Lines with "=" in krb5.conf

Weijun Wang
Hi All,

We (Java SE at Oracle) received a bug report that Java cannot deal with krb5.conf containing the following lines:

         [realms]
              ATHENA.MIT.EDU = {
                  auth_to_local = {
                      RULE:[2:$1](johndoe)s/^.*$/guest/
                      RULE:[2:$1;$2](^.*;admin$)s/;admin$//
                      RULE:[2:$2](^.*;root)s/^.*$/root/
                      DEFAULT
                      }
                  }

Is this legal? I tried it with the latest MIT krb5 and saw a "krb5kdc: Improper format of Kerberos configuration file while initializing krb5" error.

Or does any other krb5 vendor support this format?

Thanks,
Max


_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: Lines with "=" in krb5.conf

Alexandr Nedvedicky
Hello Max,

Let's take it off-line. I assume your Kerberos is running on Solaris, right?
If that is the case, then we should take it off-list.

Send me a direct email to company address.

thanks and
regards
sasha


On Tue, Jan 15, 2019 at 10:12:47PM +0800, Weijun Wang wrote:

> Hi All,
>
> We (Java SE at Oracle) received a bug report that Java cannot deal with krb5.conf containing the following lines:
>
>          [realms]
>               ATHENA.MIT.EDU = {
>                   auth_to_local = {
>                       RULE:[2:$1](johndoe)s/^.*$/guest/
>                       RULE:[2:$1;$2](^.*;admin$)s/;admin$//
>                       RULE:[2:$2](^.*;root)s/^.*$/root/
>                       DEFAULT
>                       }
>                   }
>
> Is this legal? I tried it with the latest MIT krb5 and saw a "krb5kdc: Improper format of Kerberos configuration file while initializing krb5" error.
>
> Or does any other krb5 vendor support this format?
>
> Thanks,
> Max
>
>
> _______________________________________________
> krbdev mailing list             [hidden email]
> https://mailman.mit.edu/mailman/listinfo/krbdev

Re: Lines with "=" in krb5.conf

Weijun Wang


> On Jan 15, 2019, at 10:53 PM, Alexandr Nedvedicky <[hidden email]> wrote:
>
> Hello Max,
>
> let's take it off-line. I assume your kerberos  is running on Solaris, right?

No. According to the bug report at https://bugs.openjdk.java.net/browse/JDK-8216173, the platform is Linux.

Thanks,
Max

> if it is the case, then we should take it off-list.
>
> Send me a direct email to company address.
>
> thanks and
> regard
> ssasha
>
>
> On Tue, Jan 15, 2019 at 10:12:47PM +0800, Weijun Wang wrote:
>> Hi All,
>>
>> We (Java SE at Oracle) received a bug report that Java cannot deal with krb5.conf containing the following lines:
>>
>>         [realms]
>>              ATHENA.MIT.EDU = {
>>                  auth_to_local = {
>>                      RULE:[2:$1](johndoe)s/^.*$/guest/
>>                      RULE:[2:$1;$2](^.*;admin$)s/;admin$//
>>                      RULE:[2:$2](^.*;root)s/^.*$/root/
>>                      DEFAULT
>>                      }
>>                  }
>>
>> Is this legal? I tried it with the latest MIT krb5 and saw a "krb5kdc: Improper format of Kerberos configuration file while initializing krb5" error.
>>
>> Or does any other krb5 vendor support this format?
>>
>> Thanks,
>> Max
>>
>>
>> _______________________________________________
>> krbdev mailing list             [hidden email]
>> https://mailman.mit.edu/mailman/listinfo/krbdev



Re: Lines with "=" in krb5.conf

Greg Hudson
On 1/15/19 9:12 AM, Weijun Wang wrote:

>          [realms]
>               ATHENA.MIT.EDU = {
>                   auth_to_local = {
>                       RULE:[2:$1](johndoe)s/^.*$/guest/
>                       RULE:[2:$1;$2](^.*;admin$)s/;admin$//
>                       RULE:[2:$2](^.*;root)s/^.*$/root/
>                       DEFAULT
>                       }
>                   }
>
> Is this legal? I tried it with the latest MIT krb5 and saw a "krb5kdc: Improper format of Kerberos configuration file while initializing krb5" error.
>
> Or does any other krb5 vendor support this format?

I don't think so.  MIT krb5 only expects relations (a = b) within a
braced subsection, and my read of the Heimdal code is that it does as well.


Re: Lines with "=" in krb5.conf

Alexandr Nedvedicky
Hello,

On Wed, Jan 16, 2019 at 12:28:54AM -0500, Greg Hudson wrote:

> On 1/15/19 9:12 AM, Weijun Wang wrote:
> >          [realms]
> >               ATHENA.MIT.EDU = {
> >                   auth_to_local = {
> >                       RULE:[2:$1](johndoe)s/^.*$/guest/
> >                       RULE:[2:$1;$2](^.*;admin$)s/;admin$//
> >                       RULE:[2:$2](^.*;root)s/^.*$/root/
> >                       DEFAULT
> >                       }
> >                   }
> >
> > Is this legal? I tried it with the latest MIT krb5 and saw a "krb5kdc: Improper format of Kerberos configuration file while initializing krb5" error.
> >
> > Or does any other krb5 vendor support this format?
>
> I don't think so.  MIT krb5 only expects relations (a = b) within a
> braced subsection, and my read of the Heimdal code is that it does as well.

    I believe the snippet pasted by Weijun comes from here:

        https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html
        [ search for auth_to_local ]

    However, for the 1.17 version the same paragraph uses the following format:

        [realms]
            ATHENA.MIT.EDU = {
                auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
                auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
                auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
                auth_to_local = DEFAULT
            }

    So it looks like the krb5-latest doc is kind of confusing.

regards
sasha
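
Added example, not part of the thread and not code from MIT krb5 or Heimdal: a small Python checker for the rule Greg Hudson states above (only relations of the form a = b inside a braced subsection), run on the two auth_to_local layouts quoted in the thread. The simplified grammar and the names `check_profile`, `BRACED` and `REPEATED` are assumptions made for this illustration; the sample text is re-typed from the messages.

```python
import re
# Simplified model of the profile grammar (an assumption, not a vendor parser):
# "[section]" headers, "tag = value", "tag = {" openers, "}" on its own line.
RELATION = re.compile(r"^([^\s=]+)\s*=\s*(.*)$")

def check_profile(text):
    """Return (line_no, reason, line) for each line that breaks the rule."""
    problems, depth = [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or (depth == 0 and line[0] == "["):
            continue                      # blank, comment or section header
        if line == "}":
            if depth == 0:
                problems.append((no, "unmatched closing brace", line))
            else:
                depth -= 1
            continue
        m = RELATION.match(line)
        if m is None:
            problems.append((no, "not a relation (a = b)", line))
        elif m.group(2) == "{":
            depth += 1                    # a (possibly nested) subsection opens
    if depth:
        problems.append((0, "unclosed subsection", ""))
    return problems

# The two layouts quoted in the thread, re-typed as constructed test input.
BRACED = """\
[realms]
    ATHENA.MIT.EDU = {
        auth_to_local = {
            RULE:[2:$1](johndoe)s/^.*$/guest/
            RULE:[2:$1;$2](^.*;admin$)s/;admin$//
            RULE:[2:$2](^.*;root)s/^.*$/root/
            DEFAULT
        }
    }
"""
REPEATED = """\
[realms]
    ATHENA.MIT.EDU = {
        auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
        auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
        auth_to_local = DEFAULT
    }
"""
if __name__ == "__main__":
    print(*check_profile(BRACED), sep="\n")
```

In this model the braced layout is flagged on its three RULE lines and on DEFAULT, while the repeated `auth_to_local =` layout passes with no findings.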

Re: Lines with "=" in krb5.conf

Weijun Wang


> On Jan 16, 2019, at 4:43 PM, Alexandr Nedvedicky <[hidden email]> wrote:
>
> Hello,
>
> On Wed, Jan 16, 2019 at 12:28:54AM -0500, Greg Hudson wrote:
>> On 1/15/19 9:12 AM, Weijun Wang wrote:
>>>       [realms]
>>>            ATHENA.MIT.EDU = {
>>>                auth_to_local = {
>>>                    RULE:[2:$1](johndoe)s/^.*$/guest/
>>>                    RULE:[2:$1;$2](^.*;admin$)s/;admin$//
>>>                    RULE:[2:$2](^.*;root)s/^.*$/root/
>>>                    DEFAULT
>>>                    }
>>>                }
>>>
>>> Is this legal? I tried it with the latest MIT krb5 and saw a "krb5kdc: Improper format of Kerberos configuration file while initializing krb5" error.
>>>
>>> Or does any other krb5 vendor support this format?
>>
>> I don't think so.  MIT krb5 only expects relations (a = b) within a
>> braced subsection, and my read of the Heimdal code is that it does as well.
>
>  I believe the snippet pasted by Weijun comes from here:
>
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html
> [ search for auth_to_local ]

On my machine the krb5_conf.html files for krb5-latest and krb5-1.17 are exactly the same.

--Max

>
>  however for 1.17 version the same paragraph uses format as follows
>
> [realms]
>    ATHENA.MIT.EDU = {
> auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
> auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
> auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
> auth_to_local = DEFAULT
>    }
>
>  So it looks like the krb5-latest doc is kind of confusing.
>
> regards
> sasha



Re: Lines with "=" in krb5.conf

Alexandr Nedvedicky
Hello,

Ignore my earlier email. I should ask an optician for glasses.
The 1.17 and latest docs are consistent in their description of auth_to_local.
Entirely my fault.

regards
sasha

On Wed, Jan 16, 2019 at 09:43:38AM +0100, Alexandr Nedvedicky wrote:

> Hello,
>
> On Wed, Jan 16, 2019 at 12:28:54AM -0500, Greg Hudson wrote:
> > On 1/15/19 9:12 AM, Weijun Wang wrote:
> > >          [realms]
> > >               ATHENA.MIT.EDU = {
> > >                   auth_to_local = {
> > >                       RULE:[2:$1](johndoe)s/^.*$/guest/
> > >                       RULE:[2:$1;$2](^.*;admin$)s/;admin$//
> > >                       RULE:[2:$2](^.*;root)s/^.*$/root/
> > >                       DEFAULT
> > >                       }
> > >                   }
> > >
> > > Is this legal? I tried it with the latest MIT krb5 and saw a "krb5kdc: Improper format of Kerberos configuration file while initializing krb5" error.
> > >
> > > Or does any other krb5 vendor support this format?
> >
> > I don't think so.  MIT krb5 only expects relations (a = b) within a
> > braced subsection, and my read of the Heimdal code is that it does as well.
>
>     I believe the snippet pasted by Weijun comes from here:
>
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html
> [ search for auth_to_local ]
>
>     however for 1.17 version the same paragraph uses format as follows
>
> [realms]
>    ATHENA.MIT.EDU = {
> auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
> auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
> auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
> auth_to_local = DEFAULT
>    }
>
>     So it looks like the krb5-latest doc is kind of confusing.

Sorry, I overlooked it.

Re: Lines with "=" in krb5.conf

Weijun Wang
I contacted the bug reporter personally and he confirmed it was a false report. Thanks everyone.

--Max

> On Jan 16, 2019, at 7:55 PM, Alexandr Nedvedicky <[hidden email]> wrote:
>
> Hello,
>
> ignore my earlier email. I should ask optician for glasses.
> 1.17 and latest docs are consistent in description of auth_to_local.
> entirely my fault.
>
> regards
> sasha
>
> On Wed, Jan 16, 2019 at 09:43:38AM +0100, Alexandr Nedvedicky wrote:
>> Hello,
>>
>> On Wed, Jan 16, 2019 at 12:28:54AM -0500, Greg Hudson wrote:
>>> On 1/15/19 9:12 AM, Weijun Wang wrote:
>>>>         [realms]
>>>>              ATHENA.MIT.EDU = {
>>>>                  auth_to_local = {
>>>>                      RULE:[2:$1](johndoe)s/^.*$/guest/
>>>>                      RULE:[2:$1;$2](^.*;admin$)s/;admin$//
>>>>                      RULE:[2:$2](^.*;root)s/^.*$/root/
>>>>                      DEFAULT
>>>>                      }
>>>>                  }
>>>>
>>>> Is this legal? I tried it with the latest MIT krb5 and saw a "krb5kdc: Improper format of Kerberos configuration file while initializing krb5" error.
>>>>
>>>> Or does any other krb5 vendor support this format?
>>>
>>> I don't think so.  MIT krb5 only expects relations (a = b) within a
>>> braced subsection, and my read of the Heimdal code is that it does as well.
>>
>>    I believe the snippet pasted by Weijun comes from here:
>>
>> https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html
>> [ search for auth_to_local ]
>>
>>    however for 1.17 version the same paragraph uses format as follows
>>
>> [realms]
>>    ATHENA.MIT.EDU = {
>> auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
>> auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
>> auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
>> auth_to_local = DEFAULT
>>    }
>>
>>    So it looks like the krb5-latest doc is kind of confusing.
>
> sorry I oversought
> _______________________________________________
> krbdev mailing list             [hidden email]
> https://mailman.mit.edu/mailman/listinfo/krbdev

