ACLs question
Douglas E. Engert
deengert at anl.gov
Wed Jul 28 11:40:19 EDT 2004
Bob Dowling wrote:
>
> I'm running a KDC/kadmind on a Fedora box using Fedora's packages (1.3.1
> release 6) and am having problems with my wildcarded ACLs.
>
> My situation is that I have a DNS domain with a very large number of
> subdomains (and subsubdomains etc. ad nauseam) whose computers may require
> host principals. I would like to be able to delegate control of these to
> the people responsible for the computers in each subdomain (departmental
> computing staff, conscripted PhD students, etc.).
>
> I have been able to get wildcard ACLs working of the form
>
> rjd4/manager@TEST.CAM.AC.UK * host/*@TEST.CAM.AC.UK
>
> but not of the form
>
> rjd4/manager@TEST.CAM.AC.UK * host/*.foo.cam.ac.uk@TEST.CAM.AC.UK
>
> though there are no parse errors reported to the kadmind logs.
>
> Am I doing something wrong or is this a genuine limitation in the parsing
> of the ACLs file? If the latter could I propose that kadmind logs
> something about not being able to parse a line in kadm5.acl?

FNAL (fnal.gov) has a mod to src/lib/kadm5/srv/server_acl.c:

/*
 * acl_match_data_sub()    See if two data entries match
 *
 * But compare as a domain name, which allows wildcarding
 * for domain components. We will pass each component to
 * acl_match_data
 */

You may want to ask someone there for the modification.

> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
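
The behaviour discussed in this thread, as an added example (not code from the original post, from MIT krb5 or from the FNAL modification): it assumes the stock matcher treats a principal component as a wildcard only when the component is exactly `*`, and sketches a label-wise comparison in the spirit of the quoted comment. The function names, and the rule that a `*` label matches exactly one DNS label, are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stock rule: a pattern component is a wildcard only when it is
 * exactly "*"; anything else is compared literally. */
static int component_match(const char *pat, size_t plen,
                           const char *val, size_t vlen)
{
    if (plen == 1 && pat[0] == '*')
        return 1;
    return plen == vlen && memcmp(pat, val, plen) == 0;
}

/* Whole-component comparison, as for the hostname part of host/<name>. */
static int stock_match(const char *pat, const char *val)
{
    return component_match(pat, strlen(pat), val, strlen(val));
}

/* Hypothetical label-wise comparison: split both names on '.' and hand each
 * label to component_match(). A "*" label matches exactly one non-empty
 * label, so both names must have the same number of labels. */
static int domain_match(const char *pat, const char *val)
{
    for (;;) {
        size_t plen = strcspn(pat, ".");
        size_t vlen = strcspn(val, ".");
        if (vlen == 0 || !component_match(pat, plen, val, vlen))
            return 0;
        pat += plen;
        val += vlen;
        if (*pat == '\0' || *val == '\0')
            return *pat == '\0' && *val == '\0';
        pat++;                      /* step over the '.' separators */
        val++;
    }
}

int main(void)
{
    /* Constructed hostnames, not taken from any real realm. */
    const char *pat = "*.foo.cam.ac.uk";
    const char *hosts[] = { "pc1.foo.cam.ac.uk", "pc1.bar.cam.ac.uk",
                            "a.b.foo.cam.ac.uk", "foo.cam.ac.uk" };
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-20s stock=%d labelwise=%d\n", hosts[i],
               stock_match(pat, hosts[i]), domain_match(pat, hosts[i]));
    return 0;
}
```

Under these assumptions the literal comparison rejects every host for `*.foo.cam.ac.uk` without any parse error, while the label-wise version grants only hosts exactly one label below `foo.cam.ac.uk`, so a delegated manager does not gain deeper subdomains or the parent name.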