Ticket #78 (closed defect: fixed)

Opened 2 years ago

Last modified 2 months ago

overhaul the acl module in the server

Reported by: kcr@… Owned by: kcr@…
Priority: major Milestone: 3.1 release
Component: zephyr.server Version: 3.0.1
Keywords: Cc:
Platform:

Description

It's got a little bit too much krb4 on the brain.

Change History

comment:1 Changed 3 months ago by jhutz@…

ACL matching strategy:

  • Split into principal and realm at the first unescaped at-sign
  • Match principal and realm separately using fnmatch(3)
  • Short-circuit a pattern of '*' for speed
  • Special case: principal pattern '*.*' matches anything

Note that ACL entries of the form foo.*@REALM or *.bar@REALM will require conversion. On the other hand, they already don't do what was intended, so this doesn't seem like a major problem.

Note: The closest thing we have to a "standard" string representation of a Kerberos 5 principal name is the format defined in RFC1964 section 2.1.1 for the Kerberos Principal GSS-API name form. This description, and the distinguished variant described in section 2.1.3, are referenced in other Kerberos-related specifications and are implemented in Kerberos libraries.

The RFC1964 language actually prohibits '/' and ':' in realm names, because it contemplates only domain-style realm names. In fact, these characters are permitted in Kerberos realm names and AFAIK everyone glosses over this constraint, except possibly in the Kerberos 5 GSS-API mechanism itself.
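An added C sketch of the matching strategy described in comment:1 (example code, not Zephyr's own); the 256-byte buffers, denying on oversize input, and passing FNM_NOESCAPE so that a quoted "\@" compares literally are assumptions made here.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* First '@' not preceded by an odd run of backslashes, or NULL if none. */
static const char *find_unescaped_at(const char *s)
{
    int escaped = 0;
    for (; *s != '\0'; s++) {
        if (escaped)      { escaped = 0; continue; }
        if (*s == '\\')   { escaped = 1; continue; }
        if (*s == '@')    return s;
    }
    return NULL;
}

/* Split "princ@REALM" (realm is "" if no '@'); -1 if a part does not fit. */
static int split_name(const char *name, char *princ, size_t plen, char *realm, size_t rlen)
{
    const char *at = find_unescaped_at(name);
    size_t n = at ? (size_t)(at - name) : strlen(name);
    const char *r = at ? at + 1 : "";
    if (n >= plen || strlen(r) >= rlen) return -1;
    memcpy(princ, name, n);
    princ[n] = '\0';
    strcpy(realm, r);
    return 0;
}

/* Return 1 if ACL entry `pattern` matches principal `name`, else 0. */
int acl_entry_matches(const char *pattern, const char *name)
{
    char pp[256], pr[256], np[256], nr[256];
    if (strcmp(pattern, "*") == 0)                  /* short-circuit '*' */
        return 1;
    if (split_name(pattern, pp, sizeof pp, pr, sizeof pr) < 0 ||
        split_name(name, np, sizeof np, nr, sizeof nr) < 0)
        return 0;                                   /* oversize input: deny (assumption) */
    /* Special case: '*.*' matches any principal, even one without a dot. */
    if (strcmp(pp, "*.*") != 0 && fnmatch(pp, np, FNM_NOESCAPE) != 0)
        return 0;
    /* FNM_NOESCAPE (chosen here) keeps a quoted "\@" literal on both sides. */
    return fnmatch(pr, nr, FNM_NOESCAPE) == 0;
}

int main(void)
{
    printf("%d\n", acl_entry_matches("*.*@ATHENA.MIT.EDU", "kcr@ATHENA.MIT.EDU"));
    printf("%d\n", acl_entry_matches("foo.*@ATHENA.MIT.EDU", "foo@ATHENA.MIT.EDU"));
    return 0;
}
```

The second call shows why the old foo.*@REALM form needs conversion: under fnmatch the dot is literal, so it no longer matches foo@REALM.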

comment:2 Changed 3 months ago by kcr@…

  • Owner set to kcr@…
  • Status changed from new to assigned

comment:3 Changed 2 months ago by jhutz@…

  • Status changed from assigned to closed
  • Resolution set to fixed