Laura Smith <[email protected]> writes:

> I am trying to create a suitably restricted user for use with
> configuration automation (SaltStack).  My line looks like the following:

> saltstack/[email protected] ADMCIL nfs/*@EXAMPLE.COM

> I have edited kadm5.acl and restarted kadmind, however list_princs
> returns a list of all principals, not just nfs/* ?

> If I remove the target column (i.e. saltstack/[email protected] ADMCIL) 
> and restart kadmind, then ADMCIL operates as expected (blocks
> list_princs entirely).

I don't believe the "l" permission supports the target field.  I think
it's all or nothing: either you can list all principals or you can't.  The
man page for kadm5.acl seems to support that:

  l  [Dis]allows the listing of all principals or policies

-- 
Russ Allbery ([email protected])             <https://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos