Sorry for replying to myself, but I guess I found the answer: https://github.com/heimdal/heimdal/issues/96 contains the discussion.

When the kadmind.acl looks like this, the kadmin 'privileges' command won't contain the 'get-keys' right, but ext_keytab will work anyway:

[kdc1] /root # cat /var/heimdal/kadmind.acl
<myaccount>/admin@<MYREALM> cpw,list,delete,modify,add,get,get-keys

So, this behaviour change is everything but nice; nevertheless it still works ...

Cheers,
Andreas

On Mon, 2017-06-26 at 11:18 +0200, Andreas Haupt wrote:
> Dear all,
>
> Heimdal 7.3 seems to suffer from a bug in privilege checking. A principal
> having all rights on the database is unable to extract keytabs:
>
> [kdc1] /root # cat /var/heimdal/kadmind.acl
> <myaccount>/admin@<MYREALM> all
>
> [chip-vm8] /root # kadmin -p <myaccount>/admin -a kdc1
> kadmin> ext -k /root/keytab <principal>
> <myaccount>/admin@<MYREALM>'s Password:
> kadmin: ext <principal>: Operation requires `get-keys' privilege
>
> Kadmind logs the error:
>
> Jun 26 11:11:08 kdc1 kadmind: connection from IPv4:<ip>
> Jun 26 11:11:10 kdc1 kadmind: <myaccount>/admin@<MYREALM>: GET principal@<MYREALM>
> Jun 26 11:11:10 kdc1 kadmind: GET: Operation requires `get-keys' privilege
>
> That does not change even when explicitly listing all rights:
>
> [kdc1] /root # cat /var/heimdal/kadmind.acl
> <myaccount>/admin@<MYREALM> cpw list delete modify add get get-keys
>
> It works using 'kadmin -l ext -k /root/keytab <principal>', though. Other
> commands like get, cpw, etc. work correctly.
>
> Is this a known issue? Any idea for a workaround?
>
> Thanks,
> Andreas

--
| Andreas Haupt             | E-Mail:  andreas.ha...@desy.de
| DESY Zeuthen              | WWW:     http://www-zeuthen.desy.de/~ahaupt
| Platanenallee 6           | Phone:   +49/33762/7-7359
| D-15738 Zeuthen           | Fax:     +49/33762/7-7216
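The two ACL spellings in the thread (privileges separated by spaces in the first mail, by commas in the follow-up) behave differently, so a small lint pass over kadmind.acl before restarting kadmind is worthwhile. The following is an added example, not code from the thread or from Heimdal itself. It assumes the kadmind.acl layout of one entry per line as `principal privileges [target-principal-pattern]`, with privileges separated by commas, and it models `all` as not implying `get-keys`, which is the behaviour the thread reports for 7.3; the sample ACL lines and principal names in it are constructed.

```python
#!/usr/bin/env python3
"""Lint a Heimdal-style kadmind.acl: report the effective privilege set per
principal and flag entries whose privilege list was written with spaces,
because anything after the second whitespace-separated field is read as the
optional target-principal pattern rather than as further privileges.

Added example (not Heimdal code). Assumptions are marked below."""

# Privilege names as they appear in the thread's ACL examples.
PRIV_NAMES = {"add", "cpw", "change-password", "delete", "get",
              "get-keys", "list", "modify"}

# Assumption, matching the behaviour reported for Heimdal 7.3 in the thread:
# 'all' grants everything except get-keys, which has to be listed explicitly.
ALL_EXPANDS_TO = {"add", "cpw", "delete", "get", "list", "modify"}


def parse_privs(token):
    """Split a comma-separated privilege field into (privileges, unknown names)."""
    privs, unknown = set(), []
    for name in token.split(","):
        name = name.strip()
        if not name:
            continue
        if name == "all":
            privs |= ALL_EXPANDS_TO
        elif name == "change-password":   # alias for cpw
            privs.add("cpw")
        elif name in PRIV_NAMES:
            privs.add(name)
        else:
            unknown.append(name)
    return privs, unknown


def check_acl(text):
    """Return one dict per ACL entry: principal, privs, pattern, warnings."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Field 1: principal; field 2: privileges; rest (if any): pattern.
        fields = line.split(None, 2)
        entry = {"line": lineno, "principal": fields[0], "privs": set(),
                 "pattern": None, "warnings": []}
        if len(fields) < 2:
            entry["warnings"].append("no privilege field")
            entries.append(entry)
            continue
        entry["privs"], unknown = parse_privs(fields[1])
        if unknown:
            entry["warnings"].append("unknown privilege name(s): "
                                     + ", ".join(unknown))
        if len(fields) > 2:
            entry["pattern"] = fields[2]
            # Privilege names landing in the pattern field almost always mean
            # the list was space-separated instead of comma-separated.
            stray = [t for t in fields[2].split()
                     if t in PRIV_NAMES or t == "all"]
            if stray:
                entry["warnings"].append(
                    "privilege names in the pattern field (use commas, not "
                    "spaces, between privileges): " + " ".join(stray))
        entries.append(entry)
    return entries


def has_priv(entries, principal, priv):
    """True if some entry for `principal` grants `priv`."""
    return any(e["principal"] == principal and priv in e["privs"]
               for e in entries)


# Constructed sample ACL, not taken from the thread.
SAMPLE_ACL = """\
# constructed sample kadmind.acl
admin1/admin@EXAMPLE.ORG all
admin2/admin@EXAMPLE.ORG cpw list delete modify add get get-keys
admin3/admin@EXAMPLE.ORG cpw,list,delete,modify,add,get,get-keys
host/admin@EXAMPLE.ORG get,get-keys host/*@EXAMPLE.ORG
"""

if __name__ == "__main__":
    for e in check_acl(SAMPLE_ACL):
        print(f"line {e['line']}: {e['principal']} -> {sorted(e['privs'])}"
              f"{' pattern=' + e['pattern'] if e['pattern'] else ''}")
        for w in e["warnings"]:
            print(f"  WARNING: {w}")
```

Run against a real file with `check_acl(open("/var/heimdal/kadmind.acl").read())`; the second sample line reproduces the shape of the first mail's ACL and is reported with only `cpw` granted plus a warning, while the comma form and the `all` form show directly whether `get-keys` is present.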