Administration

admin_acl_file

This file lists authorized principals with their respective administrative permissions. It also lists principals that cannot be modified without explicit privileges. This file is located only on the primary security server, at the following location:

/opt/krb5

It must be protected with appropriate read-write privileges and must be accessible only by the root user.

kadmind checks the principal's permissions in the admin_acl_file. The admin_acl_file can be edited directly on the primary server, or remotely using the Administrative Permissions window of the Administrator.

The general format of the file is:

identifier/instance@REALM [perms_list]

[# comments]

where,

identifier    The principal's name.

instance      The administrative instance associated with the principal. It is recommended that you add an admin instance to each administrative principal name.

@REALM        If the principal resides in the primary security server's default realm, the @REALM is optional; otherwise you must explicitly specify the principal's realm.

[perms_list]  One or more of the permission letters listed in the table below, with no spaces between them.

[# comment]   Any optional remarks about the principal. Characters after the pound symbol are ignored.

Each line in the admin_acl_file matches an administrative principal with a set of permissions. Wildcards can also be used to enter groups of principal names.
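As an added illustration (not part of this manual or of kadmind itself), the following Python script parses lines in the format described above and reports which permission letters a given principal would receive, which is useful when auditing the file. It assumes shell-style wildcard matching (the page does not define wildcard semantics), a constructed default realm EXAMPLE.COM, and placeholder permission letters, since the permission table is not reproduced here.

```python
import fnmatch
from dataclasses import dataclass

DEFAULT_REALM = "EXAMPLE.COM"  # constructed: the primary security server's default realm

@dataclass
class AclEntry:
    principal: str   # identifier/instance@REALM, realm filled in from the default
    perms: str       # permission letters, no spaces between them

def parse_acl_line(line, default_realm=DEFAULT_REALM):
    """Parse one admin_acl_file line; return None for blank or comment-only lines."""
    # Characters after the pound symbol are ignored.
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    if len(fields) != 2:
        raise ValueError(f"malformed ACL line: {line!r}")
    principal, perms = fields
    if "@" not in principal:
        # @REALM is optional for principals in the default realm.
        principal = f"{principal}@{default_realm}"
    if not perms.isalpha():
        raise ValueError(f"permissions must be letters only: {perms!r}")
    return AclEntry(principal, perms)

def load_acl(text, default_realm=DEFAULT_REALM):
    """Parse a whole file; a malformed line raises so an audit fails loudly."""
    entries = [parse_acl_line(l, default_realm) for l in text.splitlines()]
    return [e for e in entries if e is not None]

def permissions_for(entries, principal, default_realm=DEFAULT_REALM):
    """Union of permission letters from every entry matching the principal.
    Assumption (not stated on the page): wildcards are shell-style (fnmatch)."""
    if "@" not in principal:
        principal = f"{principal}@{default_realm}"
    granted = set()
    for e in entries:
        if fnmatch.fnmatchcase(principal, e.principal):
            granted.update(e.perms)
    return "".join(sorted(granted))

SAMPLE_ACL = """\
# constructed sample admin_acl_file; permission letters are placeholders
alice/admin@EXAMPLE.COM  ab      # explicit realm
bob/admin                c       # realm omitted, so EXAMPLE.COM is assumed
*/admin@PARTNER.ORG      d       # wildcard: every admin instance in another realm
"""
```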

Chapter 6