author: Ben Kaduk <kaduk@mit.edu> 2013-08-12 13:47:42 -0400
committer: Ben Kaduk <kaduk@mit.edu> 2013-08-12 15:28:07 -0400
commit: 8f5ce824012f2caab6770df464f096c38dc4cb2e (patch)
tree: 80c2374cf7b3a2a3d0ef0c173ba9eb41c5f69cd4 /doc
parent: 37eb601a1294244b179cb0e6e6cfb4a16709ccfa (diff)
Remove redundant domain_realm mappings
This fixes a long-standing documentation bug where we claimed that a domain_realm mapping for a host name would not affect entries under that domain name. The code has always had the behavior where a host name mapping implies the corresponding domain name mapping, since the 1.0 release.

While here, replace media-lab with csail in example files, as the media lab realm is no longer in use. Also strip port 88 from KDC specifications, and drop the harmful default_{tgs,tkt}_enctypes lines from src/util/profile/krb5.conf. Further cleanup on these files to remove defunct realms may be in order.

ticket: 7690 (new)
tags: pullup
target_version: 1.11.4
Diffstat (limited to 'doc')
-rw-r--r-- doc/admin/conf_files/krb5_conf.rst | 18
1 files changed, 11 insertions, 7 deletions
diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst
index 699628f563..40630277b9 100644
--- a/doc/admin/conf_files/krb5_conf.rst
+++ b/doc/admin/conf_files/krb5_conf.rst
@@ -467,7 +467,9 @@ The [domain_realm] section provides a translation from a domain name
or hostname to a Kerberos realm name. The tag name can be a host name
or domain name, where domain names are indicated by a prefix of a
period (``.``). The value of the relation is the Kerberos realm name
-for that particular host or domain. The Kerberos realm may be
+for that particular host or domain. A host name relation implicitly
+provides the corresponding domain name relation, unless an explicit domain
+name relation is provided. The Kerberos realm may be
identified either in the realms_ section or using DNS SRV records.
Host names and domain names should be in lower case. For example:
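Review bot: the added sentence "A host name relation implicitly provides the corresponding domain name relation, unless an explicit domain name relation is provided" leaves "corresponding" for the reader to work out; stating it concretely, e.g. "a relation for ``example.com`` also applies to hosts under ``example.com``, as if ``.example.com`` were present", would make the example that follows (where ``mit.edu`` alone covers hosts under ``dev.mit.edu``) readable without guessing. The "unless" clause also reads as if any explicit domain relation switches the implicit one off; say instead that a more specific explicit relation takes precedence for the names it covers. Minor: the reflow leaves "name relation is provided. The Kerberos realm may be" noticeably shorter than the surrounding lines, so rewrap the paragraph to its fill width.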
@@ -475,14 +477,16 @@ Host names and domain names should be in lower case. For example:
[domain_realm]
crash.mit.edu = TEST.ATHENA.MIT.EDU
- .mit.edu = ATHENA.MIT.EDU
+ .dev.mit.edu = TEST.ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
-maps the host with the exact name ``crash.mit.edu`` into the
-TEST.ATHENA.MIT.EDU realm. The period prefix in ``.mit.edu`` denotes
-that all systems in the ``mit.edu`` domain belong to
-``ATHENA.MIT.EDU`` realm. The third entry maps the host ``mit.edu``
-itself to the ``ATHENA.MIT.EDU`` realm.
+maps the host with the name ``crash.mit.edu`` into the
+``TEST.ATHENA.MIT.EDU`` realm. The second entry maps all hosts under the
+domain ``dev.mit.edu`` into the ``TEST.ATHENA.MIT.EDU`` realm, but not
+the host with the name ``dev.mit.edu``. That host is matched
+by the third entry, which maps the host ``mit.edu`` and all hosts
+under the domain ``mit.edu`` that do not match a preceding rule
+into the realm ``ATHENA.MIT.EDU``.
If no translation entry applies to a hostname used for a service
principal for a service ticket request, the library will try to get a
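Review bot: "all hosts under the domain ``mit.edu`` that do not match a preceding rule" implies that the position of an entry in the file decides the outcome, whereas the realm is chosen by the most specific matching name (full host name first, then progressively shorter domain suffixes); the three entries in the example happen to be listed from most to least specific, which hides the difference. "that do not match a more specific rule" would avoid teaching readers that reordering the section changes results. The rewrite also drops the sentence that said what the period prefix denotes; the definition still stands in the preceding paragraph, but readers who jump straight to the example benefited from the reminder, so consider keeping a short form of it for ``.dev.mit.edu``.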