On Sun, 31 Mar 2019 00:55:56 -0700 "A. Lewenberg" <deb...@lewenberg.com> wrote:
There is an issue addressing this at the GitHub project: https://github.com/heimdal/heimdal/issues/532

I believe this issue can be closed.

The issue where kadmin extracts an "empty" keytab if the principal running the extract command does not have the get-keys privilege has been fixed in the Heimdal 7.7.0 release.

Here is an example of what I see when I attempt to extract a keytab but do not have the get-keys privilege:

kdc-dev2:/root# kadmin -p johndoe
kadmin> ext_keytab -k /tmp/a.keytab service/zimbra
john...@example.com's Password:
kadmin: ext service/zimbra: Operation requires `get-keys' privilege
kadmin>

Here is the same command from the command line:

kdc-dev2:/root# kadmin -p whm -- ext_keytab -k /tmp/a.keytab service/zimbra
w...@example.com's Password:
kadmin: ext service/zimbra: Operation requires `get-keys' privilege
kdc-dev2:/root# echo $?
1

Now here is the same command but using a principal _with_ the get-keys privilege:

kdc-dev2:/root# kadmin -p janeroe-- ext_keytab -k /tmp/a.keytab service/zimbra
jane...@example.com's Password:
kdc-dev2:/root# ktutil -k /tmp/a.keytab  list
/tmp/a.keytab:

Vno  Type                     Principal                    Aliases
 10  aes256-cts-hmac-sha1-96  service/zim...@example.com
 10  aes128-cts-hmac-sha1-96  service/zim...@example.com
 10  des3-cbc-sha1            service/zim...@example.com
 10  arcfour-hmac-md5         service/zim...@example.com





On Sat, 09 Nov 2013 15:50:56 +0100 Per Olofsson <pe...@dsv.su.se> wrote:
> Hi,
>
> When we upgraded our KDC to Debian wheezy, newly extracted keytabs did
> not work anymore. After some digging around, I found the error: I did
> not have the "get-keys" right so kadmind did not return any keys when I
> extracted keytabs. However:
>
> * kadmin did not return an error message, it simply extracted an
>   unusable keytab with principals but no keys.
>
> * I had the "all" right in kadmind.acl, but apparently it does not
>   include the "get-keys" right.
>
> * The manual page for kadmind says nothing about it.
>
> I think the "all" right in kadmind.acl should include the get-keys
> right. Otherwise, there should be an error message in kadmin and it
> should be documented that "all" does not include get-keys.
>
> This was also reported as a Debian bug:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=717660
>
> Thanks in advance!
>
> --
> Pelle


