ACLs question

Bob Dowling rjd4 at cam.ac.uk
Wed Jul 28 06:51:07 EDT 2004


I'm running a KDC/kadmind on a Fedora box using Fedora's packages (1.3.1 
release 6) and am having problems with my wildcarded ACLs.

My situation is that I have a DNS domain with a very large number of 
subdomains (and subsubdomains etc. ad nauseam) whose computers may require 
host principals.  I would like to be able to delegate control of these to 
the people responsible for the computers in each subdomain (departmental 
computing staff, conscripted PhD students, etc.).  

I have been able to get wildcard ACLs working of the form

rjd4/manager@TEST.CAM.AC.UK	*	host/*@TEST.CAM.AC.UK

but not of the form

rjd4/manager@TEST.CAM.AC.UK	*	host/*.foo.cam.ac.uk@TEST.CAM.AC.UK

though there are no parse errors reported to the kadmind logs.

Am I doing something wrong, or is this a genuine limitation in the parsing 
of the ACLs file?  If the latter, could I propose that kadmind logs 
something about not being able to parse a line in kadm5.acl?

