kadmin ignoring target column ?

Greg Hudson ghudson at mit.edu
Mon Jan 13 11:19:42 EST 2020


On 1/13/20 3:44 AM, Laura Smith wrote:
> Am aware of the list ordering requirement, and to that extent the ACL entry in question was quite deliberately placed at the top.

kadmind will continue on if the operation's target doesn't match the
entry's target.  So if you have a later entry for, say, "*/admin *",
then the line "saltstack/admin ADMCIL nfs/*" would serve to deny access
to nfs/* principals (because of the uppercase permission bits), but
would have no effect on other target principals, or on operations with
no target like list_principals.

The documentation could probably be clarified here; it talks about "the
first matching entry", but doesn't say what has to match.

> admcil nfs/@KRBTEST.COM, are you saying I should not be putting the wildcard asterisk after nfs/ ?

The wildcard asterisk was there in the mail I sent out (I checked my
outgoing mail), but was apparently mangled by a piece of email software.
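
The matching rule described in the reply above, as an added example that is not part of the original message and is not kadmind's code: a simplified Python model in which the first entry whose principal and target both match decides the result. Assumptions: realms are omitted, wildcards are approximated with `fnmatchcase`, and the function names and sample principals are constructed for illustration.

```python
from fnmatch import fnmatchcase

ALL_PERMS = set("admcilsp")  # expansion of the '*' / 'x' permission shorthand

def parse_acl(text):
    """Parse 'principal permissions [target]' lines into (client, allowed, target)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        client, perms = fields[0], fields[1]
        target = fields[2] if len(fields) > 2 else None
        allowed = set()
        for ch in perms:
            if ch in "*x":
                allowed |= ALL_PERMS
            elif ch.islower():
                allowed.add(ch)              # lowercase grants the operation
            else:
                allowed.discard(ch.lower())  # uppercase denies it
        entries.append((client, allowed, target))
    return entries

def check(entries, client, op, target=None):
    """Return True if `client` may perform `op` (a letter such as 'd' or 'l')."""
    for client_pat, allowed, target_pat in entries:
        if not fnmatchcase(client, client_pat):
            continue
        if target_pat is not None:
            # An entry with a target column is skipped when the operation has
            # no target or a different one, and the scan continues.
            if target is None or not fnmatchcase(target, target_pat):
                continue
        return op in allowed  # first entry matching client AND target decides
    return False              # no entry matched

# Constructed sample built from the two entries quoted in the reply.
SAMPLE_ACL = """
saltstack/admin ADMCIL nfs/*
*/admin *
"""
# Same entries in the opposite order: the deny line is never reached.
REVERSED_ACL = """
*/admin *
saltstack/admin ADMCIL nfs/*
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for op, tgt in [("d", "nfs/host1.example.com"), ("d", "host/web1.example.com"), ("l", None)]:
        print(op, tgt, check(acl, "saltstack/admin", op, tgt))
```
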

