 |
» |
|
|
|
The /opt/krb5/admin_acl_file file located only on the primary security server,
lists authorized principals with their respective administrative
permissions. It also lists principals that you cannot modify without
explicit privileges. | | | |  | NOTE: Protect admin_acl_file with appropriate read-write privileges with access only
to the root user | | | | |
The kadmind command checks the permissions of the principal
in admin_acl_file. You can edit admin_acl_file directly on the primary security server, or remotely
using the Administrative Permissions window of the HP Kerberos Administrator. The general format of admin_acl_file is as follows: identifier/instance@REALM [perms_list] [# comments] |
where: - identifier
Specifies the name of the principal. - instance
Specifies the administrative instance associated
with the principal. HP recommends that you add an admin instance to each administrative principal name. If the prinicpal resides in the default realm of the primary
security server, @REALM is optional. Otherwise, you must explicitly specify
the realm of the principal. - [perms_list]
Specifies the permissions. You can add one or more permissions
listed in Table 8-2 “Administrative Permission Settings”, without any
space between the letters. - [# comment]
Specifies any optional remarks about the principal. Characters
after the # (hash) symbol are ignored.
Each line in admin_acl_file matches an administrative principal with a set
of permissions. You can also use
wildcards to enter groups of principal names. Assigning
Administrative Permissions | |
Administrative principals may have varying levels of trust
assigned to them, depending on the policies of your organization. Table 8-2 “Administrative Permission Settings” lists the possible
administrative permission settings and the letter designator used
in admin_acl_file to indicate the permissions assigned to the principal
account. Table 8-2 Administrative Permission Settings Administrator Field Name | ACL File Character |
|---|
Add principals. | a or A | | Change principal passwords. | c or C | | Delete principals. | d or D | Edit admin_acl_file. | | | | | NOTE: You cannot restrict this setting
by using the r or R permission. | | | | |
| e or E | | Edit group defaults. | g or G | | Inquire about principals. You can assign this
attribute to all administrative principals to allow use of the administrative
tools. | i or I | List principal. This is redundant with i or I. | | | | | NOTE: This permission is not displayed
in the HP Kerberos Administrator. | | | | |
| l or L | | Modify principals. | m or M | | Extract keys. | x or X | | Restricted administrator. Use the r, R, and Rr modifiers in combination with a, A, c, C, d, D, i, I, m, M, or x. The X modifier allows you to permit administrative principals
to use those options only against certain principals. | r or R |
Permissions designated with a lowercase letter apply only
to those realms to which the administrative principal belongs. Permissions designated
with an uppercase letter apply to all realms. [permissions] is an optional string containing one or more
options listed in Table 8-2 “Administrative Permission Settings”. The restricted administrator setting is a modifier that you
must use in conjunction with permissions. You must consider the
following guidelines before using the r, R and Rr modifiers: The order
of the permission letters is irrelevant. The e, E, g and G switches are not affected by the r and R permissions. The * (asterisk) symbol overrides the r and R switches
For more information, see “Using
Restricted Administrator”. The principal can also include the asterisk (*) wildcard because admin_acl_file supports the following identifier/instance wildcards: This format makes it easier to add groups of principal names
to the file. Therefore, if you want any principal with the instance admin to have permissions to administer the database,
you can use the principal */admin@REALM, where REALM is your realm of the primary security server. For example, to grant all principals with the admin instance that need to have all the permissions
assigned to them, add the following entry to admin_acl_file: */admin@FINANCE.BAMBI.COM * |
where: - *
Denotes all prinicpals - admin
Specifies instance - FINANCE.BAMBI.COM
Denotes the realm name - *
Denotes permissions
To grant the principal rabbit@FINANCE.BAMBI.COM the permission to add, list, and inquire about any principal
in the database, add the following entry to admin_acl_file: rabbit@FINANCE.BAMBI.COM ali |
Adding
Entries to admin_acl_file | |
You can add any principal name to admin_acl_file with or without administrative permissions. To add a principal with assigned permissions, select the Principal Information window>Attribute
tab in the HP Kerberos Administrator. For more information,
see “Administrative
Permissions”. Consider the following guidelines before deciding on the principal
names that you want to add to admin_acl_file: A primary
security server must contain only one admin_acl_file. This file contains all the realms supported by
the primary security server. Any principal name that you
add to admin_acl_file must have adequate protection because only trusted
administrative principals must be able to alter the principal account
using the remote administration tool. Principals in admin_acl_file that have assigned permissions can log on to the
administrative tools and become administrative principals.
The r, R, or Rr modifiers, when used with the a or A permission, restrict the principal names that you can
add to the database. For instance, principals assigned the IARiar permissions cannot add new principals that use the identifier/instance@REALM, which is already included in admin_acl_file. To take advantage of this restriction, consider
the names you may want to add to admin_acl_file. Creating
Administrative Accounts | |
You can set administrative permissions in admin_acl_file using one of the following methods: Using the HP
Kerberos Administrator to set administrative permissions. When you
change the administrative permissions of the principal, admin_acl_file is automatically updated. Editing admin_acl_file directly. To edit this file, you need to have the required
system file administration rights.
Using
Restricted Administrator | |
The r, R, and Rr modifiers are used with the a, A, c, C, d, D, i, I, m, M, x, or X permissions to permit administrative principals
to use those options only against certain principals. How
the r/R Modifiers WorkConsider the following factors while using the r, R, and Rr modifiers: The Rr modifiers restrict permissions for all principals
in admin_acl_file for all realms supported by the primary security server.
For example, administrative principals with IMRimr permission assigned cannot modify principals included
in admin_acl_file in any realm, including their own. They can only modify
principals that are not included in admin_acl_file. The e, E, g, and G permissions are not affected by the r, R, and Rr modifiers. Administrative principals
assigned with the icr or ICRicr permission are still able to change their own
passwords using the administrative tools. Permissions other than c and C are restricted for the restricted administrative
principals. For instance, principals assigned with the imr permission are not able to modify their own principal
accounts. An administrative principal with r or R in combination with e or E can use the Kerberos administrative utilities
to remove the r modifier from their admin_acl_file entry, for example: ier, IER, IERr, or IEr. Do not assign these permission combinations. Administrative principals
assigned with the ic, icr, IC, or ICR permission are able to change principal attributes
and extract service keys in addition to changing principal passwords.
According to the r and R modifier rules, restricted administrators can
only make the principal accounts, which are not included in
admin_acl_file, perform these actions.
|
Printable version
