An ACL like:
principal * *@REALM
does seem to prevent that principal from actions on host/* principals.
The kadmind man page says:
operation-target
[Optional] may specify a partially or fully qualified
Kerberos version 5 principal name. Each component of
the name may be wildcarded using the asterisk ( * )
character.
I take the "Each component of the name" line to mean that *@REALM is not
the same as */*@REALM, and that seems to be the case (with MIT 1.2.2 at
least).
Jason
Marcio d'Avila Scheibler wrote:
>
> Back to ACL file, the only target (even
> with wildcards) that would work for username@REALM philosophy
> would be *@REALM, right ?? But this target would not
> restrict useradm@REALM actions over host/* principals.
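Added here as an illustration, not code from the thread or from MIT Kerberos: a small Python model of the component-wise target matching the man page excerpt describes, with a constructed kadm5.acl (realm EXAMPLE.COM, principals useradm and hostadm are assumed) showing why `*@REALM` leaves `host/*` principals outside useradm's reach while `*/*@REALM` covers them.

```python
# Illustrative model of kadm5.acl operation-target matching (not MIT's code):
# a target covers a principal only if both have the same number of name
# components and each target component is '*' or equal to the principal's.
from typing import List, Optional, Tuple


def split_principal(name: str) -> Tuple[List[str], str]:
    """'host/kdc@REALM' -> (['host', 'kdc'], 'REALM'); realm may be empty."""
    body, realm = name.rsplit("@", 1) if "@" in name else (name, "")
    return body.split("/"), realm


def target_matches(pattern: str, principal: str) -> bool:
    """Component-wise wildcard match: '*@REALM' does not cover 'host/x@REALM'."""
    p_comps, p_realm = split_principal(pattern)
    n_comps, n_realm = split_principal(principal)
    if p_realm != "*" and p_realm != n_realm:
        return False
    if len(p_comps) != len(n_comps):
        return False
    return all(p == "*" or p == n for p, n in zip(p_comps, n_comps))


def parse_acl(text: str) -> List[Tuple[str, str, Optional[str]]]:
    """Parse 'principal perms [target]' lines; '#' begins a comment."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            entries.append((parts[0], parts[1], parts[2] if len(parts) > 2 else None))
    return entries


def allowed(acl, actor: str, op: str, target: str) -> bool:
    """True if an entry grants 'actor' permission letter 'op' over 'target'
    (only positive permission letters and '*' are modelled)."""
    for who, perms, tgt in acl:
        if not target_matches(who, actor):
            continue
        if perms != "*" and op not in perms:
            continue
        if tgt is None or target_matches(tgt, target):
            return True
    return False


# Constructed sample ACL for the situation discussed in the thread.
SAMPLE_ACL = """
# useradm: single-component (user) principals only
useradm@EXAMPLE.COM * *@EXAMPLE.COM
# hostadm: two-component principals such as host/name@REALM
hostadm@EXAMPLE.COM * */*@EXAMPLE.COM
"""
```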