(Final?) krb5.conf Lexer/Parser Proposal

Theodore Ts'o tytso at MIT.EDU
Mon Jan 9 09:10:25 EST 2006

On Sat, Jan 07, 2006 at 09:57:34PM -0500, Jeffrey Altman wrote:
> The discussion as it has progressed makes the assumption that a "profile
> editor" is one that displays the entire profile to the end user.  This
> is certainly not how the profile data is modified in the existing tools
> such as the KFW 2.6 Leash32.exe.  In these tools, a subset of the
> profile data is displayed to the user perhaps in a combo box or an
> edit field.
> When there are multiple configuration files chained there is no
> expectation that the user is allowed to edit any of the files other than
> the first one.

Yes, but you still don't and can't know how to effect certain changes,
because you still don't know which file various relations or
sections might come from.  For example, if you want to delete a kdc,
and it is in the first profile file, then it's easy --- you just
delete the relation.  But if it isn't, you have to replicate the realm
information, slap the finalizer on it, and then remove the first KDC
--- but there's no way to know that using the current API.

> Think of the behavior that both Danilo and I described earlier in the
> thread when the Windows registry is being used.   The combination of
> user hive, local machine hive, and executable resource is equivalent
> to three profile files.  When the user wants to make a change to a
> value the only place where changes are ever made is to the user hive.
> It doesn't matter whether the modification is an addition, a change
> or a deletion.  All changes are written to the one location the user
> is expected to have write permission to.
> When there are multiple profiles in use I believe that normal end
> users expect that the only location they are going to be able to
> make changes to is a configuration file located in their home directory
> and that this file is going to be the first file listed in the profile
> chain.

If you're the system administrator, you would also expect you could
make changes to the local machine hive, yes?  And yet the current
profile API would have no way of doing that.....

							- Ted
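
The two deletion cases described in the message above, as an added example that is not part of the original post and is not the MIT profile library's code. It is a simplified Python model that assumes values are collected across the chained files in order and that a realm marked final stops the search; the function names, realm and host names are constructed for illustration.

```python
# Simplified model of a chained profile; NOT the MIT profile library.
# Each file maps realm -> {"final": bool, "kdc": [hosts]}.
# Assumed merge rule: values are gathered from every file in chain order,
# and a realm marked final hides the same realm in all later files.

def sample_chain():
    """Constructed sample data: [user file, system file]."""
    user = {"EXAMPLE.COM": {"final": False, "kdc": ["kdc-a.example.com"]}}
    system = {"EXAMPLE.COM": {"final": False,
                              "kdc": ["kdc-b.example.com", "kdc-c.example.com"]}}
    return [user, system]

def effective_kdcs(chain, realm):
    """KDC list a lookup would see for `realm` across the whole chain."""
    seen = []
    for profile in chain:
        section = profile.get(realm)
        if section is None:
            continue
        seen.extend(section["kdc"])
        if section["final"]:
            break
    return seen

def origin_of(chain, realm, kdc):
    """Index of the first file supplying `kdc`, or None. This is the
    per-file origin the message says the current API cannot report."""
    for i, profile in enumerate(chain):
        if kdc in profile.get(realm, {}).get("kdc", []):
            return i
    return None

def delete_kdc(chain, realm, kdc):
    """Remove `kdc` from the effective view by editing only chain[0]."""
    merged = effective_kdcs(chain, realm)
    if kdc not in merged:
        return "absent"
    user = chain[0]
    own = user.get(realm)
    masked = own is not None and own["final"]
    if masked or origin_of(chain[1:], realm, kdc) is None:
        # Easy case: the value lives only in the first file.
        own["kdc"] = [k for k in own["kdc"] if k != kdc]
        return "relation deleted"
    # Hard case: replicate the realm, mark it final, drop the KDC.
    user[realm] = {"final": True, "kdc": [k for k in merged if k != kdc]}
    return "realm replicated and finalized"

if __name__ == "__main__":
    chain = sample_chain()
    print(delete_kdc(chain, "EXAMPLE.COM", "kdc-b.example.com"), chain[0])
```

Choosing between the two branches depends on `origin_of`, which is exactly the per-file information the message says an editor cannot obtain today.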
