Using a stub krb5.conf with "include"

Greg Hudson ghudson at
Mon Dec 12 15:24:54 EST 2022

On 12/12/22 14:04, John Devitofranceschi wrote:
> % cat mykrb5.conf
> [libdefaults]
> default_ccache_name = FILE:/my_ccache_location/krbcc_%{uid}
> include /etc/krb5.conf

> I cannot find a description of the behaviour of the ‘include’ directive with respect to this kind of thing.

is the documentation we have on the include directive.  Your example 
should work.

> If the system krb5.conf defines default_ccache_name, will my setting take precedence for my application when I set  KRB5_CONFIG=/my_config_location/mykrb5.conf in its environment?

In the profile model, a relation can have one or more values, with the 
order of values determined by the order of appearance.  Some variables 
have a defined meaning for multiple values (like "kdc" in a realm 
section), but most variables, including default_ccache_name, only have 
meaning for a single value.

Unfortunately, different parts of the code are not consistent in how 
they handle multiple values for a single-value variable.  For variables 
handled through libkrb5, like default_ccache_name, the first value is 
used.  So in your example, your default_ccache_name setting would take 
precedence over one defined in the system krb5.conf, because it was read 

Variables handled through libkadm5 instead use the last value.  The 
ancient history here is that the kadmin system was written by a 
different organization than the one that wrote the rest of krb5. 
Changing libkadm5 to be consistent with libkrb5 would have the potential 
to break configurations during upgrades, though it might be worth doing 

The profile library has the concept of marking a section or subsection 
as "final", preventing further amendments to that section.  But that 
concept does not apply to individual relations (although it was 
erroneously documented as applying to them prior to 1.17.1).

More information about the Kerberos mailing list