Lines with "=" in krb5.conf
Alexandr Nedvedicky
alexandr.nedvedicky at oracle.com
Wed Jan 16 06:55:13 EST 2019
Hello,
ignore my earlier email. I should ask an optician for glasses.
The 1.17 and latest docs are consistent in their description of auth_to_local.
Entirely my fault.
regards
sasha
On Wed, Jan 16, 2019 at 09:43:38AM +0100, Alexandr Nedvedicky wrote:
> Hello,
>
> On Wed, Jan 16, 2019 at 12:28:54AM -0500, Greg Hudson wrote:
> > On 1/15/19 9:12 AM, Weijun Wang wrote:
> > > [realms]
> > >     ATHENA.MIT.EDU = {
> > >         auth_to_local = {
> > >             RULE:[2:$1](johndoe)s/^.*$/guest/
> > >             RULE:[2:$1;$2](^.*;admin$)s/;admin$//
> > >             RULE:[2:$2](^.*;root)s/^.*$/root/
> > >             DEFAULT
> > >         }
> > >     }
> > >
> > > Is this legal? I tried it with the latest MIT krb5 and saw a "krb5kdc: Improper format of Kerberos configuration file while initializing krb5" error.
> > >
> > > Or does any other krb5 vendor support this format?
> >
> > I don't think so. MIT krb5 only expects relations (a = b) within a
> > braced subsection, and my read of the Heimdal code is that it does as well.
>
> I believe the snippet pasted by Weijun comes from here:
>
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html
> [ search for auth_to_local ]
>
> However, for the 1.17 version the same paragraph uses the format as follows:
>
> [realms]
>     ATHENA.MIT.EDU = {
>         auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
>         auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
>         auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
>         auth_to_local = DEFAULT
>     }
>
> So it looks like the krb5-latest doc is kind of confusing.
Sorry, I overlooked it.
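
Added example, not part of the thread and not MIT krb5 code: a simplified line-based check of the rule Greg Hudson states (only relations of the form a = b inside a braced subsection), run over the two auth_to_local layouts quoted above. The function name `lint_profile` and the sample constants are hypothetical; include directives and other profile features are ignored.

```python
import re

# Simplified check (an assumption of this example, not the MIT krb5 profile
# parser): apart from section headers, comments and closing braces, every
# line must be a relation "name = value" or a subsection opener "name = {".
RELATION = re.compile(r"^([^=\s][^=]*?)\s*=\s*(.*)$")

# Sample inputs constructed from the two snippets quoted in the thread.
BRACED_LIST = """\
[realms]
ATHENA.MIT.EDU = {
    auth_to_local = {
        RULE:[2:$1](johndoe)s/^.*$/guest/
        RULE:[2:$1;$2](^.*;admin$)s/;admin$//
        RULE:[2:$2](^.*;root)s/^.*$/root/
        DEFAULT
    }
}
"""
REPEATED_RELATION = """\
[realms]
ATHENA.MIT.EDU = {
    auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
    auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
    auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
    auth_to_local = DEFAULT
}
"""

def lint_profile(text):
    """Return (line_number, message) pairs for lines that break the rule."""
    problems, depth = [], 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            continue                      # section header such as [realms]
        if line.startswith("}"):
            depth = max(depth - 1, 0)     # closes the current subsection
            continue
        match = RELATION.match(line)
        if match is None:
            problems.append((lineno, "not a relation (a = b): " + line))
        elif match.group(2) == "{":
            depth += 1                    # "name = {" opens a subsection
    if depth:
        problems.append((len(text.splitlines()), "unclosed brace"))
    return problems
```

Running `lint_profile(BRACED_LIST)` reports the three RULE lines and DEFAULT, while `lint_profile(REPEATED_RELATION)` reports nothing.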