On 1/13/20 3:44 AM, Laura Smith wrote:
> Am aware of the list ordering requirement, and to that extent the ACL entry
> in question was quite deliberately placed at the top.

kadmind will continue on if the operation's target doesn't match the entry's target. So if you have a later entry for, say, "*/admin *", then the line "saltstack/admin ADMCIL nfs/*" would serve to deny access to nfs/* principals (because of the uppercase permission bits), but would have no effect on other target principals, or on operations with no target like list_principals. The documentation could probably be clarified here; it talks about "the first matching entry", but doesn't say what has to match.

> admcil nfs/@KRBTEST.COM, are you saying I should not be putting the wildcard
> asterisk after nfs/ ?

The wildcard asterisk was there in the mail I sent out (I checked my outgoing mail), but was apparently mangled by a piece of email software.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
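
A simplified model of the matching behaviour described in the message above, added here as an example (it is not kadmind's code and not part of the original post). The realm-qualified ACL entries, the function names and the fnmatch-style wildcard handling are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

ALL = set("admcilsp")  # what the "*" / "x" permission shorthand expands to

# Constructed kadm5.acl content: the two entries discussed in the message,
# with a realm added (assumption) so the patterns are complete principals.
ACL = """\
saltstack/admin@KRBTEST.COM ADMCIL nfs/*@KRBTEST.COM
*/admin@KRBTEST.COM *
"""

def parse(text):
    """Return (client_pattern, permissions, target_pattern_or_None) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            target = fields[2] if len(fields) > 2 else None
            entries.append((fields[0], fields[1], target))
    return entries

def granted(perms):
    """Lowercase letters grant a permission, uppercase letters withhold it."""
    bits = set()
    for ch in perms:
        if ch in "*x":
            bits |= ALL
        elif ch.islower():
            bits.add(ch)
        else:
            bits.discard(ch.lower())
    return bits

def check(entries, client, op, target=None):
    """Decide an operation using the first entry whose client AND target match."""
    for client_pat, perms, target_pat in entries:
        if not fnmatchcase(client, client_pat):
            continue
        # An entry with a target is skipped when the operation has no target
        # or a different one; evaluation continues with later entries.
        if target_pat is not None and (
            target is None or not fnmatchcase(target, target_pat)
        ):
            continue
        return op in granted(perms)
    return False  # no entry matched

ENTRIES = parse(ACL)
```

Here `check(ENTRIES, "saltstack/admin@KRBTEST.COM", "a", "nfs/host1@KRBTEST.COM")` is denied by the first entry, while the same client adding a `host/` principal or listing principals (no target) falls through to the second entry and is allowed.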