Heimdal 7.3: ext_keytab fails with "Operation requires `get-keys' privilege"

Lars-Johan Liman liman at netnod.se
Wed Jun 28 07:28:59 CEST 2017

All (pun intended!),

On Mon, Jun 26, 2017 at 11:18:28AM +0200, Andreas Haupt wrote:
>> Heimdal 7.3 seems to suffer from a bug in privilege checking. A principal
>> having all rights on the database is unable to extract keytabs:

nico at cryptonector.com:
> This is on purpose.

> We decided that it was never a good idea for "all" to have meant
> "extract keys", because in general that's not desirable.

I very seldom raise my voice on this mailing list, but here I must, on
sheer principal grounds.

Chosen names must have obvious meanings. To have a status called "all"
which isn't *ALL* is confusing at best. It will confuse the h-ll out of
sysadmins over the globe for years to come, wasting time and money for
no good purpose at all. I would have spent hours upon hours not
understanding what the problem was, had I run into this trap.

The "keep it simple" principle and the principle of least surprise are
two fundamental principles for successful system management.

Please fix this, either by changing the name "all" to "most" (or
preferably to something better), or by changing the behaviour to be
*ALL*. Either is fine, but having "all" not mean *ALL* is not a good way

				Best regards,
				  /Lars-Johan Liman
