[19871] in Kerberos_V5_Development
Re: Lines with "=" in krb5.conf
daemon@ATHENA.MIT.EDU (Weijun Wang)
Wed Jan 16 05:18:56 2019
From: Weijun Wang <weijun.wang@oracle.com>
In-Reply-To: <20190116084338.GC24472@tbd.cz.oracle.com>
Date: Wed, 16 Jan 2019 18:18:38 +0800
Message-Id: <EF1AF223-D13E-4317-BD31-995FFAC5D5C5@oracle.com>
To: Alexandr Nedvedicky <alexandr.nedvedicky@oracle.com>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
> On Jan 16, 2019, at 4:43 PM, Alexandr Nedvedicky <alexandr.nedvedicky@oracle.com> wrote:
>
> Hello,
>
> On Wed, Jan 16, 2019 at 12:28:54AM -0500, Greg Hudson wrote:
>> On 1/15/19 9:12 AM, Weijun Wang wrote:
>>> [realms]
>>>     ATHENA.MIT.EDU = {
>>>         auth_to_local = {
>>>             RULE:[2:$1](johndoe)s/^.*$/guest/
>>>             RULE:[2:$1;$2](^.*;admin$)s/;admin$//
>>>             RULE:[2:$2](^.*;root)s/^.*$/root/
>>>             DEFAULT
>>>         }
>>>     }
>>>
>>> Is this legal? I tried it with the latest MIT krb5 and saw a "krb5kdc: Improper format of Kerberos configuration file while initializing krb5" error.
>>>
>>> Or does any other krb5 vendor support this format?
>>
>> I don't think so. MIT krb5 only expects relations (a = b) within a
>> braced subsection, and my read of the Heimdal code is that it does as well.
>
> I believe the snippet pasted by Weijun comes from here:
>
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html
> [ search for auth_to_local ]
On my machine the krb5_conf.html files for krb5-latest and krb5-1.17 are exactly the same.
--Max
>
> However, for the 1.17 version the same paragraph uses the format as follows:
>
> [realms]
>     ATHENA.MIT.EDU = {
>         auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
>         auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
>         auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
>         auth_to_local = DEFAULT
>     }
>
> So it looks like the krb5-latest doc is kind of confusing.
>
> regards
> sasha
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
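
An added example (not part of the thread and not MIT krb5 code): a small Python lint that applies the rule Greg Hudson states above, that only relations (a = b) may appear inside a braced subsection, to the two layouts quoted in the thread. `lint_profile` is a hypothetical helper with a simplified grammar; it ignores quoted values and include semantics and is not the MIT profile parser.

```python
# Constructed inputs: the two auth_to_local layouts quoted in the thread.
BARE_LINES = """\
[realms]
    ATHENA.MIT.EDU = {
        auth_to_local = {
            RULE:[2:$1](johndoe)s/^.*$/guest/
            RULE:[2:$1;$2](^.*;admin$)s/;admin$//
            RULE:[2:$2](^.*;root)s/^.*$/root/
            DEFAULT
        }
    }
"""
RELATIONS = """\
[realms]
    ATHENA.MIT.EDU = {
        auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
        auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
        auth_to_local = DEFAULT
    }
"""

def lint_profile(text):
    """Hypothetical helper: return (line_no, message) findings for a profile."""
    findings, depth = [], 0
    lines = text.splitlines()
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line[0] in "#;[":     # blank, comment, or [section] header
            continue
        if line.split()[0] in ("include", "includedir"):
            continue                         # directives are skipped, not checked
        if line in ("}", "}*"):              # end of a braced subsection
            if depth == 0:
                findings.append((n, "unmatched closing brace"))
            depth = max(depth - 1, 0)
            continue
        name, eq, value = line.partition("=")
        if not eq or not name.strip():
            findings.append((n, "not a relation (expected name = value)"))
        elif value.strip() == "{":
            depth += 1                       # relation opens a braced subsection
    if depth:
        findings.append((len(lines), "unclosed subsection"))
    return findings
```

Running it over a krb5.conf before deployment catches the bare-line layout, which otherwise surfaces only as the "Improper format of Kerberos configuration file" error at daemon start.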