From: Blake Frantz <bfrantz@cisecurity.org>
To: "krb5-bugs@mit.edu" <krb5-bugs@mit.edu>
Subject: Documentation__kdc.conf vs man kdc.conf, etc
Date: Tue, 16 Oct 2012 04:03:49 +0000
Hi,

There appears to be an inconsistency between man kdc.conf and http://web.mit.edu/kerberos/krb5-current/doc/krb_admins/conf_files/kdc_conf.html with respect to the sections allowed in kdc.conf.

man kdc.conf says:

--8<--

The following sections are currently used in the kdc.conf file:

[kdcdefaults]
Contains parameters which control the overall behaviour of the KDC.

[realms]
Contains subsections keyed by Kerberos realm names which describe per-realm KDC parameters.
-->8--

While http://web.mit.edu/kerberos/krb5-current/doc/krb_admins/conf_files/kdc_conf.html says:

--8<--

The kdc.conf file may contain the following sections:

[kdcdefaults] Default values for KDC behavior
[realms] Realm-specific database configuration and settings
[dbdefaults] Default database settings
[dbmodules] Per-database settings
[logging] Controls how Kerberos daemons perform logging

-->8--

Given the above, we can see that web.mit.edu states three additional sections are permitted in kdc.conf that man does not list.

Additionally, with respect to krb5.conf, http://web.mit.edu/kerberos/krb5-current/doc/krb_admins/conf_files/krb5_conf.html says:

The krb5.conf file may contain the following sections:

[libdefaults] Settings used by the Kerberos V5 library
[realms] Realm-specific contact information and settings
[domain_realm] Maps server hostnames to Kerberos realms
[capaths] Authentication paths for non-hierarchical cross-realm
[appdefaults] Settings used by some Kerberos V5 applications
[plugins] Controls plugin module registration

If the sections for kdc.conf and krb5.conf, as given by web.mit.edu, are taken as a set, it seems neither file is allowed to have the [login] section.

Finally, with respect to kdc.conf, is it recommended to put the [plugins] section in krb5.conf instead of kdc.conf on a KDC, as implied by web.mit.edu in the above URLs?

Thanks for your time.

Blake

In any recent Kerberos release, the KDC and related programs (kadmind,
kdb5_util, etc.) merge the contents of krb5.conf and kdc.conf, while
other programs (kinit, klist, etc.) read only krb5.conf. Any profile
sections can appear in either file, or in both.

During the past year, we've been reorganizing the documentation of
krb5.conf and kdc.conf to put KDC-related relations in the kdc.conf
documentation and general-purpose relations in the other. The man pages
in the forthcoming 1.11 release should reflect what's currently on the
web.

The [login] section is only used by the krb5-aware login program, which
has been unbundled from the krb5 package into the krb5-appl package. So
we don't document it any more.

We do not have a particular recommendation for whether KDC-related
plugin module registrations appear in kdc.conf or krb5.conf. The
[plugins] section is documented in krb5.conf because it is relevant to
all Kerberos programs and not just KDC-related programs.
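As an added example (not part of this thread or of the krb5 code base), the following Python parses two constructed files in krb5 profile syntax, combines them the way the reply says a KDC sees krb5.conf and kdc.conf together, and reports any section that neither of the quoted documentation pages lists, such as [login]. The sample file contents, the order in which duplicate relation values are kept, and the DOCUMENTED set (built from the two section lists quoted above) are this example's own assumptions.

```python
# Constructed sample files (not from the thread), in krb5 profile syntax.
KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88
[realms]
    EXAMPLE.COM = {
        max_life = 10h 0m 0s
    }
"""
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
[login]
    krb5_get_tickets = true
"""
# Sections the two documentation pages quoted above list for kdc.conf and krb5.conf.
DOCUMENTED = {"kdcdefaults", "realms", "dbdefaults", "dbmodules", "logging",
              "libdefaults", "domain_realm", "capaths", "appdefaults", "plugins"}
def parse_profile(text):  # -> {section: {tag: [values] or nested subsection dict}}
    profile, stack = {}, []
    for line in (l for l in map(str.strip, text.splitlines()) if l and l[0] not in "#;"):
        if line.startswith("[") and line.endswith("]"):
            stack = [profile.setdefault(line[1:-1], {})]      # new top-level section
        elif line == "}":
            stack.pop()                                       # close subsection
        else:
            tag, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(tag, {}))  # open subsection
            else:
                stack[-1].setdefault(tag, []).append(value)  # repeated tags keep all values
    return profile

def merge(a, b):  # KDC view: krb5.conf and kdc.conf combined (duplicate-value order assumed)
    out = dict(a)
    for key, val in b.items():
        cur = out.get(key)
        if isinstance(val, dict) and isinstance(cur, dict):
            out[key] = merge(cur, val)                        # recurse into subsections
        else:
            out[key] = cur + val if isinstance(cur, list) and isinstance(val, list) else val
    return out

def undocumented_sections(profile):  # section names absent from both documentation pages
    return sorted(set(profile) - DOCUMENTED)
```

Running `undocumented_sections(merge(parse_profile(KRB5_CONF), parse_profile(KDC_CONF)))` on the samples reports only `login`; client-only programs such as kinit would see just the krb5.conf half of that merged view.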