Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i
Administration
admin_acl_file
FINANCE.BAMBI.COM    the realm name
*                    all permissions
To grant the principal rabbit@FINANCE.BAMBI.COM permission to add,
list and inquire about any principal in the database, add the
following line to the admin_acl_file (a = add, l = list, i = inquire):
rabbit@FINANCE.BAMBI.COM ali
Adding Entries to the admin_acl_file
You can add any principal name to the admin_acl_file as an entry with
or without assigned administrative permissions.
To add a principal with assigned permissions, use the Principal
Information’s attribute tab of kadminl_ui. Refer to “Administrative
Permissions” on page 160.
Deciding which principal names to add to the admin_acl_file is a
strategic decision. Consider the following:
• There should be only one admin_acl_file per primary server. All
realms supported by the primary server are included in this file.
• Any principal account named in this file must itself be adequately
protected, so that only the most trusted administrative principals
can alter that account with the remote administration tool: whoever
can change the account (for example, reset its password) effectively
inherits the permissions granted to it here.
• Principals in the admin_acl_file that have assigned permissions
can log on to the administrative tools, thereby becoming
administrative principals.
The r, R, or Rr modifiers, when used with the a or A permission, restrict
the principal names that can be added to the database. For instance, a
principal assigned the permissions ‘IARiar’ cannot add a new principal
whose identifier/instance@REALM name is already an entry in the
admin_acl_file.
To take advantage of this restriction, plan ahead: any name you may
later want to protect from restricted administrators must already be
an entry in the admin_acl_file, even if that entry carries no
permissions.
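The following is an added example, not code from the HP manual or the Kerberos server itself. It parses entries of the form shown above (principal, then an optional permission string) and evaluates both the basic grants in the rabbit@FINANCE.BAMBI.COM example and the r/R restriction on adding principals. The excerpt only defines ‘*’ (all permissions), a/l/i (add/list/inquire) and the r/R restriction; everything else is a labelled assumption: the handled letter set is a d m c i l, an uppercase letter is taken as an explicit denial (as in MIT’s kadm5.acl), and the sample ACL contents, including the realm SALES.BAMBI.COM and the principals helpdesk, auditor and reserved/host, are constructed.

```python
"""Added example, not from the HP manual: a small evaluator for entries of
the form  <principal> [<permissions>]  as used in the admin_acl_file.

Labelled assumptions (the manual excerpt only defines '*' = all permissions,
'a'/'l'/'i' = add/list/inquire, and the r/R restriction on 'a'):
  * the letter set handled is a d m c i l (add, delete, modify, change
    password, inquire, list);
  * an uppercase letter among those explicitly denies that operation, as in
    MIT's kadm5.acl, and a denial overrides '*';
  * r or R attached to an add permission means "may not add a principal
    whose full name already appears in the admin_acl_file".
"""
from __future__ import annotations

PERMISSION_LETTERS = "admcil"          # assumed letter set (see module docstring)

# Constructed sample admin_acl_file; names are placeholders, not a real site.
SAMPLE_ACL = """\
# principal                     permissions
admin/admin@FINANCE.BAMBI.COM   *
rabbit@FINANCE.BAMBI.COM        ali
helpdesk@FINANCE.BAMBI.COM      ar
auditor@FINANCE.BAMBI.COM       Ail
reserved/host@SALES.BAMBI.COM
"""


def parse_acl(text: str) -> dict[str, str]:
    """Map each principal in the file to its permission string ('' if none).

    A principal with no permissions is a legitimate entry: it grants nothing
    but reserves the name against r-restricted administrators.
    """
    acl: dict[str, str] = {}
    allowed = set(PERMISSION_LETTERS + PERMISSION_LETTERS.upper() + "*rR")
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) > 2:
            raise ValueError(f"line {lineno}: expected 'principal [permissions]', got {raw!r}")
        principal = fields[0]
        perms = fields[1] if len(fields) == 2 else ""
        if "@" not in principal:
            # one file serves every realm on the primary server, so every
            # entry must name its realm explicitly
            raise ValueError(f"line {lineno}: principal {principal!r} lacks @REALM")
        unknown = set(perms) - allowed
        if unknown:
            raise ValueError(f"line {lineno}: unknown permission letters {sorted(unknown)}")
        acl[principal] = perms
    return acl


def has_permission(acl: dict[str, str], principal: str, op: str) -> bool:
    """True if `principal` may perform `op` (one lowercase letter of PERMISSION_LETTERS)."""
    if op not in PERMISSION_LETTERS:
        raise ValueError(f"unknown operation {op!r}")
    perms = acl.get(principal)
    if perms is None:
        return False                     # not listed: no administrative access
    if op.upper() in perms:
        return False                     # assumed: explicit denial overrides '*'
    return "*" in perms or op in perms


def can_add_principal(acl: dict[str, str], admin: str, new_principal: str) -> bool:
    """Apply the add permission together with the r/R restriction."""
    if not has_permission(acl, admin, "a"):
        return False
    perms = acl[admin]
    restricted = "r" in perms or "R" in perms
    # r/R: may not create a principal whose identifier/instance@REALM is
    # already an entry in the admin_acl_file, whatever permissions that
    # entry carries (including none).
    return not (restricted and new_principal in acl)


def administrative_principals(acl: dict[str, str]) -> list[str]:
    """Entries that can log on to the admin tools: those holding any grant."""
    return sorted(p for p in acl
                  if any(has_permission(acl, p, op) for op in PERMISSION_LETTERS))


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print("administrative principals:", administrative_principals(acl))
    print("rabbit may add:", has_permission(acl, "rabbit@FINANCE.BAMBI.COM", "a"))
    print("helpdesk may add fox@FINANCE.BAMBI.COM:",
          can_add_principal(acl, "helpdesk@FINANCE.BAMBI.COM", "fox@FINANCE.BAMBI.COM"))
    print("helpdesk may add reserved/host@SALES.BAMBI.COM:",
          can_add_principal(acl, "helpdesk@FINANCE.BAMBI.COM", "reserved/host@SALES.BAMBI.COM"))
```

The reserved/host@SALES.BAMBI.COM entry carries no permissions and so never appears among the administrative principals, yet its mere presence stops the r-restricted helpdesk account from creating a principal of that name, while an unrestricted administrator (admin/admin or rabbit) still can. That is the planning point the text makes: names you want shielded from restricted administrators have to be entered in the file ahead of time.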