dsr at mail.lns.cornell.edu
Sat Oct 30 20:32:34 EDT 2004
red at MIT.EDU (Rachel Elizabeth Dillon) writes:
> On Wed, Oct 27, 2004 at 07:54:45PM +0200, Fredrik Tolf wrote:
> > Is there no way to just add one single general rule to cover all users,
> > analogous to filename matching in Makefiles? That is, something like
> > this:
> > %/admin@REALM.COM x %/*@REALM.COM
> > Where, as in make, `%' would have to match the same thing in both
> > places?
> The manpage for kadmind does not suggest that any such rule exists. It
> might be a convenient thing to add in, or it might exist in the source
> but not be documented; I don't know.
The backref syntax for the MIT kadmind is *n, where n is the ordinal
number of the wildcard in the principal to be matched--so, e.g.
host/*@EXAMPLE.EDU ci host/*1@EXAMPLE.EDU
lets a host set a new key for itself, but not for any other host
principal. I have not tried mixing this with target wildcards--I
*/admin@REALM.COM x *1/*@REALM.COM
to work, but I haven't tried it.
I found this by reading the source. I've been meaning to file a bug
report about the lack of documentation for this feature. It's a very
useful feature, so I'd hate for MIT to feel free to eliminate it as
The 10/8 that can be pinged is not the true 10/8.
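An added illustration, not part of the original message and not MIT's kadmind code: a small Python model of the `*n` back-reference matching described in the message above. It assumes each `*` stands for one whole name component (or the realm) and that pattern and name must have the same number of components; the principal names in the test inputs are constructed.

```python
def split_principal(name):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM')."""
    comps, _, realm = name.rpartition("@")
    return comps.split("/"), realm


def match_acl_principal(pattern, actual):
    """Match the requesting principal; return the wildcard captures or None."""
    p_comps, p_realm = split_principal(pattern)
    a_comps, a_realm = split_principal(actual)
    if len(p_comps) != len(a_comps):   # assumption: component counts must agree
        return None
    captures = []
    for p, a in zip(p_comps + [p_realm], a_comps + [a_realm]):
        if p == "*":
            captures.append(a)         # remembered as *1, *2, ... in order
        elif p != a:
            return None
    return captures


def match_acl_target(pattern, actual, captures):
    """Match the target principal, resolving *n against the captures."""
    p_comps, p_realm = split_principal(pattern)
    a_comps, a_realm = split_principal(actual)
    if len(p_comps) != len(a_comps):
        return False
    for p, a in zip(p_comps + [p_realm], a_comps + [a_realm]):
        if p == "*":
            continue                   # plain target wildcard: anything goes
        if p.startswith("*") and p[1:].isdigit():
            n = int(p[1:])
            if not 1 <= n <= len(captures) or captures[n - 1] != a:
                return False           # back-reference must equal the capture
        elif p != a:
            return False
    return True


def acl_allows(acl_line, requester, target):
    """True if the ACL line's principal and target patterns both match."""
    principal_pat, _perms, target_pat = acl_line.split()
    captures = match_acl_principal(principal_pat, requester)
    return captures is not None and match_acl_target(target_pat, target, captures)


HOST_RULE = "host/*@EXAMPLE.EDU ci host/*1@EXAMPLE.EDU"
ADMIN_RULE = "*/admin@REALM.COM x *1/*@REALM.COM"
```
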