back-referenced wildcards in kadm5.acl

John Devitofranceschi jdvf at
Tue Mar 17 07:11:50 EDT 2015

> On Mar 10, 2015, at 5:47 PM, John Devitofranceschi <jdvf at> wrote:
> ...
> In my case, the first wildcard is the second component, so I've just realized that my acl line *should* have read:
> host/*@MYREALM.COM x */*2 at MYREALM.COM
> which works as expected. In the previous version of the line, *1 was just matching the string "host", which does no one any good at all.

Okay, just ignore all that...

It turns out there's an issue with how kadmind deals with back-referenced wildcards and the problems I've been experiencing are the result of this flaw. See:

Once the fix described there is applied, things work as documented. 

Also, check out, which describes a problem with how acl entry restrictions are documented. You should use the principal flag syntax described for default_principal_flags as they're used in kdc.conf, *not* the ones used by kadmin for addprinc/modprinc. If the restriction is not parsed properly, ACL entry is discarded completely.
Thanks to Greg Hudson for looking into these issues!
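The two pitfalls in this thread, how a `*number` back-reference in the target field is resolved and how a restriction that fails to parse silently drops the whole entry, as a small Python model of kadm5.acl evaluation. This is an added example, not code from the post or from MIT krb5's kadmind. It assumes the documented rule that `*N` stands for the N-th `*` wildcard of the principal field (the behaviour the post reports once the fix is applied); the flag names are the kdc.conf `default_principal_flags` set as recalled from the MIT documentation; treating the realm as one more matchable component, treating an out-of-range `*N` as a non-match, and letting the first matching entry decide are modelling choices, not statements about kadmind. The sample ACL text is constructed.

```python
import re

# Names accepted in kdc.conf default_principal_flags, and therefore in a
# kadm5.acl restriction (assumption: list as recalled from the MIT docs).
KDC_CONF_FLAGS = {
    "allow-tickets", "dup-skey", "forwardable", "hwauth", "no-auth-data-required",
    "ok-as-delegate", "ok-to-auth-as-delegate", "postdateable", "preauth",
    "proxiable", "pwchange", "pwservice", "renewable", "service", "tgt-based",
}
# Restriction keywords that take one argument (per the kadm5.acl man page).
ARG_RESTRICTIONS = {"-policy", "-expire", "-pwexpire", "-maxlife", "-maxrenewlife"}

# Constructed sample: line 1 uses the documented back-reference, line 2 refers
# to a second wildcard that does not exist, line 3 uses a kadmin addprinc flag
# name instead of the kdc.conf one and so will be discarded.
SAMPLE_ACL = """\
host/*@MYREALM.COM x */*1@MYREALM.COM +preauth
host/*@MYREALM.COM x */*2@MYREALM.COM
*/admin@MYREALM.COM x +requires_preauth
"""


def split_principal(princ):
    """'host/db1@R' -> (['host', 'db1'], 'R'); the realm is '' if absent."""
    name, _, realm = princ.partition("@")
    return name.split("/"), realm


def match_principal(pattern, princ):
    """Match the first ACL field. Returns the strings captured by each '*'
    (in order) or None. Component counts must agree; the realm is treated
    as one more component (modelling choice)."""
    pcomps, prealm = split_principal(pattern)
    ccomps, crealm = split_principal(princ)
    if len(pcomps) != len(ccomps):
        return None
    captures = []
    for pc, cc in zip(pcomps + [prealm], ccomps + [crealm]):
        if pc == "*":
            captures.append(cc)
        elif pc != cc:
            return None
    return captures


def match_target(pattern, target, captures):
    """Match the target field. '*N' must equal the N-th '*' capture from the
    principal field (documented rule); an N with no such wildcard never
    matches (modelling choice)."""
    pcomps, prealm = split_principal(pattern)
    tcomps, trealm = split_principal(target)
    if len(pcomps) != len(tcomps):
        return False
    for pc, tc in zip(pcomps + [prealm], tcomps + [trealm]):
        m = re.fullmatch(r"\*(\d+)", pc)
        if m:
            n = int(m.group(1))
            if not 1 <= n <= len(captures) or captures[n - 1] != tc:
                return False
        elif pc != "*" and pc != tc:
            return False
    return True


def parse_acl_line(line):
    """Parse 'principal perms [target] [restrictions...]'. Raises ValueError
    for a restriction that is not in kdc.conf syntax; the caller then drops
    the line, mirroring the 'entry is discarded completely' behaviour."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("need principal and permissions")
    principal, perms, rest = fields[0], fields[1], fields[2:]
    target = rest.pop(0) if rest and rest[0][0] not in "+-" else None
    restrictions = []
    while rest:
        tok = rest.pop(0)
        if tok in ARG_RESTRICTIONS:
            if not rest:
                raise ValueError(f"{tok} needs an argument")
            restrictions.append((tok, rest.pop(0)))
        elif tok == "-clearpolicy":
            restrictions.append((tok, None))
        elif tok[0] in "+-" and tok[1:] in KDC_CONF_FLAGS:
            restrictions.append((tok, None))
        else:
            raise ValueError(f"unparseable restriction {tok!r}")
    return {"principal": principal, "perms": perms, "target": target,
            "restrictions": restrictions}


def load_acl(text):
    """Return (kept_entries, dropped) where dropped is [(line, reason)]."""
    kept, dropped = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            kept.append(parse_acl_line(line))
        except ValueError as err:
            dropped.append((line, str(err)))
    return kept, dropped


def is_allowed(entries, client, op, target=None):
    """First entry whose principal and target both match decides (modelling
    choice); 'x' or '*' in the permission field grants everything."""
    for e in entries:
        caps = match_principal(e["principal"], client)
        if caps is None:
            continue
        if e["target"] is not None:
            if target is None or not match_target(e["target"], target, caps):
                continue
        return op in e["perms"] or "x" in e["perms"] or "*" in e["perms"]
    return False


if __name__ == "__main__":
    entries, dropped = load_acl(SAMPLE_ACL)
    for line, why in dropped:
        print(f"DROPPED: {line!r}: {why}")
    print(is_allowed(entries, "host/db1.test@MYREALM.COM", "m",
                     "foo/db1.test@MYREALM.COM"))
```

Running it shows the `+requires_preauth` line reported as dropped, so an administrator who only checks `kadmin` output would never see that rule take effect; the `*2` line never grants anything under the documented back-reference rule because `host/*` has only one wildcard.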


