kadmin.acl usage.

[clockwork]

So we have a kerberos instance at work, and we'd like to delegate limited
admin abilities (namely host and service keytab creation) to some
developers. We dont want to create a seperate realm for this, and doing some
research on the ACL capabilities leads me to believe that this should be
doable. I'm thinking the following should work:

royce/admin at SIGSYS.ORG C  */lab.sigsys.org at SIGSYS.ORG

that should allow the dev in question 'royce' to create principle's for
host/foo2.lab.bit.org or http/foo.lab.bit.org (or anything in the .
lab.bit.org space) but not change any passwords. Will this work ? Most of
the docs refer to 'instance' and I'm not entirely sure that this logic
applies to names or specific things setup within the realm itself.

Any feedback or assistance is appreciated.

-C