I have OpenLDAP, named and a DHCP server configured with Kerberos, but it seems I can't set the ACL in /etc/krb5/kadm5.acl correctly. Use case:
$ vi /etc/krb5/kadm5.acl
u00/admin@DEV0 acdilm *@DEV0
$ kadmin -p u00/admin@DEV0
listprincs *DEV0
There is an error that the operation requires the list privilege, which I provided in the above ACL.
If I change to this, listprincs works:
$ vi /etc/krb5/kadm5.acl
u00/admin@DEV0 acdilm *
Either I'm writing this config file wrong or there is a problem with globbing in the ACL file. Does anyone have this working?
I'm not sure how to maintain security without ACLs, because I need to use kadmin to create a service principal and don't want to expose the entire REALM to administrative operations, unless, as a workaround, I use ktutil to merge keytabs. FYI, I've been able to get ProFTPD and SSH Kerberized, which is working for testing.
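As an added illustration (this is not kadmind's code and not part of the original post), the following script models how a kadm5.acl file of the form `principal permissions [target_principal]` is evaluated, so the two ACL lines above can be compared against a least-privilege alternative offline. The model's assumptions are labelled in the source: a wildcard matches within a single principal component, so `*@DEV0` matches `u99@DEV0` but not the two-component `ftp/srv.dev0@DEV0`; a bare `*` target means "no target restriction"; entries are tried in file order and the first whose client and target patterns match decides; and an operation that names no target principal (listprincs) only matches entries without a target restriction, which reproduces the behaviour the post describes. The realm `DEV0`, the `u00/admin` principal and the sample ACL are constructed for the example.

```python
"""Model of kadm5.acl evaluation. Added example, not kadmind's own code.

Assumptions (not taken from the post or from MIT source):
  * '*' and '?' glob within one component; a pattern must have the same
    number of components as the name it is matched against.
  * A target field of exactly '*' means "no target restriction".
  * Entries are checked in file order; the first match decides.
  * Operations with no target principal (listprincs) only match entries
    that carry no target restriction.
"""
from fnmatch import fnmatchcase

ALL_PERMS = frozenset("adcmilsp")  # 'x' or '*' in the permission field expands to these

# Constructed kadm5.acl: u00/admin may manage host/ and ftp/ service principals
# and list the realm, every */admin may inquire, nobody else gets anything.
SAMPLE_ACL = """\
# admin            perms   target
u00/admin@DEV0     acdilm  host/*@DEV0
u00/admin@DEV0     acdilm  ftp/*@DEV0
u00/admin@DEV0     l       *
*/admin@DEV0       i       *
"""


def split_principal(name):
    """'ftp/srv.dev0@DEV0' -> (['ftp', 'srv.dev0'], 'DEV0'); no '@' -> realm None."""
    if "@" in name:
        base, realm = name.rsplit("@", 1)
    else:
        base, realm = name, None
    return base.split("/"), realm


def match_principal(pattern, principal, default_realm):
    """Glob each component on its own: '*' never spans a '/' or the '@'."""
    pcomps, prealm = split_principal(pattern)
    ncomps, nrealm = split_principal(principal)
    prealm = default_realm if prealm is None else prealm  # assumption: bare names get the default realm
    nrealm = default_realm if nrealm is None else nrealm
    if len(pcomps) != len(ncomps) or not fnmatchcase(nrealm, prealm):
        return False
    return all(fnmatchcase(c, p) for p, c in zip(pcomps, ncomps))


def parse_acl(text):
    """Return [(client_pattern, allowed_perms, target_pattern_or_None), ...]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed ACL line: %r" % raw)
        client, perms = fields[0], fields[1]
        target = fields[2] if len(fields) > 2 else None
        if target == "*":  # bare '*' = no target restriction
            target = None
        allow, deny = set(), set()
        for ch in perms:
            if ch in ("x", "*"):
                allow |= ALL_PERMS
            elif ch.islower():
                allow.add(ch)
            else:  # upper case denies the corresponding privilege
                deny.add(ch.lower())
        entries.append((client, frozenset(allow - deny), target))
    return entries


def check(entries, client, perm, target=None, default_realm="DEV0"):
    """True if the first matching entry grants `perm`; no match -> denied."""
    for pat_client, allow, pat_target in entries:
        if not match_principal(pat_client, client, default_realm):
            continue
        if pat_target is not None:
            if target is None or not match_principal(pat_target, target, default_realm):
                continue
        return perm in allow
    return False


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print("addprinc ftp/srv.dev0@DEV0 :", check(acl, "u00/admin@DEV0", "a", "ftp/srv.dev0@DEV0"))
    print("addprinc u99@DEV0          :", check(acl, "u00/admin@DEV0", "a", "u99@DEV0"))
    print("listprincs                 :", check(acl, "u00/admin@DEV0", "l"))
    posted = parse_acl("u00/admin@DEV0 acdilm *@DEV0")
    print("posted ACL, listprincs     :", check(posted, "u00/admin@DEV0", "l"))
    print("posted ACL, addprinc ftp/x :", check(posted, "u00/admin@DEV0", "a", "ftp/x@DEV0"))
```

Under these assumptions the posted `*@DEV0` line neither allows listprincs nor matches any two-component service principal such as `ftp/x@DEV0`, while the sample ACL grants add/delete/modify only on `host/*` and `ftp/*` principals and list on the whole realm; creating a plain user principal with the same admin identity is refused.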