Using a stub krb5.conf with "include"

Nico Williams nico at cryptonector.com
Fri Feb 24 14:38:03 EST 2023


On Mon, Dec 12, 2022 at 06:47:50PM -0500, Ken Hornstein via Kerberos wrote:
> >The profile library has the concept of marking a section or subsection
> >as "final", preventing further amendments to that section.  But that
> >concept does not apply to individual relations (although it was
> >erroneously documented as applying to them prior to 1.17.1).
> 
> When I looked at the finalization support, I found that it had two
> unexpected features:
> 
> 1) The finalization support only works across files; in other words, if
>    you have KRB5_CONFIG=/etc/file1:/etc/file2, a finalized section in file1
>    suppresses the same section in file2.  But it doesn't work if it's all
>    within file1.
> 
> 2) An include statement in a krb5.conf file does NOT count as a new file for
>    the purposes of finalization.
> 
> If I am wrong about these things, I'd sure love a correction.  Honestly,
> I can't see a reason why a finalized section in a file just doesn't
> suppress further sections, even within the same file.

Hmmm, this could be useful in Heimdal as well.  We should at the very
least not trip up over the finalizer token.

Can we get the semantics nailed down?

Nico
-- 
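
The two behaviours reported in the quoted message suggest a pre-deployment check for stub configurations. The following is an added example, not part of the original thread and not code from MIT krb5 or Heimdal. It flags every place where a section marked final with `*` is reopened later within the same `KRB5_CONFIG` entry, either directly or through `include`, since per the report above the marker would not suppress those. The function names, file paths and file contents are constructed for illustration, and `includedir` and final subsections are not handled.

```python
import re

SECTION = re.compile(r"^\[([^\]]+)\](\*)?$")   # [name] or [name]* (final)
INCLUDE = re.compile(r"^include\s+(\S+)$")

# Constructed sample input: file contents keyed by path, so the check runs offline.
FILES = {
    "/etc/krb5.conf": "\n".join([
        "[libdefaults]*",
        "    default_realm = EXAMPLE.COM",
        "include /etc/krb5.conf.d/site.conf",
        "[realms]",
        "    EXAMPLE.COM = {",
        "        kdc = kdc.example.com",
        "    }",
        "[libdefaults]",
        "    dns_lookup_kdc = true",
    ]),
    "/etc/krb5.conf.d/site.conf": "\n".join([
        "[libdefaults]",
        "    default_realm = OTHER.EXAMPLE",
    ]),
}

def section_headers(name, files, seen=None):
    """Yield (section, is_final, file, lineno) in parse order, inlining includes."""
    seen = (seen or set()) | {name}          # guards against include cycles
    for lineno, raw in enumerate(files[name].splitlines(), 1):
        line = raw.strip()
        inc = INCLUDE.match(line)
        if inc:
            if inc.group(1) in files and inc.group(1) not in seen:
                yield from section_headers(inc.group(1), files, seen)
            continue
        sec = SECTION.match(line)
        if sec:
            yield sec.group(1), bool(sec.group(2)), name, lineno

def unprotected_reopens(top, files):
    """List (section, final_location, reopen_location) within one KRB5_CONFIG entry."""
    final_at, findings = {}, []
    for sec, is_final, fname, lineno in section_headers(top, files):
        if sec in final_at:
            findings.append((sec, final_at[sec], (fname, lineno)))
        elif is_final:
            final_at[sec] = (fname, lineno)
    return findings
```

Each finding is a spot where an administrator might assume the stub's final section wins but, by the report in this thread, later relations would still be merged.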

