back-referenced wildcards in kadm5.acl

John Devitofranceschi jdvf at optonline.net
Tue Mar 17 07:11:50 EDT 2015


> On Mar 10, 2015, at 5:47 PM, John Devitofranceschi <jdvf at optonline.net> wrote:
> ...
> In my case, the first wildcard is the second component, so I've just realized that my acl line *should* have read:
> 
> host/*@MYREALM.COM x */*2@MYREALM.COM
> 
> which works as expected. In the previous version of the line, *1 was just matching the string "host", which does no one any good at all.
> 

Okay, just ignore all that...

It turns out there's an issue with how kadmind deals with back-referenced wildcards and the problems I've been experiencing are the result of this flaw. See: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8154

Once the fix described there is applied, things work as documented.

Also, check out http://krbdev.mit.edu/rt/Ticket/Display.html?id=8155, which describes a problem with how acl entry restrictions are documented. You should use the principal flag syntax described for default_principal_flags as they're used in kdc.conf, *not* the ones used by kadmin for addprinc/modprinc. If the restriction is not parsed properly, the ACL entry is discarded completely.

Thanks to Greg Hudson for looking into these issues!

jd
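
The following is an added example, not code from this thread or from MIT krb5: a small Python model of how a kadm5.acl line (`principal permissions [target_principal]`) is matched, so the effect of a `*number` back-reference can be tried out against concrete principal names. The post does not spell out the documented semantics, so the model assumes that `*number` in the target pattern refers to the number-th `*` wildcard of the client pattern (counted across components and realm), that the first matching entry decides, and that `x` or `*` grants every privilege while an uppercase letter denies one; a back-reference that has no corresponding wildcard never matches. The ACL text and principal names are constructed.

```python
"""Toy model of kadm5.acl wildcard and back-reference matching (assumption-based, see lead-in)."""
import re
from dataclasses import dataclass
from typing import List, Optional

BACKREF = re.compile(r"\*(\d)")  # "*1" .. "*9" in a target pattern


@dataclass
class AclEntry:
    principal: str            # client pattern, e.g. host/*@MYREALM.COM
    permissions: str          # e.g. "x", "ci", "*"
    target: Optional[str]     # target pattern, may use *N back-references


def split_principal(name: str):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM'); the realm is required."""
    if "@" not in name:
        raise ValueError(f"principal {name!r} has no realm")
    local, realm = name.rsplit("@", 1)
    return local.split("/"), realm


def match_pattern(pattern: str, name: str, bindings: Optional[List[str]] = None,
                  backrefs: Optional[List[str]] = None) -> bool:
    """Match `name` against `pattern` component by component.

    bindings: when given (client match), every component matched by "*" is appended.
    backrefs: when given (target match), "*N" must equal backrefs[N-1].
    """
    pcomps, prealm = split_principal(pattern)
    ncomps, nrealm = split_principal(name)
    if len(pcomps) != len(ncomps):
        return False
    for pc, nc in zip(pcomps + [prealm], ncomps + [nrealm]):
        if pc == "*":                      # bare wildcard: matches any component
            if bindings is not None:
                bindings.append(nc)
            continue
        m = BACKREF.fullmatch(pc)
        if m and backrefs is not None:     # back-reference to an earlier wildcard
            idx = int(m.group(1)) - 1
            if idx >= len(backrefs) or backrefs[idx] != nc:
                return False               # no such wildcard, or value differs
            continue
        if pc != nc:
            return False
    return True


def parse_acl(text: str) -> List[AclEntry]:
    """Parse kadm5.acl-style lines; '#' starts a comment, malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # a line kadmind could not parse would be dropped (assumption)
        entries.append(AclEntry(fields[0], fields[1],
                                fields[2] if len(fields) > 2 else None))
    return entries


def permitted(entries: List[AclEntry], client: str, op: str,
              target: Optional[str] = None) -> bool:
    """True if the first entry matching client (and target, if the entry names one) grants op."""
    for e in entries:
        bindings: List[str] = []
        if not match_pattern(e.principal, client, bindings=bindings):
            continue
        if e.target is not None:
            if target is None or not match_pattern(e.target, target, backrefs=bindings):
                continue
        if op.upper() in e.permissions:            # explicit denial wins
            return False
        return "x" in e.permissions or "*" in e.permissions or op in e.permissions
    return False


# Constructed sample ACL: admins get everything; a host principal may act only on
# principals whose instance equals its own instance (first wildcard -> *1).
ACL = """\
*/admin@MYREALM.COM    *
host/*@MYREALM.COM     x    */*1@MYREALM.COM
"""
ENTRIES = parse_acl(ACL)

if __name__ == "__main__":
    kdc = "host/kdc1.example.com@MYREALM.COM"
    print(permitted(ENTRIES, kdc, "c", "ftp/kdc1.example.com@MYREALM.COM"))   # True
    print(permitted(ENTRIES, kdc, "c", "ftp/other.example.com@MYREALM.COM"))  # False
```

Running the module prints the two checks at the bottom: the host principal may create `ftp/kdc1.example.com` because `*1` resolves to its own instance, but not `ftp/other.example.com`.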
