I’m with Love’s comment. Sounds like we did something different for some reason?
Sounds like the current behavior is confusing, and therefore wrong, but I’ll have to make sure I understand it. I don’t think being able to get passwords is a different privilege from getting keys. Getting keytabs is the same as getting keys, and it’s neither a rare nor unusual operation. There is no security value to just making administration more arcane. If you’re worried about making a key extraction visible, then fix the logging, don’t make the admin interface confusing. That invites bugs and therefore INsecurity! Virtually all current security problems are due to bugs. > On Jun 26, 2017, at 3:28 AM, Andreas Haupt <andreas.ha...@desy.de> wrote: > > Sorry for replying to myself but I guess, I found the answer: > > https://github.com/heimdal/heimdal/issues/96 contains the discussion. > > When the kadmind.acl looks like this, the kadmin 'privileges' command won't > contain the 'get-keys' right, but ext_keytab will work anyway: > > [kdc1] /root # cat /var/heimdal/kadmind.acl > <myaccount>/admin@<MYREALM> cpw,list,delete,modify,add,get,get-keys > > > So, this behaviour change is everything but nice, nevertheless it still > works ... > > Cheers, > Andreas > > On Mon, 2017-06-26 at 11:18 +0200, Andreas Haupt wrote: >> Dear all, >> >> Heimdal 7.3 seems to suffer from a bug in privilege checking. A prinicipal >> having all rights on the database is unable to extract keytabs: >> >> [kdc1] /root # cat /var/heimdal/kadmind.acl >> <myaccount>/admin@<MYREALM> all >> >> [chip-vm8] /root # kadmin -p <myaccount>/admin -a kdc1 >> kadmin> ext -k /root/keytab <principal> >> <myaccount>/admin@<MYREALM>'s Password: >> kadmin: ext <principal>: Operation requires `get-keys' privilege >> >> Kadmind logs the error: >> >> Jun 26 11:11:08 kdc1 kadmind[10116]: connection from IPv4:<ip> >> Jun 26 11:11:10 kdc1 kadmind[10564]: <myaccount>/admin@<MYREALM>: GET >> principal@<MYREALM> >> Jun 26 11:11:10 kdc1 kadmind[10564]: GET: Operation requires `get-keys' >> privilege >> >> That does not change even when explicitly listing all rights: >> >> [kdc1] /root # cat /var/heimdal/kadmind.acl >> <myaccount>/admin@<MYREALM> cpw list delete modify add get get-keys >> >> It works using 'kadmin -l ext -k /root/keytab <principal>', though. Other >> commands like get, cpw, etc. work correctly. >> >> Is this a known issue? Any idea for a workaround? >> >> Thanks, >> Andreas > -- > | Andreas Haupt | E-Mail: andreas.ha...@desy.de > | DESY Zeuthen | WWW: http://www-zeuthen.desy.de/~ahaupt > | Platanenallee 6 | Phone: +49/33762/7-7359 > | D-15738 Zeuthen | Fax: +49/33762/7-7216 > > Personal email. hbh...@oxy.edu