[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Extract Keytab permissions

I'm having difficulty disentangling the permissions structure for  
kadmin[d].  Mostly it's pretty straightforward.  One permission from  
kadmind.acl maps to one admin command.

What I don't understand is ext_keytab.  I don't see how that command is  
protected, or what permission it uses.

What I'd like to do is specify an "admin" account that's allowed to get  
expiration dates and maybe enctypes for everybody, but can't extract a  
keytab for (and impersonate) anybody.  In other terms:  the metadata is  
OK, but the keys aren't.
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu