From kenh@cmf.nrl.navy.mil Thu Nov 7 11:40:03 1996
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id LAA25135 for <bugs@RT-11.MIT.EDU>; Thu, 7 Nov 1996 11:40:03 -0500
Received: from [134.207.10.161] by MIT.EDU with SMTP
id AA10378; Thu, 7 Nov 96 11:40:01 EST
Received: from elvis.cmf.nrl.navy.mil (kenh@elvis.cmf.nrl.navy.mil [134.207.10.38]) by ginger.cmf.nrl.navy.mil (8.7.5/8.7.3) with ESMTP id LAA02747 for <krb5-bugs@mit.edu>; Thu, 7 Nov 1996 11:40:00 -0500 (EST)
Received: (kenh@localhost) by elvis.cmf.nrl.navy.mil (8.6.12/8.6.11) id LAA05501; Thu, 7 Nov 1996 11:39:51 -0500
Message-Id: <199611071639.LAA05501@elvis.cmf.nrl.navy.mil>
Date: Thu, 7 Nov 1996 11:39:51 -0500
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Reply-To: kenh@cmf.nrl.navy.mil
To: krb5-bugs@MIT.EDU
Subject: kadmin's "list_principals" doesn't really list all principals
X-Send-Pr-Version: 3.2

>Number: 161
>Category: krb5-admin
>Synopsis: kadmin's list_principals doesn't list all principals
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bjaspan
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Nov 07 11:41:00 EST 1996
>Last-Modified: Thu Nov 07 16:44:10 EST 1996
>Originator: Ken Hornstein
>Organization:
Naval Research Lab
>Release: beta-7
>Environment:

System: SunOS elvis 4.1.3_U1 13 sun4m
Architecture: sun4

>Description:

I discovered that "list_principals" without an expression doesn't really list
all principals -- it only lists principals in the local realm. You wouldn't
normally notice this, but I did when I was setting up cross-cell
authentication.

Since the documentation says that list_principals without an expression lists
all principals, it's either a documentation bug, or a software bug. IMHO,
it's a software bug, since the Principle of Least Astonishment would say
that list_principals really _should_ list all principals.
>How-To-Repeat:

Create a principal with a realm that isn't the same as your local cell, and
note that list_principals doesn't show it.
>Fix:

The following patch fixes the problem. Not really sure if this belongs in
the library or the cli, but it does the right thing for me.

--- lib/kadm5/srv/svr_iters.c.orig Thu Nov 7 11:24:51 1996
+++ lib/kadm5/srv/svr_iters.c Thu Nov 7 11:25:04 1996
@@ -180,7 +180,7 @@

*count = 0;
if (exp == NULL)
- exp = "*";
+ exp = "*@*";

CHECK_HANDLE(server_handle);
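
Review bot: The new NULL default `"*@*"` at the `if (exp == NULL)` assignment lives in the library (lib/kadm5/srv/svr_iters.c), so it changes the result for every caller that passes a NULL expression, not only kadmin's list_principals. If that is intended, add a comment at this assignment saying that the explicit `@*` is there so that a missing expression matches principals in every realm, and update the documentation for the NULL case in the same change; if only the CLI should change, have the caller pass `"*@*"` and leave this default alone.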

>Audit-Trail:

From: "Barry Jaspan" <bjaspan@MIT.EDU>
To: krb5-bugs@MIT.EDU, kenh@cmf.nrl.navy.mil
Cc:
Subject: Re: krb5-admin/161: kadmin's "list_principals" doesn't really list all principals
Date: Thu, 7 Nov 1996 17:09:01 GMT

This was an explicit decision. Maybe it was wrong, and I cannot
really remember my reasoning, but the code is very explicitly written
to have this behavior.

Originally, list_principals (or kadm5_get_principals, which it uses)
did nothing special for the realm. The problem was then that
"list_principals */ddn.mit.edu" didn't match *anything* because it
contained no realm whatsoever (the glob is converted to an anchored
regexp). So I had to add some default behavior when no @ was
specified in the principal glob. I considered @LOCAL.REALM and @*, and
went with @LOCAL.REALM. I don't remember why.

Perhaps my reasoning was that @* is shorter to type than @LOCAL.REALM.


From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
To: "Barry Jaspan" <bjaspan@MIT.EDU>
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-admin/161: kadmin's "list_principals" doesn't really list all principals
Date: Thu, 07 Nov 1996 12:15:34 -0500

>Originally, list_principals (or kadm5_get_principals, which it uses)
>did nothing special for the realm. The problem was then that
>"list_principals */ddn.mit.edu" didn't match *anything* because it
>contained no realm whatsoever (the glob is converted to an anchored
>regexp). So I had to add some default behavior when no @ was
>specified in the principal glob. I considered @LOCAL.REALM and @*, and
>went with @LOCAL.REALM. I don't remember why.
>
>Perhaps my reasoning was that @* is shorter to type than @LOCAL.REALM.

While I don't have any problem with the behavior of the glob conversion
when you _give_ it a glob expression, it's the case when there isn't a glob
that I think is a bug. IMHO, the expression that the library uses when
the expression argument is null should really match all principals.

If you don't accept this patch, then at least change the documentation for
list_principals to say that when no glob is given, all principals in _the
local realm_ are listed. That's what really confused me about this behavior.

--Ken

State-Changed-From-To: open-closed
State-Changed-By: bjaspan
State-Changed-When: Thu Nov 7 16:43:37 1996
State-Changed-Why:

Ken is right, @* has less surprise value than @LOCAL.REALM.

Fixed:

lib/kadm5/srv/ChangeLog
lib/kadm5/srv/svr_iters.c

>Unformatted:
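
The matching behaviour discussed in this report, as an added C illustration (not the krb5 source and not code from either correspondent): a glob is converted to an anchored regexp, and a glob without `@` gets the local realm appended, so a default of `*` selects only local-realm principals while `*@*` selects every realm. The function names, buffer sizes and the sample principals (including `OTHER.REALM`) are assumptions made for the example.

```c
/* Added illustration, not krb5 source. Glob -> anchored ERE; a glob without
 * '@' gets "@<realm>" appended (realm == NULL models the original code). */
#include <regex.h>
#include <stdio.h>
#include <string.h>

int glob_to_regex(const char *glob, const char *realm, char *out, size_t cap) {
    char full[256];
    size_t n = 0;
    int bare = !strchr(glob, '@') && realm;      /* no realm part typed */
    int len = snprintf(full, sizeof full, "%s%s%s", glob,
                       bare ? "@" : "", bare ? realm : "");
    if (len < 0 || (size_t)len >= sizeof full || cap < 3) return -1;
    out[n++] = '^';
    for (const char *p = full; *p; p++) {
        if (n + 4 > cap) return -1;              /* 2 chars + '$' + NUL */
        if (*p == '*') { out[n++] = '.'; out[n++] = '*'; }
        else if (*p == '?') out[n++] = '.';
        else if (strchr(".[](){}+^$|\\", *p)) { out[n++] = '\\'; out[n++] = *p; }
        else out[n++] = *p;
    }
    out[n++] = '$'; out[n] = '\0';
    return 0;
}

/* Number of principals the glob selects, or -1 on error. */
int count_matches(const char *glob, const char *realm,
                  const char *const *princs, size_t nprincs) {
    char re[520];
    regex_t rx;
    int hits = 0;
    if (glob_to_regex(glob, realm, re, sizeof re) != 0 ||
        regcomp(&rx, re, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    for (size_t i = 0; i < nprincs; i++)
        hits += regexec(&rx, princs[i], 0, NULL, 0) == 0;
    regfree(&rx);
    return hits;
}

static const char *const SAMPLE[] = {            /* constructed principals */
    "alice@LOCAL.REALM", "host/ddn.mit.edu@LOCAL.REALM",
    "bob@OTHER.REALM", "krbtgt/LOCAL.REALM@OTHER.REALM",
};

int main(void) {
    printf("%d vs %d\n", count_matches("*", "LOCAL.REALM", SAMPLE, 4),
           count_matches("*@*", "LOCAL.REALM", SAMPLE, 4));
    return 0;
}
```

With the realm argument set to NULL, `*/ddn.mit.edu` selects nothing from the sample list, which is the anchoring problem described in the first reply.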