Re: back-referenced wildcards in kadm5.acl
Date: Sat, 07 Mar 2015 16:07:51 -0500
From: John Devitofranceschi <jdvf@optonline.net>
In-reply-to: <EEE7D41A-00E8-4F7F-9044-8389519995BF@optonline.net>
To: Kenneth MacDonald <Kenneth.MacDonald@ed.ac.uk>
Message-id: <8AD6E24F-1B5E-4FEE-8EC2-4104AC04EA7B@optonline.net>
Cc: kerberos@mit.edu
> On Mar 7, 2015, at 3:17 PM, John Devitofranceschi <jdvf@optonline.net> wrote:
>
>
>> On Jul 17, 2014, at 7:45 PM, Kenneth MacDonald <Kenneth.MacDonald@ed.ac.uk> wrote:
>>
>> Quoting John Devitofranceschi <jdvf@optonline.net> on Thu, 17 Jul 2014
>> 15:51:06 -0400:
>>
>>>
>>>> On Jul 17, 2014, at 12:37, Greg Hudson <ghudson@MIT.EDU> wrote:
>>>>
>>>>> On 07/16/2014 06:34 PM, John Devitofranceschi wrote:
>>>>> host/*@MYREALM.COM x */*1@MYREALM.COM
>>>>
>>>> This works for me in 1.11, 1.12, and the master branch. So, your
>>>> expectation isn't unreasonable, but I'm not sure why it doesn't work for
>>>> you.
>>>>
>>>> Note that kadmind will not reread its ACL file until it is restarted.
>>>
>>> I can get it to work with other wild card use cases, like:
>>>
>>> *@MYREALM.COM cli *1/admin@MYREALM.COM
>>>
>>> Just not the example I gave originally.
>>
>> This is because the wildcard matching only operates on whole
>> components, not substrings of them. There are various patches
>> floating around that extend this to regular expressions or substrings.
>> I have one, but I'm on holiday at the moment. I'll try to remember
>> to follow up when I get back.
>
> I just started looking into this again, this time with 1.13.1 and my results are the same as when I tried last year.
>
> Any patches or advice welcome!
>
> jd
I just realized that there was not much in the way of context from my original message, so here is what I'm trying to do:
If I want to allow the host principal for a given system to manage other hostname-based principals for the same host (to enable some kind of automation, say), based on the documentation, I would expect that an entry in kadm5.acl that looks like this:
host/*@MYREALM.COM x */*1@MYREALM.COM
would permit:
host/system1.myrealm.com@MYREALM.COM
to create:
nfs/system1.myrealm.com@MYREALM.COM
or
HTTP/system1.myrealm.com@MYREALM.COM
jd
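As an added illustration (not code from this thread or from MIT Kerberos), here is a small Python model of the kadm5.acl matching rules discussed above: a wildcard stands only for a whole principal component, and `*N` in the target field refers back to the Nth wildcard of the client principal. It assumes the realm is matched like one more component and leaves out restriction fields and uppercase deny flags; SAMPLE_ACL is constructed from the entries quoted in the thread.

```python
# Constructed sample ACL: the entry from the thread plus the working variant John mentioned.
SAMPLE_ACL = "host/*@MYREALM.COM x */*1@MYREALM.COM\n*@MYREALM.COM cli *1/admin@MYREALM.COM\n"

def split_principal(name):
    """'a/b@REALM' -> (['a', 'b'], 'REALM'); raises ValueError without an '@'."""
    primary, realm = name.rsplit("@", 1)
    return primary.split("/"), realm

def match_client(pattern, name):
    """Principal field: only a whole component '*' is a wildcard; returns captured parts or None."""
    pc, pr = split_principal(pattern)
    nc, nr = split_principal(name)
    if len(pc) != len(nc) or pr not in ("*", nr):  # realm handled like a component (assumption)
        return None
    captured = []
    for p, n in zip(pc, nc):
        if p == "*":
            captured.append(n)
        elif p != n:           # '*.myrealm.com' is compared literally, never as a substring
            return None
    return captured

def match_target(pattern, name, captured):
    """Target field: '*' matches any whole component; '*N' must equal captured[N-1]."""
    pc, pr = split_principal(pattern)
    nc, nr = split_principal(name)
    if len(pc) != len(nc) or pr not in ("*", nr):
        return False
    for p, n in zip(pc, nc):
        if p.startswith("*") and p[1:].isdigit():   # back-reference such as *1
            i = int(p[1:]) - 1
            if not 0 <= i < len(captured) or captured[i] != n:
                return False
        elif p != "*" and p != n:
            return False
    return True

def acl_allows(acl_text, client, perm, target):
    """True if an entry grants lowercase privilege `perm` (e.g. 'a' = add) to `client` on `target`.
    'x' or '*' grants everything; uppercase deny flags and restrictions are not modelled."""
    for raw in acl_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments; blank lines yield []
        if len(fields) < 2:
            continue
        captured = match_client(fields[0], client)
        if captured is None or not set("x*" + perm) & set(fields[1]):
            continue
        if len(fields) < 3 or match_target(fields[2], target, captured):
            return True
    return False
```

Under this model the thread's entry lets `host/system1.myrealm.com` create `nfs/system1.myrealm.com` but not `nfs/system2.myrealm.com`, and a pattern like `host/*.myrealm.com` matches nothing because the `*` is not a whole component.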
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos