> On Mar 7, 2015, at 3:17 PM, John Devitofranceschi <j...@optonline.net> wrote:
>
>
>> On Jul 17, 2014, at 7:45 PM, Kenneth MacDonald <kenneth.macdon...@ed.ac.uk>
>> wrote:
>>
>> Quoting John Devitofranceschi <j...@optonline.net> on Thu, 17 Jul 2014
>> 15:51:06 -0400:
>>
>>>
>>>> On Jul 17, 2014, at 12:37, Greg Hudson <ghud...@mit.edu> wrote:
>>>>
>>>>> On 07/16/2014 06:34 PM, John Devitofranceschi wrote:
>>>>> host/*@MYREALM.COM x */*1...@myrealm.com
>>>>
>>>> This works for me in 1.11, 1.12, and the master branch. So, your
>>>> expectation isn't unreasonable, but I'm not sure why it doesn't work for
>>>> you.
>>>>
>>>> Note that kadmind will not reread its ACL file until it is restarted.
>>>
>>> I can get it to work with other wildcard use cases, like:
>>>
>>> *@MYREALM.COM cli *1/ad...@myrealm.com
>>>
>>> Just not the example I gave originally.
>>
>> This is because the wildcard matching only operates on whole
>> components, not substrings of them. There are various patches
>> floating around that extend this to regular expressions or substrings.
>> I have one, but I'm on holiday at the moment. I'll try to remember
>> to follow up when I get back.
>
> I just started looking into this again, this time with 1.13.1, and my results
> are the same as when I tried last year.
>
> Any patches or advice welcome!
>
> jd
I just realized that there was not much in the way of context in my original message, so here is what I'm trying to do:

If I want to allow the host principal for a given system to manage other hostname-based principals for the same host (to enable some kind of automation, say), then based on the documentation I would expect that an entry in kadm5.acl that looks like this:

host/*@MYREALM.COM x */*1...@myrealm.com

would permit:

host/system1.myrealm....@myrealm.com

to create:

nfs/system1.myrealm....@myrealm.com

or

HTTP/system1.myrealm....@myrealm.com

jd
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
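Kenneth's point above, that kadm5.acl wildcards match whole principal components rather than substrings, and the documented "*N" back-reference from a target field to the N-th component of the principal that matched, are easy to check against a small model. The following Python is an added illustration and is not kadmind's code: the ACL entries, principal names, the choice of "*2" in the target field, the privilege expansion of "x", and the rule that the first entry whose principal and target patterns both match governs the decision are all assumptions made for this example (restrictions such as "-maxlife" and escaped separators are not modelled).

```python
"""Toy model of kadm5.acl wildcard matching (added illustration, not
kadmind's own code).

A pattern component is one of:
  "*"   the whole-component wildcard
  "*N"  (target field only) must equal component N of the principal that
        matched, counting from 1
  text  a literal that must equal the whole component
Nothing is matched as a substring or shell glob, so "host/*.example.com"
is a literal and matches no real principal."""

# Expansion of "x" / "*" per the kadm5.acl documentation; "e" (extract
# keys) is deliberately not part of it.
ALL_PRIVS = set("admcilsp")


def split_principal(name):
    """'nfs/host.example.com@REALM' -> (['nfs', 'host.example.com'], 'REALM').
    Assumes no escaped '/' or '@' inside component names."""
    body, _, realm = name.partition("@")
    return body.split("/"), realm


def match_components(pattern, name, bindings=None):
    """Compare a pattern against a real principal, whole component by whole
    component. Returns the real principal's component list (usable as
    `bindings` for '*N' in a target pattern) or None on mismatch."""
    p_comps, p_realm = split_principal(pattern)
    n_comps, n_realm = split_principal(name)
    if len(p_comps) != len(n_comps):
        return None
    if p_realm != "*" and p_realm != n_realm:
        return None
    for p, n in zip(p_comps, n_comps):
        if p == "*":
            continue
        if bindings is not None and p.startswith("*") and p[1:].isdigit():
            idx = int(p[1:]) - 1          # back-reference into the actor
            if idx >= len(bindings) or bindings[idx] != n:
                return None
            continue
        if p != n:                        # literal: whole-component equality
            return None
    return n_comps


def parse_acl(text):
    """Parse 'principal privs [target]' lines; '#' starts a comment.
    Restriction fields ('-maxlife 9h', ...) are ignored in this model."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        principal, privs = fields[0], fields[1]
        target = "*"
        if len(fields) > 2 and not fields[2].startswith("-"):
            target = fields[2]
        allowed = ALL_PRIVS if privs in ("x", "*") else set(privs)
        entries.append((principal, allowed, target))
    return entries


def acl_permits(entries, actor, priv, target):
    """Assumed lookup rule: the first entry whose principal pattern matches
    the actor and whose target pattern matches the target decides."""
    for principal_pat, allowed, target_pat in entries:
        bindings = match_components(principal_pat, actor)
        if bindings is None:
            continue
        if target_pat != "*" and \
                match_components(target_pat, target, bindings) is None:
            continue
        return priv in allowed
    return False


# Constructed example ACL. The first entry uses *2 (second component of the
# matched principal) so a host principal may act only on principals whose
# instance equals its own; the second is the documented "*/root ... *1" idiom.
ACL_TEXT = """\
host/*@MYREALM.COM      x   */*2@MYREALM.COM
*/root@MYREALM.COM      ci  *1@MYREALM.COM
"""

if __name__ == "__main__":
    entries = parse_acl(ACL_TEXT)
    actor = "host/system1.myrealm.com@MYREALM.COM"
    for tgt in ("nfs/system1.myrealm.com@MYREALM.COM",
                "HTTP/system1.myrealm.com@MYREALM.COM",
                "nfs/system2.myrealm.com@MYREALM.COM"):
        print(actor, "add", tgt, "->", acl_permits(entries, actor, "a", tgt))
    # Whole-component matching: a dotted wildcard is just a literal.
    print(match_components("host/*.myrealm.com@MYREALM.COM", actor))
```

Running the block shows the two same-host targets permitted, the other host's target denied, and the "host/*.myrealm.com" pattern failing to match anything, which is the behaviour Kenneth describes; a pattern that wants to cover all hosts has to wildcard the entire instance component.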