> On Mar 10, 2015, at 5:47 PM, John Devitofranceschi <[email protected]> wrote:
> ...
> In my case, the first wildcard is the second component, so I've just realized
> that my acl line *should* have read:
>
> host/*@MYREALM.COM x */*[email protected]
>
> which works as expected. In the previous version of the line, *1 was just
> matching the string "host", which does no one any good at all.
>
Okay, just ignore all that...

It turns out there's an issue with how kadmind deals with back-referenced wildcards, and the problems I've been experiencing are the result of this flaw. See:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=8154

Once the fix described there is applied, things work as documented.

Also, check out http://krbdev.mit.edu/rt/Ticket/Display.html?id=8155, which describes a problem with how acl entry restrictions are documented. You should use the principal flag syntax described for default_principal_flags as they're used in kdc.conf, *not* the ones used by kadmin for addprinc/modprinc. If the restriction is not parsed properly, the ACL entry is discarded completely.

Thanks to Greg Hudson for looking into these issues!

jd
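The thread above turns on how a `*N` backreference in the target field of a kadm5.acl entry binds to the N-th wildcard of the client pattern. The following is an added example, not code from the poster or from MIT Kerberos: a small Python model of that matching, written to show why `host/*@MYREALM.COM x */*1@...` binds the hostname while a line whose first wildcard is the "host" component does not. The ACL lines, principal names and the target realm (`MYREALM.COM`, since the list archive redacted the original) are constructed for the example; the "first matching entry decides, lowercase letters grant operations, `x`/`*` grants all" rule is a deliberate simplification of kadmind's actual behaviour, and negative (uppercase) permissions and restriction fields are not modelled.

```python
import re

# Constructed ACL lines, not the poster's real kadm5.acl.
# The target realm is an assumption: the archived message redacted it.
ACL_CORRECT = "host/*@MYREALM.COM x */*1@MYREALM.COM"
# A line of the kind the quoted message describes as the earlier, wrong version:
# here *1 refers to the FIRST wildcard, which is the "host" component, so the
# backreference never binds the hostname at all.
ACL_WRONG = "*/*@MYREALM.COM x */*1@MYREALM.COM"


def split_principal(princ):
    """'host/a.example.com@REALM' -> ['host', 'a.example.com', 'REALM'].
    The realm is treated as the last component so it can be matched uniformly."""
    name, sep, realm = princ.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: " + princ)
    return name.split("/") + [realm]


def match_client(pattern, principal):
    """Component-wise match of a client pattern (each component may be '*').
    Returns the strings captured by each '*' in order, or None on no match."""
    pcomps, ccomps = split_principal(pattern), split_principal(principal)
    if len(pcomps) != len(ccomps):
        return None
    captures = []
    for pc, cc in zip(pcomps, ccomps):
        if pc == "*":
            captures.append(cc)
        elif pc != cc:
            return None
    return captures


def match_target(pattern, captures, principal):
    """Match a target pattern: '*' matches any component, '*N' must equal the
    N-th capture from the client match. A backreference with no corresponding
    wildcard can never match."""
    pcomps, tcomps = split_principal(pattern), split_principal(principal)
    if len(pcomps) != len(tcomps):
        return False
    for pc, tc in zip(pcomps, tcomps):
        backref = re.fullmatch(r"\*(\d+)", pc)
        if backref:
            n = int(backref.group(1))
            if not 1 <= n <= len(captures) or captures[n - 1] != tc:
                return False
        elif pc != "*" and pc != tc:
            return False
    return True


def acl_permits(acl_text, client, op, target):
    """Simplified model (assumption, not kadmind's exact algorithm): the first
    entry whose client pattern and, if present, target pattern match decides.
    Lowercase permission letters grant the listed operations; 'x' or '*' grants
    all. Any restriction fields after the target are ignored here."""
    for raw in acl_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # malformed entry: skipped
        cpat, perms = fields[0], fields[1]
        tpat = fields[2] if len(fields) > 2 else None
        captures = match_client(cpat, client)
        if captures is None:
            continue
        if tpat is not None and not match_target(tpat, captures, target):
            continue
        return op in perms or "x" in perms or "*" in perms
    return False


if __name__ == "__main__":
    client = "host/box1.example.com@MYREALM.COM"
    for label, acl in (("correct", ACL_CORRECT), ("wrong", ACL_WRONG)):
        for target in ("nfs/box1.example.com@MYREALM.COM", "nfs/host@MYREALM.COM"):
            print(label, target, acl_permits(acl, client, "m", target))
```

Running the block shows the asymmetry the quoted message complains about: with the corrected line, `host/box1.example.com` may modify `nfs/box1.example.com` and nothing else under that rule; with the earlier form, `*1` expands to the literal string `host`, so the same client is instead matched against `nfs/host@MYREALM.COM`, which is not what anyone wants.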
