Is "/var/kerberos/krb5kdc/kadm5.acl" the only way to specify administrators in kerberos?

Question

The documentation for RHEL explains how to make users administrators through the /var/kerberos/krb5kdc/kadm5.acl file, but does not specify if this is the only way to do this. Are there any other ways to specify principals with administrative permissions in kerberos?

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/configuring_a_kerberos_5_server#Setting_Up_Secondary_KDCs

score 1 · Answer 1 · answered Oct 11 '18 at 13:22

The acl_file (kadm5.acl by default) is not the only way to specify kerberos administrators. It also can be achieved via kadm5_auth interface:

The ACL file can coexist with other authorization modules in release 1.16 and later, as configured in the kadm5_auth interface section of krb5.conf. The ACL file will positively authorize operations according to the rules above, but will never authoritatively deny an operation, so other modules can authorize operations in addition to those authorized by the ACL file.

Source: MIT Kerberos Documentation

Is "/var/kerberos/krb5kdc/kadm5.acl" the only way to specify administrators in kerberos?

1 Answers1