kadmin ignoring target column ?

Laura Smith n5d9xq3ti233xiyif2vp at protonmail.ch
Mon Jan 13 11:54:13 EST 2020


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, January 13, 2020 4:19 PM, Greg Hudson <ghudson at mit.edu> wrote:

> On 1/13/20 3:44 AM, Laura Smith wrote:
>
> > Am aware of the list ordering requirement, and to that extent the ACL entry in question was quite deliberately placed at the top.
>
> kadmind will continue on if the operation's target doesn't match the
> entry's target. So if you have a later entry for, say, "/admin ",
> then the line "saltstack/admin ADMCIL nfs/" would serve to deny access
> to nfs/ principals (because of the uppercase permission bits), but
> would have no effect on other target principals, or on operations with
> no target like list_principals.
>
> The documentation could probably be clarified here; it talks about "the
> first matching entry", but doesn't say what has to match.

Aah, so are we saying I should try something like:
saltstack/admin admcil nfs/*
saltstack/admin ADMCIL *

Basically my end goal is to allow saltstack/admin to do what it likes (within reason) for nfs/* but keep it well away from anything more "important" (such as */admin).


>
> > admcil nfs/@KRBTEST.COM, are you saying I should not be putting the wildcard asterisk after nfs/ ?
>
> The wildcard asterisk was there in the mail I sent out (I checked my
> outgoing mail), but was apparently mangled by a piece of email software.

Yes, you're right. Have read your original and indeed asterisk is there.
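To make the evaluation rule Greg describes concrete, here is a small Python model of kadm5.acl matching; it is an added example, not kadmind's code. It assumes component-wise principal matching where a component of `*` matches any one component, that realms are ignored, and that an entry carrying a target is skipped for target-less operations (generalising the `/admin` case above to every targeted entry); the two ACL fragments are constructed for the example, with the deny target written as `*/admin` to match the goal stated in the reply.

```python
from typing import List, Optional, Tuple

# Constructed kadm5.acl fragments. ACL_PROBLEM is the layout the thread says
# does not work: the uppercase line only denies nfs/ targets, so a later
# catch-all entry still grants everything else. ACL_PROPOSED puts a grant for
# nfs/* first and an explicit deny for */admin second.
ACL_PROBLEM = "saltstack/admin ADMCIL nfs/*\n*/admin *\n"
ACL_PROPOSED = "saltstack/admin admcil nfs/*\nsaltstack/admin ADMCIL */admin\n"

Entry = Tuple[str, str, Optional[str]]


def parse_acl(text: str) -> List[Entry]:
    """Parse 'client perms [target]' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        client, perms = fields[0], fields[1]
        target = fields[2] if len(fields) > 2 else None
        entries.append((client, perms, target))
    return entries


def match_principal(pattern: str, princ: str) -> bool:
    """Assumed model: realm ignored, same number of components required,
    and a component of '*' matches any single component."""
    pat = pattern.split("@", 1)[0].split("/")
    comps = princ.split("@", 1)[0].split("/")
    return len(pat) == len(comps) and all(
        p == "*" or p == c for p, c in zip(pat, comps))


def check(entries: List[Entry], client: str, op: str,
          target: Optional[str] = None) -> bool:
    """The first entry whose client AND target match decides: lowercase
    bits grant, uppercase bits deny, '*' or 'x' grants all; no match denies."""
    for ent_client, perms, ent_target in entries:
        if not match_principal(ent_client, client):
            continue
        if ent_target is not None:
            # Entries with a target are skipped for target-less operations
            # (e.g. list_principals) and for targets that do not match.
            if target is None or not match_principal(ent_target, target):
                continue
        return "*" in perms or "x" in perms or op in perms
    return False  # default deny when nothing matched
```

Running `check` over both fragments shows the difference: with ACL_PROBLEM, saltstack/admin is denied only on nfs/ targets and still gets modify on foo/admin and list_principals through the catch-all, while with ACL_PROPOSED it is granted on nfs/ targets, denied on */admin, and denied by default elsewhere.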
