Update the kadm5.acl example Make the example and documentation a closer match to reality. In particular, the list permission is all-or-nothing; it is not restricted in scope by the target_principal field. Change the table entry to try and indicate this fact, and do not put list permissions on any example line that is scoped by a target_principal pattern. While here, remove the nonsensical granting of global inquire permissions to */* (inaccurately described as "all principals"), and the granting of privileges to foreign-realm principals. It is not possible to obtain an initial ticket (as required by the kadmin service) for a principal in a different realm, and the current kadmind implementation can serve only a single realm at a time -- this permission literally has no effect. Replace it with a (presumably automated) "Service Management System" example, where it might make sense to limit the principals which are automatically created. https://github.com/krb5/krb5/commit/70b2ba4852913ceb2bdc9a57edd487da8230f813 Author: Ben Kaduk Commit: 70b2ba4852913ceb2bdc9a57edd487da8230f813 Branch: master doc/admin/conf_files/kadm5_acl.rst | 34 ++++++++++++++++++---------------- 1 files changed, 18 insertions(+), 16 deletions(-)