Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

Andreas Haupt andreas.haupt at desy.de
Mon Jun 26 11:18:28 CEST 2017

Dear all,

Heimdal 7.3 seems to suffer from a bug in privilege checking. A principal
having all rights on the database is unable to extract keytabs:

[kdc1] /root # cat /var/heimdal/kadmind.acl 
<myaccount>/admin@<MYREALM> all

[chip-vm8] /root # kadmin -p <myaccount>/admin -a kdc1
kadmin> ext -k /root/keytab <principal>
<myaccount>/admin@<MYREALM>'s Password: 
kadmin: ext <principal>: Operation requires `get-keys' privilege

Kadmind logs the error:

Jun 26 11:11:08 kdc1 kadmind[10116]: connection from IPv4:<ip>
Jun 26 11:11:10 kdc1 kadmind[10564]: <myaccount>/admin@<MYREALM>: GET principal@<MYREALM>
Jun 26 11:11:10 kdc1 kadmind[10564]: GET: Operation requires `get-keys' privilege

That does not change even when explicitly listing all rights:

[kdc1] /root # cat /var/heimdal/kadmind.acl 
<myaccount>/admin@<MYREALM> cpw list delete modify add get get-keys

It works using 'kadmin -l ext -k /root/keytab <principal>', though. Other
commands like get, cpw, etc. work correctly.

Is this a known issue? Any idea for a workaround?

| Andreas Haupt            | E-Mail: andreas.haupt at desy.de
|  DESY Zeuthen            | WWW:    http://www-zeuthen.desy.de/~ahaupt
|  Platanenallee 6         | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen         | Fax:    +49/33762/7-7216
