[39184] in Kerberos


Re: Using a stub krb5.conf with "include"

daemon@ATHENA.MIT.EDU (Nico Williams)
Fri Feb 24 14:43:07 2023

Date: Fri, 24 Feb 2023 13:38:03 -0600
From: Nico Williams <nico@cryptonector.com>
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Cc: Kerberos@mit.edu
Message-ID: <Y/kSGxODk64xQXXC@gmail.com>
In-Reply-To: <202212122347.2BCNlpIN026623@hedwig.cmf.nrl.navy.mil>

On Mon, Dec 12, 2022 at 06:47:50PM -0500, Ken Hornstein via Kerberos wrote:
> >The profile library has the concept of marking a section or subsection
> >as "final", preventing further amendments to that section.  But that
> >concept does not apply to individual relations (although it was
> >erroneously documented as applying to them prior to 1.17.1).
> 
> When I looked at the finalization support, I found that it had two
> unexpected features:
> 
> 1) The finalization support only works across files; in other words, if
>    you have KRB5_CONFIG=/etc/file1:/etc/file2, a finalized section in file1
>    suppresses the same section in file2.  But it doesn't work if it's all
>    within file1.
> 
> 2) An include statement in a krb5.conf file does NOT count as a new file for
>    the purposes of finalization.
> 
> If I am wrong about these things, I'd sure love a correction.  Honestly,
> I can't see a reason why a finalized section in a file just doesn't
> suppress further sections, even within the same file.

Hmmm, this could be useful in Heimdal as well.  We should at the very
least not trip up over the finalizer token.

Can we get the semantics nailed down?

Nico
-- 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
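
An added example, not part of the original message and not code from MIT krb5 or Heimdal: a small Python lint that walks a KRB5_CONFIG list, expands `include` directives, and classifies every later header for a section marked final with `*`, so the same-file and include cases raised in the quoted message can be located in a deployment. The file names and contents are constructed, the function names are hypothetical, and only top-level `[section]` headers are handled (no subsections, no `includedir`).

```python
import re

SECTION = re.compile(r"^\[([^\]]+)\](\*?)\s*$")   # "[name]" or final "[name]*"
INCLUDE = re.compile(r"^include\s+(\S+)\s*$")

# Constructed sample configuration (file names and values are illustrative).
FILES = {
    "/etc/file1": "[libdefaults]*\n default_realm = EXAMPLE.COM\n"
                  "include /etc/site.conf\n"
                  "[libdefaults]\n default_realm = OTHER.EXAMPLE\n",
    "/etc/site.conf": "[libdefaults]\n dns_lookup_kdc = true\n",
    "/etc/file2": "[libdefaults]\n default_realm = THIRD.EXAMPLE\n",
}

def section_headers(path, files, top=None, seen=()):
    """Yield (section, is_final, top_level_file, physical_file, lineno),
    expanding 'include' directives at the point where they appear."""
    top = top or path
    if path in seen:                      # guard against include loops
        return
    for lineno, raw in enumerate(files.get(path, "").splitlines(), 1):
        line = raw.strip()
        if m := INCLUDE.match(line):
            yield from section_headers(m.group(1), files, top, seen + (path,))
        elif m := SECTION.match(line):
            yield m.group(1), bool(m.group(2)), top, path, lineno

def final_redefinitions(krb5_config, files):
    """For each section marked final, list later headers for the same section
    and how each one relates to the file that finalized it."""
    headers = [h for p in krb5_config.split(":")
               for h in section_headers(p, files)]
    findings = []
    for i, (name, final, top, phys, line) in enumerate(headers):
        if not final:
            continue
        for name2, _, top2, phys2, line2 in headers[i + 1:]:
            if name2 != name:
                continue
            if top2 != top:
                kind = "later-file"       # separate KRB5_CONFIG entry
            elif phys2 != phys:
                kind = "via-include"      # pulled in by an include directive
            else:
                kind = "same-file"        # repeated in the finalizing file
            findings.append((name, f"{phys}:{line}", f"{phys2}:{line2}", kind))
    return findings
```

Going by the observations in the quoted message, `later-file` entries are the ones the final marker suppresses, while `via-include` and `same-file` entries are the ones to review by hand.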
