[19872] in Kerberos_V5_Development


Re: Lines with "=" in krb5.conf

daemon@ATHENA.MIT.EDU (Alexandr Nedvedicky)
Wed Jan 16 07:01:47 2019

Date: Wed, 16 Jan 2019 12:55:13 +0100
From: Alexandr Nedvedicky <alexandr.nedvedicky@oracle.com>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20190116115512.GI24472@tbd.cz.oracle.com>
In-Reply-To: <20190116084338.GC24472@tbd.cz.oracle.com>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>

Hello,

Ignore my earlier email. I should ask an optician for glasses.
1.17 and the latest docs are consistent in their description of auth_to_local.
Entirely my fault.

regards
sasha

On Wed, Jan 16, 2019 at 09:43:38AM +0100, Alexandr Nedvedicky wrote:
> Hello,
> 
> On Wed, Jan 16, 2019 at 12:28:54AM -0500, Greg Hudson wrote:
> > On 1/15/19 9:12 AM, Weijun Wang wrote:
> > >          [realms] 
> > >               ATHENA.MIT.EDU = { 
> > >                   auth_to_local = { 
> > >                       RULE:[2:$1](johndoe)s/^.*$/guest/ 
> > >                       RULE:[2:$1;$2](^.*;admin$)s/;admin$// 
> > >                       RULE:[2:$2](^.*;root)s/^.*$/root/ 
> > >                       DEFAULT 
> > >                       } 
> > >                   }
> > > 
> > > Is this legal? I tried it with the latest MIT krb5 and saw a "krb5kdc: Improper format of Kerberos configuration file while initializing krb5" error.
> > > 
> > > Or does any other krb5 vendor support this format?
> > 
> > I don't think so.  MIT krb5 only expects relations (a = b) within a
> > braced subsection, and my read of the Heimdal code is that it does as well.
> 
>     I believe the snippet pasted by Weijun comes from here:
> 
> 	https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html
> 	[ search for auth_to_local ]
> 
>     however, for the 1.17 version the same paragraph uses the format as follows:
> 
> 	[realms]
> 	    ATHENA.MIT.EDU = {
> 		auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
> 		auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
> 		auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
> 		auth_to_local = DEFAULT
> 	    }
> 
>     So it looks like the krb5-latest doc is kind of confusing.

sorry I oversought 
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
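
Added example (not part of the original thread, and not MIT krb5's parser): a small Python check built on the point quoted above, that a braced subsection only holds relations (a = b). It uses a simplified model of the profile syntax, which is an assumption; the function names are hypothetical, and the two inputs are the snippets quoted in the thread.

```python
import re

# Simplified model of krb5.conf syntax (assumption, not MIT krb5's parser):
# inside braces a line must be "name = value", "name = {" or "}".
RELATION = re.compile(r'^([^\s={}\[\]]+)\s*=\s*(.*)$')

# Both inputs are the snippets quoted in the thread.
NESTED = """\
[realms]
    ATHENA.MIT.EDU = {
        auth_to_local = {
            RULE:[2:$1](johndoe)s/^.*$/guest/
            RULE:[2:$1;$2](^.*;admin$)s/;admin$//
            RULE:[2:$2](^.*;root)s/^.*$/root/
            DEFAULT
        }
    }
"""
FLAT = """\
[realms]
    ATHENA.MIT.EDU = {
        auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
        auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
        auth_to_local = DEFAULT
    }
"""

def lint_braced_subsections(text):
    """Return [(line_no, line)] for lines inside braces that are not relations."""
    problems, depth = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in '#;':        # blank line or comment
            continue
        if line.startswith('}'):               # end of a braced subsection
            depth = max(depth - 1, 0)
            continue
        m = RELATION.match(line)
        if m:
            depth += m.group(2) == '{'         # "name = {" opens a subsection
        elif depth > 0:                        # bare value inside braces
            problems.append((no, line))
    return problems

def auth_to_local_values(text):
    """Collect the values of repeated auth_to_local relations, in file order."""
    found = [RELATION.match(l.strip()) for l in text.splitlines()]
    return [m.group(2) for m in found
            if m and m.group(1) == 'auth_to_local' and m.group(2) != '{']
```

Running lint_braced_subsections over a krb5.conf before deploying it flags the bare RULE and DEFAULT lines of the nested form, while the repeated-relation form passes and yields its mapping rules in order.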
