Administering the Kerberos Server
The admin_acl_file File
Permissions designated with a lowercase letter apply only to the realm to which the administrative principal belongs. Permissions designated with an uppercase letter apply to all realms. [permissions] is an optional string containing one or more of the options listed in Table
The restricted administrator setting is a modifier that you must use in conjunction with permissions. Consider the following guidelines before using the r, R, and Rr modifiers:
•The order of the permission letters is irrelevant.
•The e, E, g, and G switches are not affected by the r and R modifiers.
•The * (asterisk) symbol overrides the r and R modifiers.
For more information, see “Using Restricted Administrator” on page 117.
The principal can also include the asterisk (*) wildcard, because admin_acl_file supports the following identifier/instance wildcards:
•*/instance
•identifier/*
This format makes it easier to add groups of principal names to the file. For example, if you want any principal with the instance admin to be able to administer the database, use the principal */admin@REALM, where REALM is the realm of your primary security server.
To grant all permissions to every principal with the admin instance, add the following entry to admin_acl_file:
*/admin@FINANCE.BAMBI.COM *
where:
*                  Denotes all principals
admin              Specifies the instance
FINANCE.BAMBI.COM  Denotes the realm name
*                  Denotes the permissions
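The following Python script is an added example, not part of this manual and not HP's own tooling. It parses admin_acl_file entries of the form shown above and answers the two questions a practitioner usually has when reviewing such a file: does a given administrative principal hold a given permission in a given realm, and is that permission subject to the restricted (r/R) modifier? It implements only the rules stated on this page: the */instance and identifier/* wildcards, lowercase letters applying only to the administrator's own realm, uppercase letters applying to all realms, * granting everything, e/E/g/G being unaffected by r/R, and * overriding r/R. Everything else is an assumption and is marked as such in the code: the sample ACL text, the permission letters a and m used as placeholders, treating r as "restricted in own realm" and R as "restricted in all realms" by the same lowercase/uppercase rule, # as a comment character, and the union of all matching entries when more than one matches.

```python
"""Evaluate HP-style admin_acl_file entries (added example, not from the manual).

Entry format modelled here:  <identifier>/<instance>@<REALM> <permissions>
Rules implemented are exactly those stated on the manual page; see comments
for the points that are assumptions rather than documented behaviour.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    identifier: str
    instance: str   # empty string when the principal has no instance
    realm: str


def parse_principal(text: str) -> Principal:
    """Split 'identifier/instance@REALM' into its three components."""
    name, sep, realm = text.partition("@")
    if not sep or not realm:
        raise ValueError(f"principal lacks a realm: {text!r}")
    identifier, _, instance = name.partition("/")
    return Principal(identifier, instance, realm)


def parse_acl(text: str) -> list[tuple[Principal, str]]:
    """Parse the file body into (pattern principal, permission string) pairs.

    Assumption: blank lines and '#' comments are ignored.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"malformed entry: {raw!r}")
        entries.append((parse_principal(parts[0]), parts[1]))
    return entries


def matches(pattern: Principal, principal: Principal) -> bool:
    """Wildcard match: '*' may stand for the whole identifier or the whole instance.

    The realm component carries no wildcard on this page, so it must match exactly.
    """
    return (pattern.realm == principal.realm
            and pattern.identifier in ("*", principal.identifier)
            and pattern.instance in ("*", principal.instance))


def _grants(perms: str, admin: Principal, letter: str, target_realm: str) -> bool:
    """Does one permission string grant lowercase `letter` in target_realm?"""
    if "*" in perms:
        return True                                  # * denotes all permissions
    if letter.upper() in perms:
        return True                                  # uppercase: all realms
    return letter in perms and target_realm == admin.realm   # lowercase: own realm only


def has_permission(acl, admin: Principal, letter: str, target_realm: str) -> bool:
    """True if any matching entry grants `letter` (given in lowercase) in target_realm.

    Assumption: grants from several matching entries are unioned.
    """
    letter = letter.lower()
    return any(matches(p, admin) and _grants(perms, admin, letter, target_realm)
               for p, perms in acl)


def is_restricted(acl, admin: Principal, letter: str, target_realm: str) -> bool:
    """True if a granted permission is subject to the restricted-administrator modifier.

    Documented rules: e/E/g/G are never affected by r/R, and '*' overrides r/R.
    Assumption: r restricts only in the administrator's own realm and R in all
    realms, following the same lowercase/uppercase convention as other letters.
    """
    letter = letter.lower()
    if letter in "eg":
        return False
    for pattern, perms in acl:
        if not matches(pattern, admin) or not _grants(perms, admin, letter, target_realm):
            continue
        if "*" in perms:
            return False
        if "R" in perms or ("r" in perms and target_realm == admin.realm):
            return True
    return False


# Constructed sample file; realm names follow the manual's example, the letters
# a and m are placeholders standing in for real permission options.
SAMPLE_ACL = """\
# all principals with the admin instance in FINANCE get every permission
*/admin@FINANCE.BAMBI.COM *
alice/*@FINANCE.BAMBI.COM amR
bob/admin@SALES.BAMBI.COM eGr
"""
ACL = parse_acl(SAMPLE_ACL)
```

Usage: `has_permission(ACL, parse_principal("alice/ops@FINANCE.BAMBI.COM"), "a", "SALES.BAMBI.COM")` returns False because the lowercase a in alice's entry is confined to FINANCE.BAMBI.COM, while the same check for "m" against FINANCE.BAMBI.COM returns True. The wildcard entry gives root/admin@FINANCE.BAMBI.COM every permission in every realm, unrestricted, because * overrides the modifiers.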
Chapter 8 115