• Using a stub krb5.conf with "include"

    From John Devitofranceschi@21:1/5 to All on Mon Dec 12 14:04:40 2022
    Greetings!

    I would like to create an application specific krb5.conf where I can override some system-wide settings while still taking advantage of the rest.

    As an example would something like this work if I wanted to define my own ccache location and name format?

    % cat mykrb5.conf
    [libdefaults]
    default_ccache_name = FILE:/my_ccache_location/krbcc_%{uid}

    include /etc/krb5.conf
    EOF


    I cannot find a description of the behaviour of the ‘include’ directive with respect to this kind of thing.

    If the system krb5.conf defines default_ccache_name, will my setting take precedence for my application when I set KRB5_CONFIG=/my_config_location/mykrb5.conf in its environment?

    Or, would I be better off using KRB5_CONFIG=/my_config_location/mykrb5.conf:/etc/krb5.conf and avoiding the use of the include directive?

    Thanks in advance for any pointers, advice, or corrections,

    jd




    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Greg Hudson@21:1/5 to John Devitofranceschi on Mon Dec 12 15:24:54 2022
    To: Kerberos@mit.edu

    On 12/12/22 14:04, John Devitofranceschi wrote:
    > % cat mykrb5.conf
    > [libdefaults]
    > default_ccache_name = FILE:/my_ccache_location/krbcc_%{uid}
    >
    > include /etc/krb5.conf
    >
    > I cannot find a description of the behaviour of the ‘include’ directive with respect to this kind of thing.

    https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#structure

    is the documentation we have on the include directive. Your example
    should work.

    > If the system krb5.conf defines default_ccache_name, will my setting take precedence for my application when I set KRB5_CONFIG=/my_config_location/mykrb5.conf in its environment?

    In the profile model, a relation can have one or more values, with the
    order of values determined by the order of appearance. Some variables
    have a defined meaning for multiple values (like "kdc" in a realm
    section), but most variables, including default_ccache_name, only have
    meaning for a single value.

    Unfortunately, different parts of the code are not consistent in how
    they handle multiple values for a single-value variable. For variables
    handled through libkrb5, like default_ccache_name, the first value is
    used. So in your example, your default_ccache_name setting would take
    precedence over one defined in the system krb5.conf, because it was read
    first.

    Variables handled through libkadm5 instead use the last value. The
    ancient history here is that the kadmin system was written by a
    different organization than the one that wrote the rest of krb5.
    Changing libkadm5 to be consistent with libkrb5 would have the potential
    to break configurations during upgrades, though it might be worth doing
    anyway.

    The profile library has the concept of marking a section or subsection
    as "final", preventing further amendments to that section. But that
    concept does not apply to individual relations (although it was
    erroneously documented as applying to them prior to 1.17.1).

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
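The first-value versus last-value behaviour described in the reply above can be checked against a stub before deploying it. The following is an added example, not part of the thread and not MIT krb5 code: a simplified Python model of reading a stub that uses `include`. The contents of `/etc/krb5.conf` are constructed sample data, and the function names are hypothetical.

```python
# Simplified model of profile reading; this is not MIT krb5's parser.
# It ignores subsections ({ }), includedir, "module" and "final" (*) markers.

# Constructed sample files, keyed by path, so the example runs offline.
FILES = {
    "/my_config_location/mykrb5.conf": (
        "[libdefaults]\n"
        "default_ccache_name = FILE:/my_ccache_location/krbcc_%{uid}\n"
        "\n"
        "include /etc/krb5.conf\n"
    ),
    "/etc/krb5.conf": (
        "[libdefaults]\n"
        "default_realm = EXAMPLE.COM\n"
        "default_ccache_name = KEYRING:persistent:%{uid}\n"
    ),
}


def load_relations(path, files, relations=None, depth=0):
    """Return {(section, name): [values in order of appearance]}."""
    if depth > 10:
        raise ValueError("include nesting too deep (possible include loop)")
    relations = {} if relations is None else relations
    section = None  # each file starts with no current section
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("include "):
            # Included text is read at the point of the directive.
            load_relations(line.split(None, 1)[1], files, relations, depth + 1)
        elif line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section is not None:
            name, value = (part.strip() for part in line.split("=", 1))
            relations.setdefault((section, name), []).append(value)
    return relations


def first_value(relations, section, name):
    """Resolution the thread describes for variables read through libkrb5."""
    return relations[(section, name)][0]


def last_value(relations, section, name):
    """Resolution the thread describes for variables read through libkadm5."""
    return relations[(section, name)][-1]


def ambiguous(relations):
    """Relations with differing values, where the two rules above disagree."""
    return sorted(k for k, v in relations.items() if len(set(v)) > 1)
```

Running `ambiguous()` over a stub and the file it includes lists every setting whose effective value depends on which library reads it, which is the check to make before relying on an override of the credential cache location.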
  • From John Devitofranceschi@21:1/5 to Greg Hudson on Mon Dec 12 16:21:01 2022
    Copy: Kerberos@mit.edu

    On Dec 12, 2022, at 3:24 PM, Greg Hudson <ghudson@MIT.EDU> wrote:

    > On 12/12/22 14:04, John Devitofranceschi wrote:
    >> % cat mykrb5.conf
    >> [libdefaults]
    >> default_ccache_name = FILE:/my_ccache_location/krbcc_%{uid}
    >> include /etc/krb5.conf
    >>
    >> I cannot find a description of the behaviour of the ‘include’ directive with respect to this kind of thing.
    >
    > https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html#structure
    >
    > is the documentation we have on the include directive. Your example should work.

    Yeah, I read that. It doesn’t really address the precedence question though, does it? Thanks for the confirmation!

    > In the profile model, a relation can have one or more values, with the order of values determined by the order of appearance. Some variables have a defined meaning for multiple values (like "kdc" in a realm section), but most variables, including default_ccache_name, only have meaning for a single value.
    >
    > Unfortunately, different parts of the code are not consistent in how they handle multiple values for a single-value variable. For variables handled through libkrb5, like default_ccache_name, the first value is used. So in your example, your default_ccache_name setting would take precedence over one defined in the system krb5.conf, because it was read first.


    I did come to this conclusion through experimentation (at least for my particular use-cases).

    Thanks again,

    jd



  • From Ken Hornstein@21:1/5 to All on Mon Dec 12 18:47:50 2022
    > The profile library has the concept of marking a section or subsection
    > as "final", preventing further amendments to that section. But that
    > concept does not apply to individual relations (although it was
    > erroneously documented as applying to them prior to 1.17.1).

    When I looked at the finalization support, I found that it had two
    unexpected features:

    1) The finalization support only works across files; in other words, if
    you have KRB5_CONFIG=/etc/file1:/etc/file2, a finalized section in file1
    suppresses the same section in file2. But it doesn't work if it's all
    within file1.

    2) An include statement in a krb5.conf file does NOT count as a new file for
    the purposes of finalization.

    If I am wrong about these things, I'd sure love a correction. Honestly,
    I can't see a reason why a finalized section in a file just doesn't
    suppress further sections, even within the same file.

    --Ken

  • From Nico Williams@21:1/5 to Ken Hornstein on Fri Feb 24 13:38:03 2023
    Copy: Kerberos@mit.edu

    On Mon, Dec 12, 2022 at 06:47:50PM -0500, Ken Hornstein via Kerberos wrote:
    >> The profile library has the concept of marking a section or subsection
    >> as "final", preventing further amendments to that section. But that
    >> concept does not apply to individual relations (although it was
    >> erroneously documented as applying to them prior to 1.17.1).
    >
    > When I looked at the finalization support, I found that it had two
    > unexpected features:
    >
    > 1) The finalization support only works across files; in other words, if
    > you have KRB5_CONFIG=/etc/file1:/etc/file2, a finalized section in file1
    > suppresses the same section in file2. But it doesn't work if it's all
    > within file1.
    >
    > 2) An include statement in a krb5.conf file does NOT count as a new file for
    > the purposes of finalization.
    >
    > If I am wrong about these things, I'd sure love a correction. Honestly,
    > I can't see a reason why a finalized section in a file just doesn't
    > suppress further sections, even within the same file.

    Hmmm, this could be useful in Heimdal as well. We should at the very
    least not trip up over the finalizer token.

    Can we get the semantics nailed down?

    Nico
    --
