> I just realized that there was not much in the way of context from my
> original message, so here is what I'm trying to do:
>
> If I want to allow the host principal for a given system to manage other
> hostname-based principals for the same host (to enable some kind of
> automation, say), based on the documentation, I would expect that an entry in
> kadm5.acl that looks like this:
>
> host/*@MYREALM.COM x */*1...@myrealm.com
>
> would permit:
>
> host/system1.myrealm....@myrealm.com
>
> to create:
>
> nfs/system1.myrealm....@myrealm.com
>
> or
>
> HTTP/system1.myrealm....@myrealm.com
Here's the thing about this... When I crafted my acl entry (above) I took the kadm5.acl document's comment about back-references:

"*1 denotes a back-reference to the component matching the first wildcard in the actor principal."

to mean the first wildcard, not the first component. So I thought that *1 refs the first wildcarded component, *2 the second, etc. It seems that I was mistaken here, and *1 is a back-reference to the first component of any kind. In my case, the first wildcard is the second component, so I've just realized that my acl line *should* have read:

host/*@MYREALM.COM x */*2...@myrealm.com

which works as expected. In the previous version of the line, *1 was just matching the string "host", which does no one any good at all.

jd

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
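As an added illustration of the back-reference behaviour jd describes (not code from the thread or from MIT Kerberos): a toy matcher in which *N in the target pattern refers to the Nth component of the actor principal, so an ACL line can be dry-run against candidate actor/target pairs before it is deployed. The principals, realm and ACL lines are constructed, and the matcher models only the subset of kadm5.acl syntax used in the thread (x is expanded to all privilege letters).

```python
import re

# Constructed toy model of the back-reference behaviour described above:
# "*N" in the target pattern refers to the Nth component of the actor
# principal, not the Nth wildcard. Not MIT's kadm5.acl implementation.

def split_principal(princ):
    """'nfs/host1@REALM' -> (['nfs', 'host1'], 'REALM')."""
    name, _, realm = princ.rpartition("@")
    return name.split("/"), realm

def match_pattern(pat, princ, actor_comps=None):
    """Match a principal against a pattern with the same number of components.
    '*' matches any component; '*N' (target side only) must equal the Nth
    component of the actor principal. The realm must match exactly."""
    p_comps, p_realm = split_principal(pat)
    comps, realm = split_principal(princ)
    if len(p_comps) != len(comps) or p_realm != realm:
        return False
    for p, c in zip(p_comps, comps):
        if p == "*":
            continue
        m = re.fullmatch(r"\*([1-9])", p)
        if m and actor_comps is not None:
            n = int(m.group(1)) - 1
            if n >= len(actor_comps) or actor_comps[n] != c:
                return False
        elif p != c:
            return False
    return True

def acl_permits(acl_line, actor, op, target):
    """True if `actor` may perform privilege letter `op` on `target`."""
    actor_pat, privs, target_pat = acl_line.split()
    if privs in ("x", "*"):          # kadm5.acl shorthand for all privileges
        privs = "admcilsp"
    if op not in privs or not match_pattern(actor_pat, actor):
        return False
    actor_comps, _ = split_principal(actor)
    return match_pattern(target_pat, target, actor_comps)

ACTOR = "host/system1.myrealm.com@MYREALM.COM"
WRONG = "host/*@MYREALM.COM x */*1@MYREALM.COM"   # *1 is "host"
RIGHT = "host/*@MYREALM.COM x */*2@MYREALM.COM"   # *2 is the hostname

if __name__ == "__main__":
    for line in (WRONG, RIGHT):
        for tgt in ("nfs/system1.myrealm.com@MYREALM.COM", "nfs/host@MYREALM.COM"):
            print(line.split()[2], tgt, acl_permits(line, ACTOR, "a", tgt))
```

Running it shows the *1 line only ever admitting targets whose second component is literally "host", while the *2 line scopes the host principal to its own hostname and nothing else.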