6 Administrative privileges for the Kerberos database are stored in the file **kadm5.acl**.
8 The format of the file is::
10 Kerberos_principal permissions [target_principal] [restrictions]
12 The Kerberos principal (and optional target principal) can include the "\*" wildcard, so if you want any principal with the instance "admin" to have full permissions on the database, you could use the principal "\*\/admin\@REALM" where "REALM" is your Kerberos realm. *target_principal* can also include backreferences to *Kerberos_principal*, in which "number" matches the component number in the *Kerberos_principal*.
14 .. note:: A common use of an admin instance is so you can grant separate permissions (such as administrator access to the Kerberos database) to a separate Kerberos principal. For example, the user *joeadmin* might have a principal for his administrative use, called *joeadmin/admin*. This way, *joeadmin* would obtain *joeadmin/admin* tickets only when he actually needs to use those permissions.
18 The permissions are represented by single letters; UPPER-CASE letters represent negative permissions. The permissions are:
20 === =====================================
21 a allows the addition of principals or policies in the database.
22 A disallows the addition of principals or policies in the database.
23 c allows the changing of passwords for principals in the database.
24 C disallows the changing of passwords for principals in the database.
25 d allows the deletion of principals or policies in the database.
26 D disallows the deletion of principals or policies in the database.
27 i allows inquiries to the database.
28 I disallows inquiries to the database.
29 l allows the listing of principals or policies in the database.
30 L disallows the listing of principals or policies in the database.
31 m allows the modification of principals or policies in the database.
32 M disallows the modification of principals or policies in the database.
33 p allow the propagation of the principal database (Used in :ref:`incr_db_prop_label`).
34 P disallow the propagation of the principal database (Used in :ref:`incr_db_prop_label`).
35 s allows the explicit setting of the key for a principal
36 S disallows the explicit setting of the key for a principal
37 \* All privileges (admcil).
38 x All privileges (admcil); identical to "\*".
39 === =====================================
43 The restrictions are a string of flags. Allowed restrictions are:
45 ======================== ============================
46 [+\|-]flagname flag is forced to indicated value. The permissible flags are the same as the + and - flags for the kadmin addprinc and modprinc commands.
47 -clearpolicy policy is forced to clear
48 -policy *pol* policy is forced to be *pol*
52 -maxrenewlife time associated value will be forced to MIN(time, requested value)
53 ======================== ============================
55 The above flags act as restrictions on any add or modify operation which is allowed due to that ACL line.
59 Here is an example of a *kadm5.acl* file::
61 */admin@ATHENA.MIT.EDU *
62 joeadmin@ATHENA.MIT.EDU ADMCIL
63 joeadmin/*@ATHENA.MIT.EDU il */root@ATHENA.MIT.EDU
64 *@ATHENA.MIT.EDU cil *1/admin@ATHENA.MIT.EDU
66 */admin@EXAMPLE.COM * -maxlife 9h -postdateable
68 .. note:: The order is important; permissions are determined by the first matching entry.
70 In the above file, any principal in the *ATHENA.MIT.EDU* realm with an admin instance has all administrative privileges. The user *joeadmin* has all permissions with his admin instance, *joeadmin/admin@ATHENA.MIT.EDU* (matches the first line). He has no permissions at all with his null instance, *joeadmin@ATHENA.MIT.EDU* (matches the second line). His root instance has inquire and list permissions with any other principal that has the instance root. Any principal in *ATHENA.MIT.EDU* can inquire, list, or change the password of their admin instance, but not any other admin instance. Any principal in the realm *ATHENA.MIT.EDU* (except for *joeadmin@ATHENA.MIT.EDU*, as mentioned above) has inquire privileges. Finally, any principal with an admin instance in EXAMPLE.COM has all permissions, but any principal that they create or modify will not be able to get postdateable tickets or tickets with a life of longer than 9 hours.
76 Please, provide your feedback at krb5-bugs@mit.edu?subject=Documentation___db_princs