k : kerberos@mit.edu 3 May 2012 • 4:09PM -0400

RE: Streamlining host principal keytab provisioning?
by Sebastian Galiano

First I would like to add a user to the ADMIN ACL; for that purpose I modified remctl.conf and substituted each line containing ANYUSER with the path to an ACL file.

I would like to add only one user to the ACL. I tried writing username@realm directly in the file, without success. Could you tell me the format in which I should write the ACL file?
________________________________________
From: Russ Allbery [rra@stan...]
Sent: 02 May 2012 18:15
To: Sebastian Galiano
Cc: Jeff Blaine; kerberos@mit....
Subject: Re: Streamlining host principal keytab provisioning?

Sebastian Galiano <Sebastian.Galiano@spil...> writes:

> Ok, as you pointed out, I didn't have a principal for the wallet server (it is
> also the KDC server). Adding the principal solved that problem. Now to
> the same command:

> $wallet -f keytab  get keytab nfs/hostname.REALMNAME
> wallet: username@REALMNAME not authorized to create keytab:nfs/host.REALMNAME

That's an error from the wallet server, not from remctld or from Kerberos.
wallet doesn't pay any attention to the kadmin ACLs; it maintains its own
database of objects and ACLs for who can download them.  So you have to
either set up autocreation (see the Wallet::Config man page or perldoc
under "DEFAULT OWNERS"), or you need to pre-create the object as a user
listed in the ADMIN ACL.  For example:

    wallet create keytab nfs/<fqdn>
    wallet acl create user/<username> krb5 <username>@<realm>
    wallet owner keytab nfs/<fqdn> user/<username>

wallet show keytab nfs/<fqdn> will show you the existing wallet record for
that particular object.

--
Russ Allbery (rra@stan...)             <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list           Kerberos@mit....
https://mailman.mit.edu/mailman/listinfo/kerberos
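The pre-creation sequence Russ describes (create the keytab object, create a user ACL, set the owner), as an added shell example that is not code from this thread or from the wallet project: it wraps the steps in an idempotent helper so re-running it on an already provisioned host only re-asserts the owner. It assumes the wallet client is on PATH (or named in WALLET), that the caller holds a ticket for a principal on the wallet ADMIN ACL, that `wallet show` and `wallet acl show` exit non-zero for a missing object or ACL, and that the ACL entry is added with `acl add` after `acl create`; the function name and object naming are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or the wallet project.
# Assumes: wallet client on PATH (override with WALLET=/path/to/wallet),
# an existing ticket for a principal listed in the wallet ADMIN ACL, and
# that 'wallet show' / 'wallet acl show' fail (non-zero) when the object
# or ACL does not exist yet.
WALLET="${WALLET:-wallet}"

# provision_nfs_keytab <fqdn> <username> <realm>
# Ensures keytab nfs/<fqdn> exists, ensures ACL user/<username> exists
# with a krb5 entry for <username>@<realm>, then makes that ACL the owner
# so the user may later run 'wallet get keytab nfs/<fqdn>' themselves.
# Returns non-zero on the first wallet command that fails.
provision_nfs_keytab() {
    fqdn=$1; user=$2; realm=$3
    obj="nfs/$fqdn"
    acl="user/$user"

    # Object: create only if the server does not already know it.
    if ! "$WALLET" show keytab "$obj" >/dev/null 2>&1; then
        "$WALLET" create keytab "$obj" || return 1
    fi

    # ACL: create it empty, then add the user's Kerberos principal.
    if ! "$WALLET" acl show "$acl" >/dev/null 2>&1; then
        "$WALLET" acl create "$acl" || return 1
        "$WALLET" acl add "$acl" krb5 "$user@$realm" || return 1
    fi

    # Owner: safe to repeat, so always (re)assert it.
    "$WALLET" owner keytab "$obj" "$acl" || return 1
}
```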
