Lines with "=" in krb5.conf

Alexandr Nedvedicky alexandr.nedvedicky at oracle.com
Wed Jan 16 03:43:38 EST 2019


Hello,

On Wed, Jan 16, 2019 at 12:28:54AM -0500, Greg Hudson wrote:
> On 1/15/19 9:12 AM, Weijun Wang wrote:
> >          [realms] 
> >               ATHENA.MIT.EDU = { 
> >                   auth_to_local = { 
> >                       RULE:[2:$1](johndoe)s/^.*$/guest/ 
> >                       RULE:[2:$1;$2](^.*;admin$)s/;admin$// 
> >                       RULE:[2:$2](^.*;root)s/^.*$/root/ 
> >                       DEFAULT 
> >                       } 
> >                   }
> > 
> > Is this legal? I tried it with the latest MIT krb5 and saw a "krb5kdc: Improper format of Kerberos configuration file while initializing krb5" error.
> > 
> > Or does any other krb5 vendor support this format?
> 
> I don't think so.  MIT krb5 only expects relations (a = b) within a
> braced subsection, and my read of the Heimdal code is that it does as well.

    I believe the snippet pasted by Weijun comes from here:

	https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html
	[ search for auth_to_local ]

    however, for the 1.17 version the same paragraph uses the following format:

	[realms]
	    ATHENA.MIT.EDU = {
		auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
		auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
		auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
		auth_to_local = DEFAULT
	    }

    So it looks like the krb5-latest doc is kind of confusing.

regards
sasha
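
Added example, not part of the original message and not MIT krb5's own parser: a simplified lint for the rule Greg states (a braced subsection may contain only `a = b` relations), run over the two forms quoted in this thread. The name `lint_profile` and the comment handling are assumptions made for illustration.

```python
import re

# Constructed inputs: the two krb5.conf forms quoted in the message above.
NESTED = """[realms]
    ATHENA.MIT.EDU = {
        auth_to_local = {
            RULE:[2:$1](johndoe)s/^.*$/guest/
            RULE:[2:$1;$2](^.*;admin$)s/;admin$//
            RULE:[2:$2](^.*;root)s/^.*$/root/
            DEFAULT
        }
    }
"""
REPEATED = """[realms]
    ATHENA.MIT.EDU = {
        auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
        auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
        auth_to_local = DEFAULT
    }
"""

def lint_profile(text):
    """Simplified lint: return (errors, ordered auth_to_local values per realm)."""
    errors, rules, stack, section = [], {}, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if not stack and (m := re.fullmatch(r"\[(\w+)\]", line)):
            section = m.group(1)                 # top-level section header
        elif line == "}":
            if stack:
                stack.pop()
            else:
                errors.append((n, "unmatched '}'"))
        elif "=" not in line:                    # bare value inside a subsection
            errors.append((n, "not a relation (a = b): " + line))
        else:
            # Split on the first '=' only, so the rule text is kept whole.
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                stack.append(key)                # open a braced subsection
            elif section == "realms" and len(stack) == 1 and key == "auth_to_local":
                rules.setdefault(stack[0], []).append(value)
    errors += [(0, "unclosed subsection: " + k) for k in stack]
    return errors, rules
```

The nested form produces one error per bare rule line, while the repeated-relation form yields the four `auth_to_local` values in file order, which matters because the rules are order-sensitive.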

