Laura Smith <n5d9xq3ti233xiyif...@protonmail.ch> writes:

> I am trying to create a suitably restricted user for use with
> configuration automation (SaltStack). My line looks like the following:

> saltstack/ad...@example.com ADMCIL nfs/*@EXAMPLE.COM

> I have edited kadm5.acl and restarted kadmind, however list_princs
> returns a list of all principals, not just nfs/* ?

> If I remove the target column (i.e. saltstack/ad...@example.com ADMCIL)
> and restart kadmind, then ADMCIL operates as expected (blocks
> list_princs entirely).

I don't believe the "l" permission supports the target field. I think
it's all or nothing: either you can list all principals or you can't.
The man page for kadm5.acl seems to support that:

    l    [Dis]allows the listing of all principals or policies

-- 
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
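
A small lint for this pitfall, added here as an example (not code from the thread or from MIT Kerberos): it parses kadm5.acl text and reports entries that combine a list permission (`l`, `L`, or the all-privileges shorthands `x` and `*`) with a target principal, on the assumption stated in the reply that the target field does not scope listing. The function names, principals and sample ACL are constructed.

```python
# Added example: flag kadm5.acl entries where a list permission sits next to
# a target principal. Assumption (from the reply and the quoted man page
# line): "l" is all-or-nothing, so the target does not narrow list_princs.

LIST_LETTERS = set("lL")   # "l" allows listing, "L" disallows it
ALL_PRIVS = set("x*")      # shorthands that include the list privilege


def parse_acl(text):
    """Yield (lineno, principal, perms, target) for each ACL entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split(None, 3)  # principal perms [target [restrictions]]
        if len(fields) < 2:
            continue  # malformed entry, nothing to evaluate
        target = fields[2] if len(fields) > 2 else None
        yield lineno, fields[0], fields[1], target


def scoped_list_findings(text):
    """Return entries whose list permission appears to be target-scoped."""
    findings = []
    for lineno, principal, perms, target in parse_acl(text):
        if target in (None, "*"):
            continue  # no target restriction, so nothing misleading
        letters = set(perms)
        if letters & LIST_LETTERS or letters & ALL_PRIVS:
            findings.append((lineno, principal, perms, target))
    return findings


# Constructed sample ACL with a placeholder realm.
SAMPLE = """\
# constructed sample
automation/admin@EXAMPLE.COM  admcil  nfs/*@EXAMPLE.COM
automation/admin@EXAMPLE.COM  admci   nfs/*@EXAMPLE.COM
*/admin@EXAMPLE.COM           *
helpdesk/admin@EXAMPLE.COM    x       host/*@EXAMPLE.COM
"""

if __name__ == "__main__":
    for lineno, principal, perms, target in scoped_list_findings(SAMPLE):
        print(f"line {lineno}: {principal} has list permission in {perms!r} "
              f"with target {target}; listing is not limited to that target")
```

For an automation account that should only touch nfs/* principals, leaving the list letter out of the targeted entry avoids relying on the target to limit what list_princs returns.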