[36853] in Kerberos


Re: back-referenced wildcards in kadm5.acl

daemon@ATHENA.MIT.EDU (John Devitofranceschi)
Tue Mar 17 07:12:12 2015

Date: Tue, 17 Mar 2015 07:11:50 -0400
From: John Devitofranceschi <jdvf@optonline.net>
In-reply-to: <B7B4BFCF-CC5C-4C54-9F54-301408108236@optonline.net>
To: kerberos@mit.edu
Message-id: <F85FE487-CDE3-4CD6-BCC4-455ED86527BC@optonline.net>

> On Mar 10, 2015, at 5:47 PM, John Devitofranceschi <jdvf@optonline.net> wrote:
> ...
> In my case, the first wildcard is the second component, so I've just realized that my acl line *should* have read:
>
> host/*@MYREALM.COM x */*2@MYREALM.COM
>
> which works as expected. In the previous version of the line, *1 was just matching the string "host", which does no one any good at all.
>

Okay, just ignore all that...

It turns out there's an issue with how kadmind deals with back-referenced wildcards, and the problems I've been experiencing are the result of this flaw. See: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8154

Once the fix described there is applied, things work as documented.

Also, check out http://krbdev.mit.edu/rt/Ticket/Display.html?id=8155, which describes a problem with how acl entry restrictions are documented. You should use the principal flag syntax described for default_principal_flags as they're used in kdc.conf, *not* the ones used by kadmin for addprinc/modprinc. If the restriction is not parsed properly, the ACL entry is discarded completely.

Thanks to Greg Hudson for looking into these issues!

jd
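As an added illustration (not code from this thread or from MIT krb5), here is a toy matcher for single kadm5.acl lines that resolves *N back-references by admin-principal component index, the numbering the corrected line above relies on; it shows why */*1 resolves to "host" for a host/* admin while */*2 yields the instance. The function names split_principal, match_components, expand_backrefs and acl_allows are my own.

```python
import re

# Added illustration, not MIT krb5 code. Assumption: a *N back-reference in
# the target field names the N-th component of the admin principal, the
# numbering the corrected line above relies on. Lines without a target
# field, restrictions and realm wildcards are deliberately not modelled.

def split_principal(name):
    """'host/foo@MYREALM.COM' -> (['host', 'foo'], 'MYREALM.COM')."""
    local, _, realm = name.rpartition("@")
    return local.split("/"), realm

def match_components(pattern, principal):
    """Match 'host/*@R' style patterns against a concrete principal.
    Returns the principal's components on a match, else None."""
    pcomps, prealm = split_principal(pattern)
    ccomps, crealm = split_principal(principal)
    if prealm != crealm or len(pcomps) != len(ccomps):
        return None
    if any(p != "*" and p != c for p, c in zip(pcomps, ccomps)):
        return None
    return ccomps

def expand_backrefs(target_pattern, admin_comps):
    """Replace each *N component with admin_comps[N-1] (1-based)."""
    local, realm = split_principal(target_pattern)
    out = []
    for comp in local:
        m = re.fullmatch(r"\*(\d+)", comp)
        if m is None:
            out.append(comp)
            continue
        n = int(m.group(1))
        if not 1 <= n <= len(admin_comps):
            raise ValueError(f"back-reference {comp} out of range")
        out.append(admin_comps[n - 1])
    return "/".join(out) + "@" + realm

def acl_allows(acl_line, admin, op, target):
    """True if this one ACL line grants privilege letter op to admin on target.
    'x' and '*' are the documented shorthands for all ordinary privileges."""
    fields = acl_line.split()
    if len(fields) < 3:
        return False
    admin_pat, perms, target_pat = fields[:3]
    if op not in perms and "x" not in perms and "*" not in perms:
        return False
    admin_comps = match_components(admin_pat, admin)
    if admin_comps is None:
        return False
    return match_components(expand_backrefs(target_pat, admin_comps), target) is not None
```

With the admin host/foo@MYREALM.COM and target nfs/foo@MYREALM.COM, the */*2 line grants access and the */*1 line (which expands to */host) does not.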

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
