRSpecifying a Name Using a Wildcard .sp .LP The following ACL entry specifies a name using a wildcard: .sp .in +2 .nf user/*@realm ac .fi .in -2 .sp .sp .LP The \fIoperation-mask\fR applies to all principals in realm \fBrealm\fR whose first component is \fBuser\fR and specifies that the principals can add principals and change passwords. .LP \fBExample 4 \fRSpecifying a Name Using a Wildcard and a Target .sp .LP The following ACL entry specifies a name using a wildcard and a target: .sp .in +2 .nf user/*@realm i */instance@realm .fi .in -2 .sp .sp .LP The \fIoperation-mask\fR applies to all principals in realm \fBrealm\fR whose first component is \fBuser\fR and specifies that the principals can perform inquiries on principals whose second component is \fBinstance\fR and realm is \fBrealm\fR. .LP \fBExample 5 \fRSpecifying Incremental Propagation Privileges .sp .LP The following ACL entry specifies propagation privileges for the \fBkiprop\fR service principal: .sp .in +2 .nf kiprop/slavehost@realm p .fi .in -2 .sp .LP The operation-mask applies to the \fBkiprop\fR service principal for the specified slave host \fBslavehost\fR in realm \fBrealm\fR. This specifies that the associated \fBkiprop\fR service principal can receive incremental principal updates. .SH FILES .sp .ne 2 .na \fB\fB/etc/krb5/kdc.conf\fR\fR .ad .RS 22n KDC configuration information. .RE .SH ATTRIBUTES .sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp .sp .TS box; c | c l | l . ATTRIBUTE TYPE ATTRIBUTE VALUE _ Interface Stability Evolving .TE .SH SEE ALSO .sp .LP \fBkpasswd\fR(1), \fBkadmind\fR(1M), \fBkadmin.local\fR(1M), \fBkdb5_util\fR(1M), \fBkdc.conf\fR(4), \fBattributes\fR(5), \fBkerberos\fR(5), \fBpam_krb5_migrate\fR(5)