[39161] in Kerberos


Re: Using a stub krb5.conf with "include"

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Dec 12 15:30:18 2022

Message-ID: <9722a777-4a57-b242-0994-6eaa589fa1e6@mit.edu>
Date: Mon, 12 Dec 2022 15:24:54 -0500
MIME-Version: 1.0
Content-Language: en-US
To: John Devitofranceschi <foonon@gmail.com>, Kerberos@mit.edu
From: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <7A33183F-5391-4ADC-BDE3-7CC3C1EB7F91@gmail.com>
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

On 12/12/22 14:04, John Devitofranceschi wrote:
> % cat mykrb5.conf
> [libdefaults]
> default_ccache_name = FILE:/my_ccache_location/krbcc_%{uid}
> 
> include /etc/krb5.conf

> I cannot find a description of the behaviour of the ‘include’ directive with respect to this kind of thing.

https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#structure

is the documentation we have on the include directive.  Your example 
should work.

> If the system krb5.conf defines default_ccache_name, will my setting take precedence for my application when I set KRB5_CONFIG=/my_config_location/mykrb5.conf in its environment?

In the profile model, a relation can have one or more values, with the 
order of values determined by the order of appearance.  Some variables 
have a defined meaning for multiple values (like "kdc" in a realm 
section), but most variables, including default_ccache_name, only have 
meaning for a single value.

Unfortunately, different parts of the code are not consistent in how 
they handle multiple values for a single-value variable.  For variables 
handled through libkrb5, like default_ccache_name, the first value is 
used.  So in your example, your default_ccache_name setting would take 
precedence over one defined in the system krb5.conf, because it was read 
first.

Variables handled through libkadm5 instead use the last value.  The 
ancient history here is that the kadmin system was written by a 
different organization than the one that wrote the rest of krb5. 
Changing libkadm5 to be consistent with libkrb5 would have the potential 
to break configurations during upgrades, though it might be worth doing 
anyway.

The profile library has the concept of marking a section or subsection 
as "final", preventing further amendments to that section.  But that 
concept does not apply to individual relations (although it was 
erroneously documented as applying to them prior to 1.17.1).
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
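A small model of the profile merging described in the reply, added here as an illustration; it is not part of the thread and not MIT krb5's own profile library. It parses a stub krb5.conf that `include`s a constructed stand-in for the system file (both written to a temp directory, since the real paths from the thread are not available), records every value of each relation in order of appearance, and then looks the same relation up with "first value wins" (the libkrb5 behaviour) and "last value wins" (the libkadm5 behaviour). The section/relation names and the sample values are constructed; subsections are flattened to a dotted key only to keep the model short.

```python
"""Simplified krb5.conf profile model (added example, not MIT krb5 code).

Handles [section] headers, `name = value` relations, `name = {` ... `}`
subsections (flattened to 'SUB.name' keys), and a top-level `include PATH`
directive.  Every value is kept in order of appearance across includes,
which is the ordering the profile model uses for multi-valued relations.
"""
import os
import re
import tempfile
from collections import defaultdict

# Constructed sample standing in for /my_config_location/mykrb5.conf.
STUB_CONF = """[libdefaults]
default_ccache_name = FILE:/my_ccache_location/krbcc_%{uid}

include @SYSTEM_CONF@
"""

# Constructed sample standing in for the system /etc/krb5.conf, which also
# sets default_ccache_name and has a multi-valued "kdc" relation.
SYSTEM_CONF = """[libdefaults]
default_realm = EXAMPLE.COM
default_ccache_name = KEYRING:persistent:%{uid}

[realms]
EXAMPLE.COM = {
    kdc = kdc1.example.com
    kdc = kdc2.example.com
}
"""


def parse_profile(path, profile=None, depth=0):
    """Parse a krb5.conf-style file into {section: {name: [value, ...]}}.

    Included files are parsed as syntactically independent units (they must
    start with their own section header), and their values are appended to
    the same profile after whatever was read before the include line.
    """
    if profile is None:
        profile = defaultdict(lambda: defaultdict(list))
    if depth > 8:  # guard against an include loop in a mis-edited config
        raise RecursionError("include nesting too deep")
    section, prefix = None, []
    with open(path) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            if line.startswith("include "):
                parse_profile(line.split(None, 1)[1].strip(), profile, depth + 1)
                continue
            m = re.match(r"\[(\w+)\]$", line)
            if m:
                section, prefix = m.group(1), []
                continue
            if line == "}":
                prefix.pop()
                continue
            m = re.match(r"(\S+)\s*=\s*(.*)$", line)
            if m and section is not None:
                name, value = m.group(1), m.group(2)
                if value == "{":
                    prefix.append(name)  # entering a subsection
                    continue
                profile[section][".".join(prefix + [name])].append(value)
    return profile


def all_values(profile, section, name):
    """Every value of a relation, in order of appearance (e.g. the kdc list)."""
    return list(profile.get(section, {}).get(name, []))


def first_value(profile, section, name):
    """libkrb5 model for single-value variables: the first value read wins."""
    values = all_values(profile, section, name)
    return values[0] if values else None


def last_value(profile, section, name):
    """libkadm5 model for single-value variables: the last value read wins."""
    values = all_values(profile, section, name)
    return values[-1] if values else None


def build_sample_profile():
    """Write the constructed files to a temp dir and parse the stub config."""
    tmp = tempfile.mkdtemp()
    system_path = os.path.join(tmp, "krb5.conf")
    stub_path = os.path.join(tmp, "mykrb5.conf")
    with open(system_path, "w") as fh:
        fh.write(SYSTEM_CONF)
    with open(stub_path, "w") as fh:
        fh.write(STUB_CONF.replace("@SYSTEM_CONF@", system_path))
    return parse_profile(stub_path)


if __name__ == "__main__":
    p = build_sample_profile()
    print("libkrb5  (first):", first_value(p, "libdefaults", "default_ccache_name"))
    print("libkadm5 (last): ", last_value(p, "libdefaults", "default_ccache_name"))
    print("kdc list:        ", all_values(p, "realms", "EXAMPLE.COM.kdc"))
```

Running it shows the point of the reply: the stub's default_ccache_name is returned under the first-value rule because it was read before the include, while the last-value rule would return the system file's setting, so the same KRB5_CONFIG stub gives different answers to the two libraries. The "kdc" relation keeps both values, which is why multi-valued variables are unaffected by the inconsistency.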