back-referenced wildcards in kadm5.acl

John Devitofranceschi jdvf at optonline.net
Tue Mar 10 17:47:47 EDT 2015


> 
> I just realized that there was not much in the way of context from my original message, so here is what I'm trying to do:
> 
> If I want to allow the host principal for a given system to manage other hostname-based principals for the same host (to enable some kind of automation, say), based on the documentation, I would expect that an entry in kadm5.acl that looks like this:
> 
> host/*@MYREALM.COM x */*1@MYREALM.COM
> 
> would permit:
> 
> 	host/system1.myrealm.com@MYREALM.COM
> 
> to create:
> 	
> 	nfs/system1.myrealm.com@MYREALM.COM
> 
> or
> 
> 	HTTP/system1.myrealm.com@MYREALM.COM
> 


Here's the thing about this...

When I crafted my acl entry (above), I took the kadm5.acl document's comment about back-references:

"*1 denotes a back-reference to the component matching the first wildcard in the actor principal."

to mean the first wildcard, not the first component. So I thought that *1 refs the first wildcarded component, *2 the second, etc. It seems that I was mistaken here, and *1 is a back-reference to the first component of any kind.

In my case, the first wildcard is the second component, so I've just realized that my acl line *should* have read:

host/*@MYREALM.COM x */*2@MYREALM.COM

which works as expected. In the previous version of the line, *1 was just matching the string "host", which does no one any good at all.

jd
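The following is an added example, not code from the post or from MIT Kerberos: a small Python model of how a kadm5.acl entry authorizes an actor principal to act on a target principal, with back-references resolved the way the post reports them (`*N` in the target pattern stands for the N-th component of the actor principal, counting every component, not only wildcards). Feeding it the two ACL lines from the post shows why the `*1` version grants nothing (it compares the literal "host" against the hostname) while the `*2` version grants `host/system1` the ability to manage `nfs/system1` and `HTTP/system1` but not `nfs/system2`. The first-match rule, the treatment of `x` as all of `admcilsp`, and the ignoring of upper-case (deny) letters and the restrictions field are simplifications of this toy model, not a description of kadmind's implementation.

```python
# Toy model of kadm5.acl authorization with back-references, written for this
# page to check that an ACL grant is as narrow as intended.  It is NOT MIT
# Kerberos's ACL code; it models the semantics described in the post above.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# kadm5.acl privilege letters; "x" (or "*") is documented as short for all of them.
ALL_PRIVS = frozenset("admcilsp")


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]
    realm: str

    @classmethod
    def parse(cls, text: str) -> "Principal":
        # Split on the last "@"; this toy parser does not handle escaped "@".
        name, sep, realm = text.rpartition("@")
        if not sep or not name:
            raise ValueError(f"expected name@REALM, got {text!r}")
        return cls(tuple(name.split("/")), realm)


def match_part(pattern: str, actual: str, actor: Optional[Principal]) -> bool:
    """Match one component (or the realm) against one ACL pattern element."""
    if pattern == "*":
        return True
    if len(pattern) > 1 and pattern[0] == "*" and pattern[1:].isdigit():
        # Back-reference: *N is the N-th component (1-based) of the actor
        # principal, as the post observed (*1 -> "host", *2 -> hostname).
        if actor is None:
            return False
        n = int(pattern[1:])
        if not 1 <= n <= len(actor.components):
            return False
        return actor.components[n - 1] == actual
    return pattern == actual


def match_principal(pattern: str, princ: Principal,
                    actor: Optional[Principal] = None) -> bool:
    """True if `princ` matches the ACL principal pattern (with actor for back-refs)."""
    pat = Principal.parse(pattern)
    if len(pat.components) != len(princ.components):
        return False  # one wildcard matches exactly one component
    pairs = zip(pat.components, princ.components)
    if not all(match_part(p, a, actor) for p, a in pairs):
        return False
    return match_part(pat.realm, princ.realm, actor)


def expand_privs(field: str) -> frozenset:
    """Permissions field -> set of granted lower-case privilege letters."""
    if "x" in field or "*" in field:
        return ALL_PRIVS
    # Upper-case (deny) letters are ignored in this simplified model.
    return frozenset(c for c in field if c in ALL_PRIVS)


def parse_acl(text: str) -> List[Tuple[str, frozenset, Optional[str]]]:
    """Parse kadm5.acl text into (actor_pattern, privs, target_pattern or None)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        target_pat = fields[2] if len(fields) > 2 else None  # 4th field (restrictions) ignored
        entries.append((fields[0], expand_privs(fields[1]), target_pat))
    return entries


def is_permitted(acl_text: str, actor_text: str, target_text: str, priv: str) -> bool:
    """True if the first ACL entry matching actor and target grants `priv`."""
    actor = Principal.parse(actor_text)
    target = Principal.parse(target_text)
    for actor_pat, privs, target_pat in parse_acl(acl_text):
        if not match_principal(actor_pat, actor):
            continue
        if target_pat is not None and not match_principal(target_pat, target, actor):
            continue
        return priv in privs  # first-match semantics assumed by this model
    return False


# Constructed inputs: the two ACL lines from the post and one host principal.
ACL_BACKREF_1 = "host/*@MYREALM.COM x */*1@MYREALM.COM\n"
ACL_BACKREF_2 = "host/*@MYREALM.COM x */*2@MYREALM.COM\n"
ACTOR = "host/system1.myrealm.com@MYREALM.COM"

if __name__ == "__main__":
    for label, acl in (("*1", ACL_BACKREF_1), ("*2", ACL_BACKREF_2)):
        for target in ("nfs/system1.myrealm.com@MYREALM.COM",
                       "HTTP/system1.myrealm.com@MYREALM.COM",
                       "nfs/system2.myrealm.com@MYREALM.COM"):
            ok = is_permitted(acl, ACTOR, target, "a")
            print(f"{label}: {ACTOR} may add {target}: {ok}")
```

Running the block prints the authorization decision for each combination; the useful habit it illustrates is checking both the intended grant (same host, different service) and the intended denial (another host's principal) before putting an ACL line into production.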
