Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

Nico Williams nico at cryptonector.com
Wed Jun 28 01:23:26 CEST 2017

On Mon, Jun 26, 2017 at 11:18:28AM +0200, Andreas Haupt wrote:
> Heimdal 7.3 seems to suffer from a bug in privilege checking. A principal
> having all rights on the database is unable to extract keytabs:

This is on purpose.

We decided that it was never a good idea for "all" to have meant
"extract keys", because in general that's not desirable.

Instead you should either use ext_keytab -r, or add the get-keys
privilege to whoever needs it.

> That does not change even when explicitly listing all rights:
> [kdc1] /root # cat /var/heimdal/kadmind.acl 
> <myaccount>/admin@<MYREALM> cpw list delete modify add get get-keys

That would be a bug.  I'll see if I can reproduce it.

