> On Mar 7, 2015, at 3:17 PM, John Devitofranceschi <[email protected]> wrote:
>
>
>> On Jul 17, 2014, at 7:45 PM, Kenneth MacDonald <[email protected]>
>> wrote:
>>
>> Quoting John Devitofranceschi <[email protected]> on Thu, 17 Jul 2014
>> 15:51:06 -0400:
>>
>>>
>>>> On Jul 17, 2014, at 12:37, Greg Hudson <[email protected]> wrote:
>>>>
>>>>> On 07/16/2014 06:34 PM, John Devitofranceschi wrote:
>>>>> host/*@MYREALM.COM x */*[email protected]
>>>>
>>>> This works for me in 1.11, 1.12, and the master branch. So, your
>>>> expectation isn't unreasonable, but I'm not sure why it doesn't work for
>>>> you.
>>>>
>>>> Note that kadmind will not reread its ACL file until it is restarted.
>>>
>>> I can get it to work with other wild card use cases, like:
>>>
>>> *@MYREALM.COM cli *1/[email protected]
>>>
>>> Just not the example I gave originally.
>>
>> This is because the wildcard matching only operates on whole
>> components, not substrings of them. There are various patches
>> floating around that extend this to regular expressions or substrings.
>> I have one, but I'm on holiday at the moment. I'll try to remember
>> to follow up when I get back.
>
> I just started looking into this again, this time with 1.13.1 and my results
> are the same as when I tried last year.
>
> Any patches or advice welcome!
>
> jd
I just realized that there was not much in the way of context from my original message, so here is what I'm trying to do:

If I want to allow the host principal for a given system to manage other hostname-based principals for the same host (to enable some kind of automation, say), based on the documentation, I would expect that an entry in kadm5.acl that looks like this:

host/*@MYREALM.COM x */*[email protected]

would permit:

host/[email protected]

to create:

nfs/[email protected]

or

HTTP/[email protected]

jd
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
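An added example, not part of the original messages and not MIT krb5's own code: a simplified Python model of the whole-component wildcard matching described in the quoted reply, with `*N` back-references on the target side. The ACL entries and principal names in it are constructed, and the function names, the literal realm comparison and the lack of escape handling are assumptions of this sketch.

```python
def split_principal(name):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM'). No escape handling (assumption)."""
    comps, _, realm = name.rpartition("@")
    return comps.split("/"), realm


def match_pattern(pattern, name, backrefs=None):
    """Match a principal name against an ACL pattern, one whole component at a time.

    Returns the list of components captured by '*' on success, else None.
    When backrefs is given (target side), a component '*N' must equal the
    N-th wildcard capture from the requesting-principal match.
    """
    p_comps, p_realm = split_principal(pattern)
    n_comps, n_realm = split_principal(name)
    if len(p_comps) != len(n_comps):
        return None
    if p_realm != "*" and p_realm != n_realm:   # realm: literal or '*' (assumption)
        return None
    captured = []
    for pat, comp in zip(p_comps, n_comps):
        if pat == "*":
            # A wildcard only when '*' is the entire component.
            captured.append(comp)
        elif backrefs is not None and pat[0:1] == "*" and pat[1:].isdigit():
            idx = int(pat[1:]) - 1
            if not 0 <= idx < len(backrefs) or backrefs[idx] != comp:
                return None
        elif pat != comp:
            # Anything else, including '*.example.com', is compared literally.
            return None
    return captured


def acl_allows(entry, requester, target):
    """entry is 'principal permissions target'; True if both patterns match."""
    principal_pat, _perms, target_pat = entry.split()
    caps = match_pattern(principal_pat, requester)
    if caps is None:
        return False
    return match_pattern(target_pat, target, backrefs=caps) is not None


# Constructed entries and principals, for illustration only.
WHOLE = "host/*@MYREALM.COM x */*1@MYREALM.COM"
SUBSTR = "host/*.example.com@MYREALM.COM x */*1@MYREALM.COM"
HOST = "host/web01.example.com@MYREALM.COM"
```

In this model the back-reference keeps a host principal confined to principals that carry its own hostname, and a `*` embedded in a longer component never acts as a wildcard, so such an entry grants nothing.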
