kadmin cannot list principals "requires list privileges"

Question

I can authenticate fine via kadmin however cannot list principals?

[root@server ~]# kadmin -p admin
Authenticating as principal admin with password.
Password for admin@org.domain.com: 
kadmin:  listprincs 
get_principals: Operation requires ``list'' privilege while retrieving list.
kadmin:

any idea how I can fix this?

score 3 · Answer 1 · edited Jun 24 '15 at 14:46

3

If you want to operate on principals in FreeIPA, use 'ipa' command.

All users have Kerberos keys by default, so

ipa user-find

would give you all users (use ipa user-find --help to see limiting criteria)
All hosts are Kerberos principals by default, so

ipa host-find

would give you all host/fqdn@REALM principals.
All services are Kerberos principals and they are owned by hosts, so

ipa service-find

would give you list of all services and if their entries have Keytab: true it means they are Kerberos principals with defined keytab.

Use ipa service-mod if you need to change parameters of the service. Use ipa-getkeytab to retrieve a keytab for any of the principals.

Operations through kadmin/kadmin.local are not supported in FreeIPA.

edited Jun 24 '15 at 14:46

slm

7,355
16
54
72

answered Mar 02 '15 at 06:28

abbra

1,025
5
8

Very concise, thanks. Is this in the IPA docs? – Brian Topping Jul 07 '15 at 04:43
Sort of, not so concise. You can file a documentation bug if you like to see it in the docs. – abbra Jul 07 '15 at 05:40

score 2 · Answer 2 · answered Feb 18 '15 at 00:35

2

Unless your kdc.conf has an acl_file entry pointing to a different location, you should create/edit /var/lib/krb5kdc/kadm5.acl, kadm5.acl(5). However, this is for plain MIT-krb5. FreeIPA probably has its own methods for this.

answered Feb 18 '15 at 00:35

84104

12,698
6
43
75

kadmin cannot list principals "requires list privileges"

2 Answers2