slightly expanded wildcard support for kadm5.acl

Mike Dopheide dopheide at
Fri Mar 30 17:10:34 EDT 2007

Attached is a patch to add wildcard support at the beginning and end of
kadm5.acl components.  I'd love to see this or something like it get
added to the standard codebase.  We haven't used this in the field yet,
I wanted to get people's opinions first.  I may not have considered all
of the implications (please let me know if I'm missing something bad).

We've run into a couple situations here where it would be really handy
to have this.

Example 1:
Temporary guest accounts on a system that doesn't support instances.
This resulted in something similar to guest[001-100] prinicpals and a
hundred kadm5.acl entries so the event coordinator could reset
passwords.  This is much more concise:

guest/admin at REALM.COM	cmi	guest*@REALM.COM

Example 2:
Multiple site admins using a central Kerberos realm.  In this case you
can give each site admin control to create/edit host keys in their own

site1/admin at REALM.COM   *	host/* at REALM.COM
site2/admin at REALM.COM   *	host/* at REALM.COM


PS.  During my testing I noticed that kadmind segfaults if you forget to
add the ACL permissions to a line in kadm5.acl.  :)

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: kadm5_acl.patch

More information about the krbdev mailing list