On Mon, Jun 26, 2017 at 11:18:28AM +0200, Andreas Haupt wrote:
> Heimdal 7.3 seems to suffer from a bug in privilege checking. A prinicipal
> having all rights on the database is unable to extract keytabs:
This is on purpose.
We decided that it was never a good idea for "all" to have meant
"extract keys", because in general that's not desirable.
Instead you should either use ext_keytab -r, or add the get-keys
privilege to whoever needs it.
> That does not change even when explicitly listing all rights:
> [kdc1] /root # cat /var/heimdal/kadmind.acl
> <myaccount>/admin@<MYREALM> cpw list delete modify add get get-keys
That would be a bug. I'll see if I can reproduce it.