wallet acls per glob

Ross Smith rjsm at umich.edu
Thu Oct 4 16:39:55 EDT 2012

Hi all,

I am working on setting up wallet in our environment and for the most part
have been please that it suits our needs well.  First a bit of background
on our setup.  We have two host keytabs per system to handle hosts changing
hostname without in person intervention.  When the system is loaded
initially, we require a user to authenticate to generate and deploy a
machine keytab.  The master keytab then has permissions to get the FQDN
keytab as necessary.

We would like to restrict certain acls to only reload certain hosts.  I
have a local patch to allow ldap-group acls.  An example of what I'd like
to setup is have members of the group foo-reloaders only be able to
autocreate acls for hosts with fqdn matching ^bar*.engin.umich.edu.  Is
there an easy way to do this with wallet as is? or how much work would it
be to implement something like this?


Ross Smith <rjsm at umich.edu>
College of Engineering - CAEN - Unix and Linux Support

More information about the Kerberos mailing list