ACLs question

Douglas E. Engert deengert at anl.gov
Wed Jul 28 11:40:19 EDT 2004



Bob Dowling wrote:
> 
> I'm running a KDC/kadmind on a Fedora box using Fedora's packages (1.3.1
> release 6) and am having problems with my wildcarded ACLs.
> 
> My situation is that I have a DNS domain with a very large number of
> subdomains (and subsubdomains etc. ad nauseam) whose computers may require
> host principals.  I would like to be able to delegate control of these to
> the people responsible for the computers in each subdomain (departmental
> computing staff, conscripted PhD students, etc.).
> 
> I have been able to get wildcard ACLs working of the form
> 
> rjd4/manager@TEST.CAM.AC.UK     *       host/*@TEST.CAM.AC.UK
> 
> but not of the form
> 
> rjd4/manager@TEST.CAM.AC.UK     *       host/*.foo.cam.ac.uk@TEST.CAM.AC.UK
> 
> though there are no parse errors reported to the kadmind logs.
> 
> Am I doing something wrong or is this a genuine limitation in the parsing
> of the ACLs file?  If the latter could I propose that kadmind logs
> something about not being able to parse a line in kadm5.acl?


FNAL  (fnal.gov) has a mod to src/lib/kadm5/srv/server_acl.c:
 
 /*
  * acl_match_data_sub() See if two data entries match
  *
  * But compare as a domain name, which allows wildcarding
  * for domain components. We will pass each component to 
  * acl_match_data
  */

You may want to ask someone there for the modification. 


> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
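Added example (not code from the thread, from MIT Kerberos, or from FNAL): a small Python model of kadm5.acl target matching, to show why a target of the form host/*@REALM matches while host/*.foo.cam.ac.uk@REALM does not when a '*' is only ever compared against a whole principal component, and what a per-domain-label comparison of the kind Engert describes would change. The exact rules modelled here (one '*' per whole component; or, for the domain-name variant, one '*' per dot-separated label with equal label counts) are assumptions made for the illustration, not a description of either implementation. The ACL lines are the two from the thread; the host principals tested against them are constructed.

```python
# Added example: a model of two kadm5.acl wildcard-matching semantics.
# Not the MIT or FNAL code; the matching rules are assumptions for illustration.


def split_principal(principal):
    """'host/pc1.foo.cam.ac.uk@TEST.CAM.AC.UK' -> (['host', 'pc1.foo.cam.ac.uk'], 'TEST.CAM.AC.UK')."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    return name.split("/"), realm


def match_whole(pattern, value):
    """Whole-component semantics (assumed): '*' matches an entire component, nothing less."""
    return pattern == "*" or pattern == value


def match_labels(pattern, value):
    """Domain-name semantics (assumed model of the FNAL approach): split the
    component on '.', and let '*' stand in for exactly one label."""
    p_labels, v_labels = pattern.split("."), value.split(".")
    if len(p_labels) != len(v_labels):
        return False
    return all(match_whole(p, v) for p, v in zip(p_labels, v_labels))


def principal_matches(pattern, principal, component_match):
    """Match component by component; the realm is always compared as a whole."""
    p_comps, p_realm = split_principal(pattern)
    v_comps, v_realm = split_principal(principal)
    if len(p_comps) != len(v_comps) or not match_whole(p_realm, v_realm):
        return False
    return all(component_match(p, v) for p, v in zip(p_comps, v_comps))


def parse_acl(text):
    """Parse 'principal  permissions  [target]' lines; '#' starts a comment.
    A missing target is recorded as None, meaning the entry applies to any target."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        target = fields[2] if len(fields) > 2 else None
        entries.append((fields[0], fields[1], target))
    return entries


def permitted(acl, who, op, target, component_match):
    """True if some entry grants operation `op` (e.g. 'a' = add) to `who` over `target`."""
    for entry_who, perms, entry_target in acl:
        if not principal_matches(entry_who, who, component_match):
            continue
        if perms != "*" and op not in perms:
            continue
        if entry_target is None or principal_matches(entry_target, target, component_match):
            return True
    return False


# The two ACL lines from the thread, tested one at a time.
WIDE = "rjd4/manager@TEST.CAM.AC.UK     *       host/*@TEST.CAM.AC.UK"
SCOPED = "rjd4/manager@TEST.CAM.AC.UK     *       host/*.foo.cam.ac.uk@TEST.CAM.AC.UK"
MANAGER = "rjd4/manager@TEST.CAM.AC.UK"

# Constructed host principals: one inside the delegated subdomain, one outside it,
# and one a level deeper than the pattern allows for.
IN_SCOPE = "host/pc1.foo.cam.ac.uk@TEST.CAM.AC.UK"
OUT_OF_SCOPE = "host/pc1.bar.cam.ac.uk@TEST.CAM.AC.UK"
DEEPER = "host/pc1.lab.foo.cam.ac.uk@TEST.CAM.AC.UK"


def can_add(acl_line, target, component_match):
    """May the manager principal add `target` under a single ACL line?"""
    return permitted(parse_acl(acl_line), MANAGER, "a", target, component_match)


if __name__ == "__main__":
    for label, semantics in (("whole-component", match_whole), ("domain-label", match_labels)):
        for acl_name, acl_line in (("WIDE", WIDE), ("SCOPED", SCOPED)):
            for target in (IN_SCOPE, OUT_OF_SCOPE, DEEPER):
                print("%-15s %-6s %-45s %s" % (label, acl_name, target,
                                                can_add(acl_line, target, semantics)))
```

Under the whole-component rule the wide entry grants the manager every host principal in the realm, including those outside foo.cam.ac.uk, while the scoped entry grants nothing at all, which is the silent failure described in the thread. Under the per-label rule the scoped entry permits pc1.foo.cam.ac.uk and refuses pc1.bar.cam.ac.uk; because this model makes '*' cover exactly one label, a deeper host such as pc1.lab.foo.cam.ac.uk still needs its own entry, so delegation can be kept to the narrowest name space that each group actually administers.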

