Dear all,

Heimdal 7.3 seems to suffer from a bug in privilege checking. A prinicipal
having all rights on the database is unable to extract keytabs:

[kdc1] /root # cat /var/heimdal/kadmind.acl 
<myaccount>/admin@<MYREALM> all

[chip-vm8] /root # kadmin -p <myaccount>/admin -a kdc1
kadmin> ext -k /root/keytab <principal>
<myaccount>/admin@<MYREALM>'s Password: 
kadmin: ext <principal>: Operation requires `get-keys' privilege

Kadmind logs the error:

Jun 26 11:11:08 kdc1 kadmind[10116]: connection from IPv4:<ip>
Jun 26 11:11:10 kdc1 kadmind[10564]: <myaccount>/admin@<MYREALM>: GET 
Jun 26 11:11:10 kdc1 kadmind[10564]: GET: Operation requires `get-keys' 

That does not change even when explicitly listing all rights:

[kdc1] /root # cat /var/heimdal/kadmind.acl 
<myaccount>/admin@<MYREALM> cpw list delete modify add get get-keys

It works using 'kadmin -l ext -k /root/keytab <principal>', though. Other
commands like get, cpw, etc. work correctly.

Is this a known issue? Any idea for a workaround?

| Andreas Haupt            | E-Mail:
|  DESY Zeuthen            | WWW:
|  Platanenallee 6         | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen         | Fax:    +49/33762/7-7216

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to