krb5 commit: Remove redundant domain_realm mappings

Benjamin Kaduk kaduk at MIT.EDU
Mon Aug 12 15:34:52 EDT 2013


https://github.com/krb5/krb5/commit/8f5ce824012f2caab6770df464f096c38dc4cb2e
commit 8f5ce824012f2caab6770df464f096c38dc4cb2e
Author: Ben Kaduk <kaduk at mit.edu>
Date:   Mon Aug 12 13:47:42 2013 -0400

    Remove redundant domain_realm mappings
    
    This fixes a long-standing documentation bug where we claimed that
    a domain_realm mapping for a host name would not affect entries
    under that domain name.  The code has always had the behavior where
    a host name mapping implies the corresponding domain name mapping,
    since the 1.0 release.
    
    While here, replace media-lab with csail in example files, as the
    media lab realm is no longer in use.  Also strip port 88 from KDC
    specifications, and drop the harmful default_{tgs,tkt}_enctypes
    lines from src/util/profile/krb5.conf.
    
    Further cleanup on these files to remove defunct realms may be in order.
    
    ticket: 7690 (new)
    tags: pullup
    target_version: 1.11.4

 doc/admin/conf_files/krb5_conf.rst        |   18 +++++++++++-------
 src/config-files/krb5.conf                |    4 +---
 src/util/profile/krb5.conf                |   19 +++++++------------
 src/windows/installer/wix/athena/krb5.ini |    3 ---
 4 files changed, 19 insertions(+), 25 deletions(-)

diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 699628f..4063027 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -467,7 +467,9 @@ The [domain_realm] section provides a translation from a domain name
 or hostname to a Kerberos realm name.  The tag name can be a host name
 or domain name, where domain names are indicated by a prefix of a
 period (``.``).  The value of the relation is the Kerberos realm name
-for that particular host or domain.  The Kerberos realm may be
+for that particular host or domain.  A host name relation implicitly
+provides the corresponding domain name relation, unless an explicit domain
+name relation is provided.  The Kerberos realm may be
 identified either in the realms_ section or using DNS SRV records.
 Host names and domain names should be in lower case.  For example:
 
@@ -475,14 +477,16 @@ Host names and domain names should be in lower case.  For example:
 
     [domain_realm]
         crash.mit.edu = TEST.ATHENA.MIT.EDU
-        .mit.edu = ATHENA.MIT.EDU
+	.dev.mit.edu = TEST.ATHENA.MIT.EDU
         mit.edu = ATHENA.MIT.EDU
 
-maps the host with the exact name ``crash.mit.edu`` into the
-TEST.ATHENA.MIT.EDU realm.  The period prefix in ``.mit.edu`` denotes
-that all systems in the ``mit.edu`` domain belong to
-``ATHENA.MIT.EDU`` realm.  The third entry maps the host ``mit.edu``
-itself to the ``ATHENA.MIT.EDU`` realm.
+maps the host with the name ``crash.mit.edu`` into the
+``TEST.ATHENA.MIT.EDU`` realm.  The second entry maps all hosts under the
+domain ``dev.mit.edu`` into the ``TEST.ATHENA.MIT.EDU`` realm, but not
+the host with the name ``dev.mit.edu``.  That host is matched
+by the third entry, which maps the host ``mit.edu`` and all hosts
+under the domain ``mit.edu`` that do not match a preceding rule
+into the realm ``ATHENA.MIT.EDU``.
 
 If no translation entry applies to a hostname used for a service
 principal for a service ticket request, the library will try to get a
diff --git a/src/config-files/krb5.conf b/src/config-files/krb5.conf
index 210348f..62fbbd6 100644
--- a/src/config-files/krb5.conf
+++ b/src/config-files/krb5.conf
@@ -16,10 +16,8 @@
 	}
 
 [domain_realm]
-	.mit.edu = ATHENA.MIT.EDU
 	mit.edu = ATHENA.MIT.EDU
-	.media.mit.edu = MEDIA-LAB.MIT.EDU
-	media.mit.edu = MEDIA-LAB.MIT.EDU
+	csail.mit.edu = CSAIL.MIT.EDU
 	.ucsc.edu = CATS.UCSC.EDU
 
 [logging]
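Review bot: After `.mit.edu = ATHENA.MIT.EDU` is dropped, this sample config depends on the implicit host-implies-domain rule that the commit documents only in krb5_conf.rst; an administrator who copies the example has no hint that `mit.edu = ATHENA.MIT.EDU` now selects the realm, and therefore the trusted KDCs, for every host under mit.edu. A one-line comment in the file itself would make that visible, e.g. `# a host name mapping also covers all hosts under that domain (see krb5.conf(5), [domain_realm])`, using the `#` comment style the profile files already use. The same applies to the [domain_realm] hunks in src/util/profile/krb5.conf and src/windows/installer/wix/athena/krb5.ini.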
diff --git a/src/util/profile/krb5.conf b/src/util/profile/krb5.conf
index 73f58b9..aefe4ab 100644
--- a/src/util/profile/krb5.conf
+++ b/src/util/profile/krb5.conf
@@ -1,18 +1,15 @@
 [libdefaults]
 	default_realm = ATHENA.MIT.EDU 
-	default_tgs_enctypes = des-cbc-crc
-	default_tkt_enctypes = des-cbc-crc
-	default_keytab_name = FILE:/etc/krb5.keytab
 	kdc_timesync = 1
 	ccache_type = 4
 
 [realms] 
 	ATHENA.MIT.EDU = { 
 #		kdc = kerberos-2000.mit.edu
-		kdc = kerberos.mit.edu:88
-		kdc = kerberos-1.mit.edu:88
-		kdc = kerberos-2.mit.edu:88
-		kdc = kerberos-3.mit.edu:88
+		kdc = kerberos.mit.edu
+		kdc = kerberos-1.mit.edu
+		kdc = kerberos-2.mit.edu
+		kdc = kerberos-3.mit.edu
 		admin_server = kerberos.mit.edu
 		default_domain = mit.edu
 	} 
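Review bot: The hunk also removes `default_keytab_name = FILE:/etc/krb5.keytab`, which the commit description does not mention; it lists only the default_{tgs,tkt}_enctypes lines and the port 88 cleanup. If that value matches the library's compiled-in default the removal is harmless, but the description should say so, since a reader auditing which defaults this example config sets will otherwise assume the keytab location is still pinned here. Dropping the des-cbc-crc enctype defaults is the right direction, as it lets the library's own enctype list apply instead of forcing a weak cipher.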
@@ -26,8 +23,8 @@
 		admin_server = casio.mit.edu
 	}
 	MOOF.MIT.EDU = {
-		kdc = three-headed-dogcow.mit.edu:88
-		kdc = three-headed-dogcow-1.mit.edu:88
+		kdc = three-headed-dogcow.mit.edu
+		kdc = three-headed-dogcow-1.mit.edu
 		admin_server = three-headed-dogcow.mit.edu
 	}
 	CYGNUS.COM = {
@@ -45,10 +42,8 @@
 	}
 
 [domain_realm]
-	.mit.edu = ATHENA.MIT.EDU
 	mit.edu = ATHENA.MIT.EDU
-	.media.mit.edu = MEDIA-LAB.MIT.EDU
-	media.mit.edu = MEDIA-LAB.MIT.EDU
+	csail.mit.edu = CSAIL.MIT.EDU
 
 [login]
 	krb4_convert = true
diff --git a/src/windows/installer/wix/athena/krb5.ini b/src/windows/installer/wix/athena/krb5.ini
index 169f8b1..49b10fd 100644
--- a/src/windows/installer/wix/athena/krb5.ini
+++ b/src/windows/installer/wix/athena/krb5.ini
@@ -3,9 +3,6 @@
 	allow_weak_crypto = true
 
 [domain_realm]
-	.mit.edu = ATHENA.MIT.EDU
 	mit.edu = ATHENA.MIT.EDU
-	.win.mit.edu = WIN.MIT.EDU
 	win.mit.edu = WIN.MIT.EDU
-	.csail.mit.edu = CSAIL.MIT.EDU
 	csail.mit.edu = CSAIL.MIT.EDU
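Review bot: The `allow_weak_crypto = true` line that remains in the context at the top of this hunk re-enables weak (DES-family) enctypes in the config the Windows installer ships, which sits oddly with this commit's stated goal of dropping harmful DES defaults elsewhere. The [libdefaults] section it belongs to begins before the hunk, so the setting is not touched here; if it is still required for legacy MIT services, a comment above it stating why and until when would help, otherwise it should be removed in a follow-up. The [domain_realm] cleanup itself is consistent with the host-implies-domain semantics documented in krb5_conf.rst.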

