[36836] in Kerberos


Re: back-referenced wildcards in kadm5.acl

daemon@ATHENA.MIT.EDU (John Devitofranceschi)
Tue Mar 10 17:48:11 2015

Date: Tue, 10 Mar 2015 17:47:47 -0400
From: John Devitofranceschi <jdvf@optonline.net>
In-reply-to: <8AD6E24F-1B5E-4FEE-8EC2-4104AC04EA7B@optonline.net>
To: kerberos@mit.edu
Message-id: <B7B4BFCF-CC5C-4C54-9F54-301408108236@optonline.net>
MIME-version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

> 
> I just realized that there was not much in the way of context from my original message, so here is what I'm trying to do:
> 
> If I want to allow the host principal for a given system to manage other hostname-based principals for the same host (to enable some kind of automation, say), based on the documentation, I would expect that an entry in kadm5.acl that looks like this:
> 
> host/*@MYREALM.COM x */*1@MYREALM.COM
> 
> would permit:
> 
> 	 host/system1.myrealm.com@MYREALM.COM 
> 
> to create:
> 	
> 	nfs/system1.myrealm.com@MYREALM.COM
> 
> or
> 
> 	HTTP/system1.myrealm.com@MYREALM.COM
> 


Here's the thing about this...

When I crafted my acl entry (above) I took the kadm5.acl document's comment about back-references:

"*1 denotes a back-reference to the component matching the first wildcard in the actor principal."

to mean the first wildcard, not the first component. So I thought that *1 refs the first wildcard'd component, *2 the second, etc. It seems that I was mistaken here, and *1 is a back-reference to the first component of any kind.

In my case, the first wildcard is the second component, so I've just realized that my acl line *should* have read:

host/*@MYREALM.COM x */*2@MYREALM.COM

which works as expected. In the previous version of the line, *1 was just matching the string "host", which does no one any good at all.

jd

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
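As an added example (not part of this thread and not the MIT Kerberos kadmind code), here is a small Python model of the back-reference semantics the poster observed, where *N refers to the N-th component of the actor principal. It assumes a simplified three-field kadm5.acl entry (actor pattern, permission letters, target pattern) and uses constructed principal names, so an administrator can check what an entry would permit before putting it on a KDC.

```python
import re

# Constructed sample entries, not read from a real kadm5.acl file.
ACL_ORIGINAL = "host/*@MYREALM.COM x */*1@MYREALM.COM"   # first attempt from the thread
ACL_CORRECTED = "host/*@MYREALM.COM x */*2@MYREALM.COM"  # the version that works

def split_principal(princ):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM')."""
    name, _, realm = princ.rpartition("@")
    return name.split("/"), realm

def match_actor(actor, pattern):
    """Return the actor's components if it matches the ACL actor pattern, else None."""
    a_comps, a_realm = split_principal(actor)
    p_comps, p_realm = split_principal(pattern)
    if p_realm not in ("*", a_realm) or len(a_comps) != len(p_comps):
        return None
    if any(p != "*" and p != a for a, p in zip(a_comps, p_comps)):
        return None
    return a_comps

def match_target(target, pattern, actor_comps):
    """Match the target against the pattern; *N must equal actor component N (model)."""
    t_comps, t_realm = split_principal(target)
    p_comps, p_realm = split_principal(pattern)
    if p_realm not in ("*", t_realm) or len(t_comps) != len(p_comps):
        return False
    for t, p in zip(t_comps, p_comps):
        backref = re.fullmatch(r"\*(\d+)", p)
        if backref:
            n = int(backref.group(1))
            # Modelled assumption from the thread: *N is the Nth actor component,
            # counted over all components, not only the wildcarded ones.
            if n < 1 or n > len(actor_comps) or actor_comps[n - 1] != t:
                return False
        elif p != "*" and p != t:
            return False
    return True

def acl_allows(entry, actor, op, target):
    """True if the entry lets `actor` perform privilege letter `op` on `target`."""
    actor_pat, perms, target_pat = entry.split()
    if perms != "x" and op not in perms:   # 'x' stands for all privileges
        return False
    actor_comps = match_actor(actor, actor_pat)
    return actor_comps is not None and match_target(target, target_pat, actor_comps)
```

Checking both entries against the same actor shows that the original line only ever back-references the literal string "host", while the corrected line scopes the actor to principals for its own hostname and nothing else.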
