krb5 commit [krb5-1.12]: Mention k5login_authoritative in k5login docs
Tom Yu
tlyu at MIT.EDU
Thu Jun 26 16:53:41 EDT 2014
https://github.com/krb5/krb5/commit/b755149d6e220aabdc1b862746082505ad6c982d
commit b755149d6e220aabdc1b862746082505ad6c982d
Author: Ben Kaduk <kaduk at mit.edu>
Date: Thu Mar 13 15:11:49 2014 -0400
Mention k5login_authoritative in k5login docs
In particular, it is set by default. This can lead to confusing
behavior wherein adding a k5login file removes a user's remote
access.
Make an example more concrete to account for this case.
(cherry picked from commit 8cdc21ef051f43ea8dcabf42540d5cff13b5adeb)
ticket: 7876
version_fixed: 1.12.2
status: resolved
doc/user/user_config/k5login.rst | 9 +++++++--
1 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/doc/user/user_config/k5login.rst b/doc/user/user_config/k5login.rst
index 00f5a5a..90e4865 100644
--- a/doc/user/user_config/k5login.rst
+++ b/doc/user/user_config/k5login.rst
@@ -18,7 +18,7 @@ EXAMPLES
--------
Suppose the user ``alice`` had a .k5login file in her home directory
-containing the following line:
+containing just the following line:
::
@@ -26,7 +26,12 @@ containing the following line:
This would allow ``bob`` to use Kerberos network applications, such as
ssh(1), to access ``alice``'s account, using ``bob``'s Kerberos
-tickets.
+tickets. In a default configuration (with **k5login_authoritative** set
+to true in :ref:`krb5.conf(5)`), this .k5login file would not let
+``alice`` use those network applications to access her account, since
+she is not listed! With no .k5login file, or with **k5login_authoritative**
+set to false, a default rule would permit the principal ``alice`` in the
+machine's default realm to access the ``alice`` account.
Let us further suppose that ``alice`` is a system administrator.
Alice and the other system administrators would have their principals
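Review bot: The added sentence ending "since she is not listed!" says that ``alice`` loses access to her own account but stops short of the remedy. Consider adding a sentence stating that ``alice`` must also list her own principal in the .k5login file if she wants to keep that access while granting it to ``bob``. The exclamation mark is informal for reference documentation; a period would match the surrounding text. The wording "would not let ``alice`` use those network applications" could also say "the principal ``alice``", as the last added sentence does, so that the account and the principal are not confused.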