Dear all,

Heimdal 7.3 seems to suffer from a bug in privilege checking. A principal having all rights on the database is unable to extract keytabs:

[kdc1] /root # cat /var/heimdal/kadmind.acl
<myaccount>/admin@<MYREALM> all

[chip-vm8] /root # kadmin -p <myaccount>/admin -a kdc1
kadmin> ext -k /root/keytab <principal>
<myaccount>/admin@<MYREALM>'s Password:
kadmin: ext <principal>: Operation requires `get-keys' privilege

Kadmind logs the error:

Jun 26 11:11:08 kdc1 kadmind[10116]: connection from IPv4:<ip>
Jun 26 11:11:10 kdc1 kadmind[10564]: <myaccount>/admin@<MYREALM>: GET principal@<MYREALM>
Jun 26 11:11:10 kdc1 kadmind[10564]: GET: Operation requires `get-keys' privilege

That does not change even when explicitly listing all rights:

[kdc1] /root # cat /var/heimdal/kadmind.acl
<myaccount>/admin@<MYREALM> cpw list delete modify add get get-keys

It works using 'kadmin -l ext -k /root/keytab <principal>', though. Other commands like get, cpw, etc. work correctly.

Is this a known issue? Any idea for a workaround?

Thanks,
Andreas

--
| Andreas Haupt | E-Mail: andreas.ha...@desy.de
| DESY Zeuthen | WWW: http://www-zeuthen.desy.de/~ahaupt
| Platanenallee 6 | Phone: +49/33762/7-7359
| D-15738 Zeuthen | Fax: +49/33762/7-7216