From: Ben Kaduk Date: Mon, 12 Aug 2013 17:47:42 +0000 (-0400) Subject: Remove redundant domain_realm mappings X-Git-Tag: krb5-1.12-alpha1~63 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8f5ce824012f2caab6770df464f096c38dc4cb2e;p=thirdparty%2Fkrb5.git Remove redundant domain_realm mappings This fixes a long-standing documentation bug where we claimed that a domain_realm mapping for a host name would not affect entries under that domain name. The code has always had the behavior where a host name mapping implies the corresponding domain name mapping, since the 1.0 release. While here, replace media-lab with csail in example files, as the media lab realm is no longer in use. Also strip port 88 from KDC specifications, and drop the harmful default_{tgs,tkt}_enctypes lines from src/util/profile/krb5.conf. Further cleanup on these files to remove defunct realms may be in order. ticket: 7690 (new) tags: pullup target_version: 1.11.4 --- diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst index 699628f563..40630277b9 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst @@ -467,7 +467,9 @@ The [domain_realm] section provides a translation from a domain name or hostname to a Kerberos realm name. The tag name can be a host name or domain name, where domain names are indicated by a prefix of a period (``.``). The value of the relation is the Kerberos realm name -for that particular host or domain. The Kerberos realm may be +for that particular host or domain. A host name relation implicitly +provides the corresponding domain name relation, unless an explicit domain +name relation is provided. The Kerberos realm may be identified either in the realms_ section or using DNS SRV records. Host names and domain names should be in lower case. For example: 
@@ -475,14 +477,16 @@ Host names and domain names should be in lower case. For example: [domain_realm] crash.mit.edu = TEST.ATHENA.MIT.EDU - .mit.edu = ATHENA.MIT.EDU + .dev.mit.edu = TEST.ATHENA.MIT.EDU mit.edu = ATHENA.MIT.EDU -maps the host with the exact name ``crash.mit.edu`` into the -TEST.ATHENA.MIT.EDU realm. The period prefix in ``.mit.edu`` denotes -that all systems in the ``mit.edu`` domain belong to -``ATHENA.MIT.EDU`` realm. The third entry maps the host ``mit.edu`` -itself to the ``ATHENA.MIT.EDU`` realm. +maps the host with the name ``crash.mit.edu`` into the +``TEST.ATHENA.MIT.EDU`` realm. The second entry maps all hosts under the +domain ``dev.mit.edu`` into the ``TEST.ATHENA.MIT.EDU`` realm, but not +the host with the name ``dev.mit.edu``. That host is matched +by the third entry, which maps the host ``mit.edu`` and all hosts +under the domain ``mit.edu`` that do not match a preceding rule +into the realm ``ATHENA.MIT.EDU``. If no translation entry applies to a hostname used for a service principal for a service ticket request, the library will try to get a diff --git a/src/config-files/krb5.conf b/src/config-files/krb5.conf index 210348fa18..62fbbd6006 100644 --- a/src/config-files/krb5.conf +++ b/src/config-files/krb5.conf @@ -16,10 +16,8 @@ } [domain_realm] - .mit.edu = ATHENA.MIT.EDU mit.edu = ATHENA.MIT.EDU - .media.mit.edu = MEDIA-LAB.MIT.EDU - media.mit.edu = MEDIA-LAB.MIT.EDU + csail.mit.edu = CSAIL.MIT.EDU .ucsc.edu = CATS.UCSC.EDU [logging] diff --git a/src/util/profile/krb5.conf b/src/util/profile/krb5.conf index 73f58b90ca..aefe4abb96 100644 --- a/src/util/profile/krb5.conf +++ b/src/util/profile/krb5.conf 
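Review bot: With `.mit.edu = ATHENA.MIT.EDU` removed, the [domain_realm] section of src/config-files/krb5.conf now depends on the implicit rule that a host entry also covers every host under that domain, and the new `csail.mit.edu = CSAIL.MIT.EDU` line therefore moves the whole `.csail.mit.edu` subtree out of ATHENA.MIT.EDU as well, yet nothing in the sample says so even though this mapping is what decides which realm the library uses for a host's service principal. A reader who copies this section into their own krb5.conf cannot see the domain rules it relies on. Assuming this sample accepts `#` comments the way the `# kdc = kerberos-2000.mit.edu` line in src/util/profile/krb5.conf does, a comment above the section would keep it self-explanatory, e.g. `# A host entry also maps every host under that domain unless a more` / `# specific domain entry exists; csail.mit.edu covers .csail.mit.edu too.` The [domain_realm] hunk of src/util/profile/krb5.conf in this commit has the same gap.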
@@ -1,18 +1,15 @@ [libdefaults] default_realm = ATHENA.MIT.EDU - default_tgs_enctypes = des-cbc-crc - default_tkt_enctypes = des-cbc-crc - default_keytab_name = FILE:/etc/krb5.keytab kdc_timesync = 1 ccache_type = 4 [realms] ATHENA.MIT.EDU = { # kdc = kerberos-2000.mit.edu - kdc = kerberos.mit.edu:88 - kdc = kerberos-1.mit.edu:88 - kdc = kerberos-2.mit.edu:88 - kdc = kerberos-3.mit.edu:88 + kdc = kerberos.mit.edu + kdc = kerberos-1.mit.edu + kdc = kerberos-2.mit.edu + kdc = kerberos-3.mit.edu admin_server = kerberos.mit.edu default_domain = mit.edu } @@ -26,8 +23,8 @@ admin_server = casio.mit.edu } MOOF.MIT.EDU = { - kdc = three-headed-dogcow.mit.edu:88 - kdc = three-headed-dogcow-1.mit.edu:88 + kdc = three-headed-dogcow.mit.edu + kdc = three-headed-dogcow-1.mit.edu admin_server = three-headed-dogcow.mit.edu } CYGNUS.COM = { @@ -45,10 +42,8 @@ } [domain_realm] - .mit.edu = ATHENA.MIT.EDU mit.edu = ATHENA.MIT.EDU - .media.mit.edu = MEDIA-LAB.MIT.EDU - media.mit.edu = MEDIA-LAB.MIT.EDU + csail.mit.edu = CSAIL.MIT.EDU [login] krb4_convert = true diff --git a/src/windows/installer/wix/athena/krb5.ini b/src/windows/installer/wix/athena/krb5.ini index 169f8b1ac3..49b10fdc7e 100644 --- a/src/windows/installer/wix/athena/krb5.ini +++ b/src/windows/installer/wix/athena/krb5.ini @@ -3,9 +3,6 @@ allow_weak_crypto = true [domain_realm] - .mit.edu = ATHENA.MIT.EDU mit.edu = ATHENA.MIT.EDU - .win.mit.edu = WIN.MIT.EDU win.mit.edu = WIN.MIT.EDU - .csail.mit.edu = CSAIL.MIT.EDU csail.mit.edu = CSAIL.MIT.EDU
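Review bot: The [libdefaults] hunk of src/util/profile/krb5.conf drops `default_tgs_enctypes = des-cbc-crc` and `default_tkt_enctypes = des-cbc-crc` without leaving any trace of why, although the description calls them harmful, so a later editor of this sample has no cue not to reintroduce a single-enctype pin. A short comment in their place would preserve the reasoning, e.g. `# Do not pin default_tgs_enctypes/default_tkt_enctypes to one legacy type;` / `# the library's built-in enctype defaults are the safe choice.` The Windows sample touched by the same commit still carries `allow_weak_crypto = true` as context at the top of its hunk, which presumably re-enables the same weak enctypes this hunk stops defaulting to; that is outside this change but belongs on the follow-up cleanup list the description mentions.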