Skip Menu |
 

Date: Mon, 25 Jan 2021 08:23:30 +0000
To: "krb5-bugs@mit.edu" <krb5-bugs@mit.edu>
From: "Ulf Bremer" <ubremer@juniper.net>
Subject: Documentation__krb5.conf
Hi,

I can't get my head around how the following can be consistent / right:

"
[domain_realm]
The [domain_realm] section provides a translation from a domain name or hostname to a Kerberos realm name. The tag name can be a host name or domain name, where domain names are indicated by a prefix of a period (.).
...

[domain_realm]
crash.mit.edu = TEST.ATHENA.MIT.EDU < --- according to the above a host
.dev.mit.edu = TEST.ATHENA.MIT.EDU < --- according to the above a domain
mit.edu = ATHENA.MIT.EDU < --- according to the above a _host_

... dev.mit.edu ... is matched by the third entry, which maps the host mit.edu and _all hosts under the domain mit.edu_ ... into the realm ATHENA.MIT.EDU.
"

How can a non-domain (as it doesn't start with a . ) apply to "all hosts under the domain"? Any clarification would be much appreciated.

Regards

Ulf

Juniper Business Use Only
Subject: domain_realm documentation is still confusing
There was a historical disagreement between the code and the documentation for [domain_realm].  In the code, a mapping for x.y always implied subdomains of x.y as well as x.y itself, while the documentation originally claimed that it would only apply to x.y.  So, you can still find config fragments floating around in our environment with a lot of redundant [domain_realm] entries (mit.edu and .mit.edu, for instance).

In commit 8f5ce824012f2caab6770df464f096c38dc4cb2e (ticket 7960), we corrected the example and wrote that "A host name relation implicitly provides the corresponding domain name relation, unless an explicit domain name relation is provided."  But I can see how that's unclear; we're still introducing the wrong concepts and then describing the code behavior as an afterthought.  It might be more correct to describe x.y relations as applying to a domain (including all subdomains) and .x.y as applying only to subdomains of x.y.
Here is my proposed wording:

The [domain_realm] section provides a translation from hostnames to
Kerberos realms.  Each tag is a domain name, providing the mapping for
that domain and all subdomains.  If the tag begins with a period
(``.``) then it applies only to subdomains.  The Kerberos realm may be
identified either in the realms_ section or using DNS SRV records.
Tag names should be in lower case.  For example::
 
Subject: git commit
From: ghudson@mit.edu

Clarify domain_realm documentation

The [domain_realm] section provides a mapping from hostnames to realm
names, but the individual mappings apply to domains (including
subdomains) or subdomains, not to hostnames. Reported by Ulf Bremer.

https://github.com/krb5/krb5/commit/fcdaede53ba4c828b6bec48e54621cf6ce0e145a
Author: Greg Hudson <ghudson@mit.edu>
Commit: fcdaede53ba4c828b6bec48e54621cf6ce0e145a
Branch: master
doc/admin/conf_files/krb5_conf.rst | 13 +++++--------
1 files changed, 5 insertions(+), 8 deletions(-)