MIT Kerberos Documentation



The Kerberos kadmind daemon uses an Access Control List (ACL) file to manage access rights to the Kerberos database. For operations that affect principals, the ACL file also controls which principals can operate on which other principals.

The default location of the Kerberos ACL file is LOCALSTATEDIR/krb5kdc/kadm5.acl unless this is overridden by the acl_file variable in kdc.conf.


Empty lines and lines starting with the sharp sign (#) are ignored. Lines containing ACL entries have the format:

principal  permissions  [target_principal  [restrictions] ]


Line order in the ACL file is important. The first matching entry will control access for an actor principal on a target principal.


(Partially or fully qualified Kerberos principal name.) Specifies the principal whose permissions are to be set.

Each component of the name may be wildcarded using the * character.


Specifies what operations may or may not be performed by a principal matching a particular entry. This is a string of one or more of the following list of characters or their upper-case counterparts. If the character is upper-case, then the operation is disallowed. If the character is lower-case, then the operation is permitted.

a [Dis]allows the addition of principals or policies
c [Dis]allows the changing of passwords for principals
d [Dis]allows the deletion of principals or policies
i [Dis]allows inquiries about principals or policies
l [Dis]allows the listing of principals or policies
m [Dis]allows the modification of principals or policies
p [Dis]allows the propagation of the principal database (used in Incremental database propagation)
s [Dis]allows the explicit setting of the key for a principal
x Short for admcil. All privileges
* Same as x.

(Optional. Partially or fully qualified Kerberos principal name.) Specifies the principal on which permissions may be applied. Each component of the name may be wildcarded using the * character.

target_principal can also include back-references to principal, in which *number matches the corresponding wildcard in principal.


(Optional) A string of flags. Allowed restrictions are:

flag is forced to the indicated value. The permissible flags are the same as those for the default_principal_flags variable in kdc.conf.
policy is forced to be empty.
-policy pol
policy is forced to be pol.
-{expire, pwexpire, maxlife, maxrenewlife} time
(getdate time string) associated value will be forced to MIN(time, requested value).

The above flags act as restrictions on any add or modify operation which is allowed due to that ACL line.


If the kadmind ACL file is modified, the kadmind daemon needs to be restarted for changes to take effect.


Here is an example of a kadm5.acl file:

*/admin@ATHENA.MIT.EDU        *                           # line 1
joeadmin@ATHENA.MIT.EDU   ADMCIL                          # line 2
joeadmin/*@ATHENA.MIT.EDU il  */root@ATHENA.MIT.EDU       # line 3
*/root@ATHENA.MIT.EDU     cil *1@ATHENA.MIT.EDU           # line 4
*/*@ATHENA.MIT.EDU        i                               # line 5
*/admin@EXAMPLE.COM       x   * -maxlife 9h -postdateable # line 6

(line 1) Any principal in the ATHENA.MIT.EDU realm with an admin instance has all administrative privileges.

(lines 1-3) The user joeadmin has all permissions with his admin instance, joeadmin/admin@ATHENA.MIT.EDU (matches line 1). He has no permissions at all with his null instance, joeadmin@ATHENA.MIT.EDU (matches line 2). His root and other non-admin, non-null instances (e.g., extra or dbadmin) have inquire and list permissions with any principal that has the instance root (matches line 3).

(line 4) Any root principal in ATHENA.MIT.EDU can inquire, list, or change the password of their null instance, but not any other null instance. (Here, *1 denotes a back-reference to the component matching the first wildcard in the actor principal.)

(line 5) Any principal in the realm ATHENA.MIT.EDU (except for joeadmin@ATHENA.MIT.EDU, as mentioned above) has inquire privileges.

(line 6) Finally, any principal with an admin instance in EXAMPLE.COM has all permissions, but any principal that they create or modify will not be able to get postdateable tickets or tickets with a life of longer than 9 hours.


kdc.conf, kadmind