Lines with "=" in krb5.conf

Weijun Wang weijun.wang at oracle.com
Wed Jan 16 05:18:38 EST 2019



> On Jan 16, 2019, at 4:43 PM, Alexandr Nedvedicky <alexandr.nedvedicky at oracle.com> wrote:
> 
> Hello,
> 
> On Wed, Jan 16, 2019 at 12:28:54AM -0500, Greg Hudson wrote:
>> On 1/15/19 9:12 AM, Weijun Wang wrote:
>>>       [realms]
>>>            ATHENA.MIT.EDU = {
>>>                auth_to_local = {
>>>                    RULE:[2:$1](johndoe)s/^.*$/guest/
>>>                    RULE:[2:$1;$2](^.*;admin$)s/;admin$//
>>>                    RULE:[2:$2](^.*;root)s/^.*$/root/
>>>                    DEFAULT
>>>                    }
>>>                }
>>> 
>>> Is this legal? I tried it with the latest MIT krb5 and saw a "krb5kdc: Improper format of Kerberos configuration file while initializing krb5" error.
>>> 
>>> Or does any other krb5 vendor support this format?
>> 
>> I don't think so.  MIT krb5 only expects relations (a = b) within a
>> braced subsection, and my read of the Heimdal code is that it does as well.
> 
>  I believe the snippet pasted by Weijun comes from here:
> 
> 	https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html
> 	[ search for auth_to_local ]

On my machine the krb5_conf.html files for krb5-latest and krb5-1.17 are exactly the same.

--Max

> 
>  However, for the 1.17 version the same paragraph uses the following format:
> 
> 	[realms]
> 	    ATHENA.MIT.EDU = {
> 		auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
> 		auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
> 		auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
> 		auth_to_local = DEFAULT
> 	    }
> 
>  So it looks like the krb5-latest doc is kind of confusing.
> 
> regards
> sasha
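A simplified model of the profile grammar Greg describes (inside a braced subsection only `a = b` relations and a closing `}` are accepted), added here as an example and not MIT krb5's own parser: it rejects the bare-token layout from the krb5-latest page with an "Improper format" error at the offending line, and accepts the 1.17 layout, collecting the repeated `auth_to_local` relations in order. Both sample profiles are constructed from the snippets in this thread.

```python
import re
# Constructed samples: the krb5-latest doc's layout (bare tokens inside a braced
# block) and the 1.17 doc's layout (one 'auth_to_local = ...' relation per rule).
BARE_FORM = """[realms]
    ATHENA.MIT.EDU = {
        auth_to_local = {
            RULE:[2:$1](johndoe)s/^.*$/guest/
            DEFAULT
        }
    }
"""
RELATION_FORM = """[realms]
    ATHENA.MIT.EDU = {
        auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
        auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
        auth_to_local = DEFAULT
    }
"""
class ImproperFormat(ValueError):
    """Raised where krb5 would report 'Improper format of Kerberos configuration file'."""
_SECTION = re.compile(r"^\[([^\]]+)\]$")
_RELATION = re.compile(r"^([^=\s]+)\s*=\s*(.+)$")
def parse_profile(text):
    """Return {section: {key: [values]}}; a subsection is a nested dict, repeated keys stack in order."""
    root, section, stack = {}, None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = _SECTION.match(line)
        if m and not stack:                      # '[name]' starts a top-level section
            section = root.setdefault(m.group(1), {})
            continue
        if line == "}" and stack:                # closes the innermost subsection
            stack.pop()
            continue
        m = _RELATION.match(line)
        if section is None or not m:             # inside braces only 'a = b' or '}' is legal
            raise ImproperFormat(f"line {lineno}: expected relation, got {line!r}")
        key, value = m.groups()
        target = stack[-1] if stack else section
        if value == "{":                         # 'key = {' opens a subsection
            value = {}
            stack.append(value)
        target.setdefault(key, []).append(value)
    if stack:
        raise ImproperFormat("unterminated subsection")
    return root
```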