
Re: kadmin ACL question




"Henry B. Hotz" <hotz@jpl.nasa.gov> writes:

> In AFS a user can do a kas examine to look at his own principal. In
> particular he can see what his password expiration time is.
>
> It would appear that the equivalent Kerberos 5 command is kadmin
> get. Is there an ACL entry that would match all principals with null
> instances (ordinary users) and allow them to do a get operation, but
> only on themselves, not anyone else?

The only implicit right a user has is the ability to change their own
password (but with the password quality check). All other rights must be
given to the user.

Many people seem to have different ideas about what policies should look like; I
don't know how to please everyone except by calling out to an external
program/shared object in _kadm5_acl_check_permission() and having that do the
authorization.

> Is the answer to the above perchance different for MIT?

It doesn't look that way, but I might very well be wrong; I just tried to
decipher their RPC stubs.

Love

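As an added illustration (not code from this thread, nor from Heimdal or MIT), here is a Python sketch of the kind of external authorization check the reply suggests hooking into _kadm5_acl_check_permission(): it evaluates kadmind.acl-style entries (the ACL text and principals below are constructed, and matching the target pattern with fnmatch is an assumption) and layers the self-only "get" rule from the question on top of the implicit change-password right.

```python
import fnmatch

# Constructed ACL in the style of a kadmind.acl file:
#   principal  right[,right...]  [target-pattern]
# Names and realm are made up for this example.
ACL_TEXT = """
# full administrator
admin/admin@EXAMPLE.ORG      all
# helpdesk may inspect and reset passwords for any principal in the realm
helpdesk/admin@EXAMPLE.ORG   cpw,get   *@EXAMPLE.ORG
"""

def parse_acl(text):
    """Return a list of (principal, set_of_rights, target_pattern)."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments/blank lines
        if not line:
            continue
        parts = line.split()
        rights = set(parts[1].split(","))
        pattern = parts[2] if len(parts) > 2 else "*"   # no pattern: any target
        entries.append((parts[0], rights, pattern))
    return entries

def acl_allows(entries, client, op, target):
    """Explicit grant: an entry for this client covering op and target."""
    for principal, rights, pattern in entries:
        if principal != client:
            continue
        if ("all" in rights or op in rights) and fnmatch.fnmatchcase(target, pattern):
            return True
    return False

def is_plain_user(principal):
    """'Null instance': name@REALM with no '/' component in the name."""
    return "/" not in principal.split("@", 1)[0]

def check_permission(entries, client, op, target):
    """Hypothetical replacement policy for _kadm5_acl_check_permission().

    1. Anything the ACL file grants explicitly.
    2. The implicit right the thread mentions: change own password.
    3. The rule the question asks for: an ordinary user may 'get'
       (inspect) only their own principal, nobody else's.
    """
    if acl_allows(entries, client, op, target):
        return True
    if op == "cpw" and client == target:
        return True
    return op == "get" and is_plain_user(client) and client == target
```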