Remove redundant domain_realm mappings

This fixes a long-standing documentation bug where we claimed that
a domain_realm mapping for a host name would not affect entries
under that domain name.  The code has always had the behavior where
a host name mapping implies the corresponding domain name mapping,
since the 1.0 release.

While here, replace media-lab with csail in example files, as the
media lab realm is no longer in use.  Also strip port 88 from KDC
specifications, and drop the harmful default_{tgs,tkt}_enctypes
lines from src/util/profile/krb5.conf.

Further cleanup on these files to remove defunct realms may be in order.

ticket: 7690 (new)
tags: pullup
target_version: 1.11.4

diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 699628f563ce18b69f5a7136c1cdf0142af9e9dd..40630277b9a701cea8837f61c1d6b2f0881315d0 100644 (file)
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -467,7 +467,9 @@ The [domain_realm] section provides a translation from a domain name
 or hostname to a Kerberos realm name.  The tag name can be a host name
 or domain name, where domain names are indicated by a prefix of a
 period (``.``).  The value of the relation is the Kerberos realm name
-for that particular host or domain.  The Kerberos realm may be
+for that particular host or domain.  A host name relation implicitly
+provides the corresponding domain name relation, unless an explicit domain
+name relation is provided.  The Kerberos realm may be
 identified either in the realms_ section or using DNS SRV records.
 Host names and domain names should be in lower case.  For example:
 
@@ -475,14 +477,16 @@ Host names and domain names should be in lower case.  For example:
 
     [domain_realm]
         crash.mit.edu = TEST.ATHENA.MIT.EDU
-        .mit.edu = ATHENA.MIT.EDU
+       .dev.mit.edu = TEST.ATHENA.MIT.EDU
         mit.edu = ATHENA.MIT.EDU
 
-maps the host with the exact name ``crash.mit.edu`` into the
-TEST.ATHENA.MIT.EDU realm.  The period prefix in ``.mit.edu`` denotes
-that all systems in the ``mit.edu`` domain belong to
-``ATHENA.MIT.EDU`` realm.  The third entry maps the host ``mit.edu``
-itself to the ``ATHENA.MIT.EDU`` realm.
+maps the host with the name ``crash.mit.edu`` into the
+``TEST.ATHENA.MIT.EDU`` realm.  The second entry maps all hosts under the
+domain ``dev.mit.edu`` into the ``TEST.ATHENA.MIT.EDU`` realm, but not
+the host with the name ``dev.mit.edu``.  That host is matched
+by the third entry, which maps the host ``mit.edu`` and all hosts
+under the domain ``mit.edu`` that do not match a preceding rule
+into the realm ``ATHENA.MIT.EDU``.
 
 If no translation entry applies to a hostname used for a service
 principal for a service ticket request, the library will try to get a

diff --git a/src/config-files/krb5.conf b/src/config-files/krb5.conf
index 210348fa18935a2106d3096fbb7be35d8c7378a8..62fbbd600624bcff96de5b9954d42b8a27949262 100644 (file)
--- a/src/config-files/krb5.conf
+++ b/src/config-files/krb5.conf
@@ -16,10 +16,8 @@
        }
 
 [domain_realm]
-       .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
-       .media.mit.edu = MEDIA-LAB.MIT.EDU
-       media.mit.edu = MEDIA-LAB.MIT.EDU
+       csail.mit.edu = CSAIL.MIT.EDU
        .ucsc.edu = CATS.UCSC.EDU
 
 [logging]

diff --git a/src/util/profile/krb5.conf b/src/util/profile/krb5.conf
index 73f58b90ca2dd085a3c9b860e71e7fe45b7871e8..aefe4abb96d6b9946e140e59d81293078aa7f96f 100644 (file)
--- a/src/util/profile/krb5.conf
+++ b/src/util/profile/krb5.conf
@@ -1,18 +1,15 @@
 [libdefaults]
        default_realm = ATHENA.MIT.EDU 
-       default_tgs_enctypes = des-cbc-crc
-       default_tkt_enctypes = des-cbc-crc
-       default_keytab_name = FILE:/etc/krb5.keytab
        kdc_timesync = 1
        ccache_type = 4
 
 [realms] 
        ATHENA.MIT.EDU = { 
 #              kdc = kerberos-2000.mit.edu
-               kdc = kerberos.mit.edu:88
-               kdc = kerberos-1.mit.edu:88
-               kdc = kerberos-2.mit.edu:88
-               kdc = kerberos-3.mit.edu:88
+               kdc = kerberos.mit.edu
+               kdc = kerberos-1.mit.edu
+               kdc = kerberos-2.mit.edu
+               kdc = kerberos-3.mit.edu
                admin_server = kerberos.mit.edu
                default_domain = mit.edu
        } 
@@ -26,8 +23,8 @@
                admin_server = casio.mit.edu
        }
        MOOF.MIT.EDU = {
-               kdc = three-headed-dogcow.mit.edu:88
-               kdc = three-headed-dogcow-1.mit.edu:88
+               kdc = three-headed-dogcow.mit.edu
+               kdc = three-headed-dogcow-1.mit.edu
                admin_server = three-headed-dogcow.mit.edu
        }
        CYGNUS.COM = {
@@ -45,10 +42,8 @@
        }
 
 [domain_realm]
-       .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
-       .media.mit.edu = MEDIA-LAB.MIT.EDU
-       media.mit.edu = MEDIA-LAB.MIT.EDU
+       csail.mit.edu = CSAIL.MIT.EDU
 
 [login]
        krb4_convert = true

diff --git a/src/windows/installer/wix/athena/krb5.ini b/src/windows/installer/wix/athena/krb5.ini
index 169f8b1ac38226e8a26857a90b4a2654d44f35ae..49b10fdc7ea5a84a94971a6f77b3ef789f9d053d 100644 (file)
--- a/src/windows/installer/wix/athena/krb5.ini
+++ b/src/windows/installer/wix/athena/krb5.ini
@@ -3,9 +3,6 @@
        allow_weak_crypto = true
 
 [domain_realm]
-       .mit.edu = ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU
-       .win.mit.edu = WIN.MIT.EDU
        win.mit.edu = WIN.MIT.EDU
-       .csail.mit.edu = CSAIL.MIT.EDU
        csail.mit.edu = CSAIL.MIT.EDU