On Mon, Jun 26, 2017 at 11:18:28AM +0200, Andreas Haupt wrote:
> Heimdal 7.3 seems to suffer from a bug in privilege checking. A principal
> having all rights on the database is unable to extract keytabs:

This is on purpose. We decided that it was never a good idea for "all" to have meant "extract keys", because in general that's not desirable. Instead you should either use ext_keytab -r, or add the get-keys privilege to whoever needs it.

> That does not change even when explicitly listing all rights:
>
> [kdc1] /root # cat /var/heimdal/kadmind.acl
> <myaccount>/admin@<MYREALM> cpw list delete modify add get get-keys

That would be a bug. I'll see if I can reproduce it.

Nico
--
