Sorry for replying to myself, but I guess I found the answer:

https://github.com/heimdal/heimdal/issues/96 contains the discussion.

When the kadmind.acl looks like this, the kadmin 'privileges' command won't
contain the 'get-keys' right, but ext_keytab will work anyway:

[kdc1] /root # cat /var/heimdal/kadmind.acl
<myaccount>/admin@<MYREALM> cpw,list,delete,modify,add,get,get-keys


So, this behaviour change is anything but nice; nevertheless, it still
works ...

Cheers,
Andreas

On Mon, 2017-06-26 at 11:18 +0200, Andreas Haupt wrote:
> Dear all,
> 
> Heimdal 7.3 seems to suffer from a bug in privilege checking. A principal
> having all rights on the database is unable to extract keytabs:
> 
> [kdc1] /root # cat /var/heimdal/kadmind.acl 
> <myaccount>/admin@<MYREALM> all
> 
> [chip-vm8] /root # kadmin -p <myaccount>/admin -a kdc1
> kadmin> ext -k /root/keytab <principal>
> <myaccount>/admin@<MYREALM>'s Password: 
> kadmin: ext <principal>: Operation requires `get-keys' privilege
> 
> Kadmind logs the error:
> 
> Jun 26 11:11:08 kdc1 kadmind[10116]: connection from IPv4:<ip>
> Jun 26 11:11:10 kdc1 kadmind[10564]: <myaccount>/admin@<MYREALM>: GET
> principal@<MYREALM>
> Jun 26 11:11:10 kdc1 kadmind[10564]: GET: Operation requires `get-keys'
> privilege
> 
> That does not change even when explicitly listing all rights:
> 
> [kdc1] /root # cat /var/heimdal/kadmind.acl 
> <myaccount>/admin@<MYREALM> cpw list delete modify add get get-keys
> 
> It works using 'kadmin -l ext -k /root/keytab <principal>', though. Other
> commands like get, cpw, etc. work correctly.
> 
> Is this a known issue? Any idea for a workaround?
> 
> Thanks,
> Andreas
-- 
| Andreas Haupt            | E-Mail: andreas.ha...@desy.de
|  DESY Zeuthen            | WWW:    http://www-zeuthen.desy.de/~ahaupt
|  Platanenallee 6         | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen         | Fax:    +49/33762/7-7216
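
An added example (not from this thread and not Heimdal's own code): a small Python lint that reads kadmind.acl lines the way the documented `principal rights [target-pattern]` format implies and reports whether a line really grants get-keys. It assumes the rights field is comma-separated (so a space-separated list ends at the first space and the next token is read as the target pattern) and, following what the thread observed with Heimdal 7.3, does not treat 'all' as implying get-keys; the principal names below are placeholders.

```python
# Added example, not from the mailing-list thread or from Heimdal itself.
# Assumption: a kadmind.acl line is "principal rights [target-pattern]",
# whitespace-separated, with a comma-separated rights field. A rights list
# written with spaces therefore ends at the first space and the next token
# is taken as the target pattern (the remaining rights are never granted).
# Assumption (matching the thread's observation): 'all' does not imply get-keys.
from dataclasses import dataclass, field
from typing import List, Optional, Set

KNOWN_RIGHTS = {"add", "cpw", "change-password", "delete", "get",
                "get-keys", "list", "modify"}
ALL_EXPANDS_TO = {"add", "cpw", "delete", "get", "list", "modify"}


@dataclass
class AclEntry:
    principal: str
    rights: Set[str]
    pattern: Optional[str]
    warnings: List[str] = field(default_factory=list)


def parse_acl_line(line: str) -> Optional[AclEntry]:
    """Parse one kadmind.acl line; blank lines and comments yield None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split(None, 2)              # principal, rights, rest of line
    principal = fields[0]
    rights_field = fields[1] if len(fields) > 1 else ""
    pattern = fields[2] if len(fields) > 2 else None
    rights: Set[str] = set()
    warnings: List[str] = []
    for r in filter(None, rights_field.split(",")):
        if r == "all":
            rights |= ALL_EXPANDS_TO
            warnings.append("'all' does not grant get-keys here; list it explicitly")
        elif r in KNOWN_RIGHTS:
            rights.add(r)
        else:
            warnings.append(f"unknown right {r!r}")
    # Rights separated by spaces instead of commas end up in the pattern field.
    if pattern and any(tok in KNOWN_RIGHTS for tok in pattern.split()):
        warnings.append("rights look space-separated; everything after the "
                        "first right is read as the target pattern")
    return AclEntry(principal, rights, pattern, warnings)


def grants(line: str, right: str) -> bool:
    """True if the ACL line grants `right` to its principal."""
    entry = parse_acl_line(line)
    return entry is not None and right in entry.rights
```

Run it over the three ACL variants from the thread: only the comma-separated line grants get-keys, and the space-separated line is flagged because 'list' and the rest become the target pattern.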