[krbdev.mit.edu #8155] kadm5.acl flag restrictions don't use documented syntax
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Thu Mar 12 23:39:25 EDT 2015
If a kadm5.acl entry contains restrictions, we attempt to parse each
restriction field using krb5_string_to_flags(), which uses the syntax
documented for default_principal_flags in kdc_conf.rst.

However, kadm5_acl.rst claims that the permissible flags are the ones
from kadmin addprinc/modprinc. Those commands use different flag
names.

Compounding the issue, if we fail to parse the restriction string, we
silently discard the ACL entry--there is a DPRINT, but that does
nothing in a default build. We also do that if we fail to parse the
source or target principal name.
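
As an added example (not part of the original report or of the krb5 code base), the sketch below audits a kadm5.acl file for restriction flags written with kadmin addprinc/modprinc names, which per the report above fail to parse and cause the whole entry to be silently discarded. The two flag-name sets are partial lists assumed from the MIT krb5 documentation, and `check_acl` and the sample entries are constructed for illustration.

```python
# Partial name lists, assumed from the MIT krb5 documentation (not from this page).
KDC_CONF_FLAGS = {  # default_principal_flags syntax (kdc_conf.rst)
    "postdateable", "forwardable", "tgt-based", "renewable", "proxiable",
    "dup-skey", "allow-tickets", "preauth", "hwauth", "pwchange",
    "service", "pwservice",
}
KADMIN_FLAGS = {  # kadmin addprinc/modprinc syntax
    "allow_postdated", "allow_forwardable", "allow_tgs_req", "allow_renewable",
    "allow_proxiable", "allow_dup_skey", "allow_tix", "requires_preauth",
    "requires_hwauth", "needchange", "allow_svr", "password_changing_service",
}
ARG_OPTIONS = {"-policy", "-expire", "-pwexpire", "-maxlife", "-maxrenewlife"}
NOARG_OPTIONS = {"-clearpolicy"}


def check_acl(text):
    """Return (line_number, token, reason) for each suspect restriction token."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Fields: principal, permissions, [target, [restrictions...]]
        tokens = line.split()[3:]
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok in ARG_OPTIONS:
                i += 2  # skip the option's single-word argument (simplification)
                continue
            i += 1
            if tok in NOARG_OPTIONS:
                continue
            name = tok[1:] if tok[:1] in "+-" else tok
            if tok[:1] in "+-" and name in KDC_CONF_FLAGS:
                continue
            reason = "kadmin-style name" if name in KADMIN_FLAGS else "unrecognized"
            findings.append((lineno, tok, reason))
    return findings


SAMPLE = """\
# constructed sample entries
*/admin@EXAMPLE.COM  *
ops@EXAMPLE.COM  x  *  -maxlife 9h -postdateable
helpdesk@EXAMPLE.COM  cm  *@EXAMPLE.COM  -allow_postdated +requires_preauth
"""

if __name__ == "__main__":
    for lineno, tok, reason in check_acl(SAMPLE):
        print(f"line {lineno}: {tok}: {reason}")
```

Any line this reports is a candidate for an ACL entry that the server dropped without logging, so the restrictions the administrator intended for that principal are not in effect.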