+Tue Apr 25 22:04:54 1995 Theodore Y. Ts'o <tytso@dcl>
+
+ * krb5.conf.M: New file added to document the new krb5.conf
+ format.
+
+ * krb5.conf: New file added as a demo version of the new krb5.conf
+ format.
+
+ * convert-config-files: New file to convert old-style krb.conf and
+ krb.realms file to use the new krb5.conf format.
+
+ * krb.conf, krb.realms, krb.conf.M, krb.realms.M: Removed.
+
Thu Apr 20 22:20:37 1995 Theodore Y. Ts'o (tytso@dcl)
* services.append: Fix name of port for kpropd from krb_prop to
--- /dev/null
+#!/usr/bin/perl
+#
+# This program converts the old-style krb.conf and krb.realms files into the
+# new-format krb5.conf file. It takes two arguments; the first is the krb.conf
+# file, and the second is the krb.realms file. The krb5.conf file is output
+# to stdout.
+#
+# Written by Theodore Ts'o, 4/25/95
+#
+
+if ($#ARGV >= 0) {
+ $krb_conf_file = $ARGV[0];
+} else {
+ $krb_conf_file = "/etc/krb.conf";
+}
+
+if ($#ARGV >= 1) {
+ $krb_realms_file = $ARGV[1];
+} else {
+ $krb_realms_file = "/etc/krb.realms";
+}
+
+open(FILE, "<$krb_conf_file") || die "Couldn't open the krb.conf file\n";
+
+$_ = <FILE>;
+strip;
+$default_realm = $_;
+
+while(<FILE>) {
+ strip;
+ ($realm, $host, $admin) = split;
+ if (!defined($realmpt{$realm})) {
+ $realmpt{$realm} = 1;
+ }
+ $realmkdc{$realm . "##" . $realmpt{$realm}} = $host;
+ $realmpt{$realm}++;
+ if ($admin eq "admin") {
+ $realmadmin{$realm} = $host;
+ }
+}
+
+close(FILE);
+
+open(FILE, "<$krb_realms_file") || die "Couldn't open krb.realms file";
+
+while (<FILE>) {
+ strip;
+ ($domain, $realm) = split;
+ $domain =~ s/\.$//;
+ $domain =~ tr/[A-Z]/[a-z]/;
+ $dom_realm{$domain} = $realm;
+ if ($domain =~ /^\./) {
+ $domain =~ s/^\.//;
+ $def_realm{$realm} = $domain;
+ }
+}
+
+print "[libdefaults]\n\tdefault_realm = $default_realm\n";
+
+print "[realms]\n";
+
+foreach $realm (sort(keys(%realmpt))) {
+ print "\t$realm = {\n";
+ for ($i = 1; $i < $realmpt{$realm}; $i++) {
+ printf("\t\tkdc = %s\n", $realmkdc{$realm . "##" . $i});
+
+ }
+ if (defined($realmadmin{$realm})) {
+ print "\t\tadmin_server = $realmadmin{$realm}\n";
+ }
+ if (defined($def_realm{$realm})) {
+ print "\t\tdefault_domain = $def_realm{$realm}\n";
+ }
+ print "\t}\n";
+}
+
+print "\n[domain_realm]\n";
+
+foreach $domain (keys(%dom_realm)) {
+ print "\t$domain = $dom_realm{$domain}\n";
+}
+
+
+
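Review bot: `strip;` is not a Perl built-in, so on the three lines where it appears it is presumably parsed as a bareword and does nothing; the newline read from the first line of krb.conf stays in `$default_realm`, and the `[libdefaults]` print then emits the realm followed by an empty line. Replace each `strip;` with `chomp;` (or `chop;` on Perl 4). Both read loops also lack a guard for blank or short lines: a blank line in krb.conf leaves `$realm` undefined after `split` and produces an empty-named stanza under `[realms]`, so add `next unless defined($realm) && defined($host);` after the split in the first loop and the equivalent check on `$domain` and `$realm` in the second. The script writes `default_realm`, while the krb5.conf.M page added in this commit lists the [libdefaults] relation as `default_domain`; the two should agree. Since the output decides which KDCs and realm mappings clients use, the generated file is worth comparing against the old krb.conf and krb.realms pair before it is installed.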
+++ /dev/null
-ATHENA.MIT.EDU
-ATHENA.MIT.EDU kerberos.mit.edu admin server
-ATHENA.MIT.EDU kerberos-1.mit.edu
-ATHENA.MIT.EDU kerberos-2.mit.edu
-ATHENA.MIT.EDU kerberos-3.mit.edu
-LCS.MIT.EDU kerberos.lcs.mit.edu admin server
-IFS.UMICH.EDU kerberos.ifs.umich.edu
-CS.WASHINGTON.EDU hawk.cs.washington.edu
-CS.WASHINGTON.EDU aspen.cs.washington.edu
-CS.BERKELEY.EDU okeeffe.berkeley.edu
-MEDIA.MIT.EDU kerberos.media.mit.edu
-NEAR.NET kerberos.near.net
-CATS.UCSC.EDU mehitabel.ucsc.edu admin server
-CATS.UCSC.EDU ucsch.ucsc.edu
+++ /dev/null
-.\" $Source$
-.\" $Author$
-.\" $Id$
-.\" Copyright 1989,1991 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\"
-.TH KRB.CONF 5 "Kerberos Version 5.0" "MIT Project Athena"
-.SH NAME
-krb.conf \- Kerberos configuration file
-.SH DESCRIPTION
-.I krb.conf
-contains configuration information describing the Kerberos realm and the
-Kerberos key distribution center (KDC) servers for known realms.
-.PP
-.I krb.conf
-contains two sections. The first section consists of only the first
-line in the file. This line identifies the default realm to be used in
-a client host's Kerberos activity.
-.PP
-The second section consists of the remainder of the file. Each
-subsequent line maps a realm name to a host running a KDC for that
-realm. The first token on the line is the realm name, and the second is
-the hostname of a host running a KDC for that realm. The words "admin
-server" following the hostname indicate that the host also provides an
-administrative database server. For example, this file:
-.sp
-.nf
-.in +1i
-FOO.MIT.EDU
-ATHENA.MIT.EDU kerberos-1.mit.edu admin server
-ATHENA.MIT.EDU kerberos-2.mit.edu
-FOO.MIT.EDU bar-kerberos.mit.edu
-LCS.MIT.EDU kerberos.lcs.mit.edu admin server
-.in -1i
-.fi
-.sp
-configures the local host to run in the FOO.MIT.EDU realm by default,
-identifies kerberos-1.mit.edu and kerberos-2.mit.edu as KDC's for the
-ATHENA.MIT.EDU realm, bar-kerberos.mit.edu as a KDC for the FOO.MIT.EDU
-realm, and kerberos.lcs.mit.edu as a KDC for the LCS.MIT.EDU.
-In addition, kerberos.lcs.mit.edu provides an administrative server for
-the LCS realm, and kerberos-1.mit.edu provides such a server for the
-Athena realm.
-.br
-.SH FILES
-.IP KRB5ROOT/krb.conf 23
-The location of krb.conf is defined at compile time by KRB5ROOT, this
-is /krb5 by default.
-.br
-.SH SEE ALSO
-krb.realms(5)
+++ /dev/null
-.MIT.EDU ATHENA.MIT.EDU
-.MIT.EDU. ATHENA.MIT.EDU
-MIT.EDU ATHENA.MIT.EDU
-.UCSC.EDU CATS.UCSC.EDU
-.UCSC.EDU. CATS.UCSC.EDU
+++ /dev/null
-.\" $Source$
-.\" $Author$
-.\" $Id$
-.\" Copyright 1989,1991 by the Massachusetts Institute of Technology.
-.\"
-.\" Export of this software from the United States of America may
-.\" require a specific license from the United States Government.
-.\" It is the responsibility of any person or organization contemplating
-.\" export to obtain such a license before exporting.
-.\"
-.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-.\" distribute this software and its documentation for any purpose and
-.\" without fee is hereby granted, provided that the above copyright
-.\" notice appear in all copies and that both that copyright notice and
-.\" this permission notice appear in supporting documentation, and that
-.\" the name of M.I.T. not be used in advertising or publicity pertaining
-.\" to distribution of the software without specific, written prior
-.\" permission. M.I.T. makes no representations about the suitability of
-.\" this software for any purpose. It is provided "as is" without express
-.\" or implied warranty.
-.\"
-.TH KRB.REALMS 5 "Kerberos Version 5.0" "MIT Project Athena"
-.SH NAME
-krb.realms \- host to Kerberos realm translation file
-.SH DESCRIPTION
-.I krb.realms
-provides a translation from a hostname to the Kerberos realm name for
-the services provided by that host.
-.PP
-Each line of the translation file is in one of the following forms
-(domain_name should be of the form .XXX.YYY, e.g. .LCS.MIT.EDU):
-.nf
-.in +5n
-host_name kerberos_realm
-domain_name kerberos_realm
-.in -5n
-.fi
-If a hostname exactly matches the
-.I host_name
-field in a line of the first
-form, the corresponding realm is the realm of the host.
-If a hostname does not match any
-.I host_name
-in the file, but its
-domain exactly matches the
-.I domain_name
-field in a line of the second
-form, the corresponding realm is the realm of the host.
-.PP
-If no translation entry applies, the host's realm is considered to be
-the hostname's domain portion converted to upper case.
-For example, the following file:
-.sp
-.nf
-.in +1i
- .MIT.EDU ATHENA.MIT.EDU
- .MIT.EDU. ATHENA.MIT.EDU
- MIT.EDU ATHENA.MIT.EDU
- DODO.MIT.EDU SMS_TEST.MIT.EDU
- .UCSC.EDU CATS.UCSC.EDU
- .UCSC.EDU. CATS.UCSC.EDU
-.in -1i
-.fi
-.sp
-maps dodo.mit.edu into the SMS_TEST.MIT.EDU realm, all other hosts in
-the MIT.EDU domain to the ATHENA.MIT.EDU realm, and all hosts in the
-UCSC.EDU domain into the CATS.UCSC.EDU realm. [The trailing dot is to
-ensure that anchored domain names are properly matched.]
-ucbvax.berkeley.edu would be mapped by the default rules to the
-BERKELEY.EDU realm, while sage.lcs.mit.edu would be mapped to the
-LCS.MIT.EDU realm.
-.br
-.SH FILES
-.IP KRB5ROOT/krb.realms 23
-The location of krb.realms is defined at compile time by KRB5ROOT, this
-is /krb5 by default.
-.br
-.SH SEE ALSO
-krb.conf(5)
--- /dev/null
+.\" Copyright 1995 by the Massachusetts Institute of Technology.
+.\"
+.\" Export of this software from the United States of America may
+.\" require a specific license from the United States Government.
+.\" It is the responsibility of any person or organization contemplating
+.\" export to obtain such a license before exporting.
+.\"
+.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+.\" distribute this software and its documentation for any purpose and
+.\" without fee is hereby granted, provided that the above copyright
+.\" notice appear in all copies and that both that copyright notice and
+.\" this permission notice appear in supporting documentation, and that
+.\" the name of M.I.T. not be used in advertising or publicity pertaining
+.\" to distribution of the software without specific, written prior
+.\" permission. M.I.T. makes no representations about the suitability of
+.\" this software for any purpose. It is provided "as is" without express
+.\" or implied warranty.
+.\"
+.TH KRB5.CONF 5 "Kerberos Version 5.0" "MIT Project Athena"
+.SH NAME
+krb5.conf \- Kerberos configuration file
+.SH DESCRIPTION
+.I krb5.conf
+contains configuration information needed by the Kerberos V5 library.
+This includes information describing the default Kerberos realm, and
+the location of the Kerberos key distribution centers for known
+realms.
+.PP
+The
+.I krb5.conf
+file uses an INI-style format. Sections are delimited by square
+braces; within each section, there are relations where tags can be
+assigned to have specific values. Tags can also contain a subsection,
+which contains further relations or subsections. A tag can be assigned
+to multiple values. Here is an example of the INI-style format used by
+.IR krb5.conf :
+
+.sp
+.nf
+.in +1i
+[section1]
+ tag1 = value_a
+ tag1 = value_b
+ tag2 = value_c
+
+[section 2]
+ tag3 = {
+ subtag1 = subtag_value_a
+ subtag1 = subtag_value_b
+ subtag2 = subtag_value_c
+ }
+ tag4 = {
+ subtag1 = subtag_value_d
+ subtag2 = subtag_value_e
+ }
+.in -1i
+.fi
+.sp
+
+.PP
+The following sections are currently used in the
+.I krb5.conf
+file:
+.IP libdefaults
+Contains various default values used by the Kerberos V5 library.
+
+.IP realms
+Contains subsections keyed by Kerberos realm names which describe
+where to find the Kerberos servers for a particular realm, and other
+realm-specific information.
+
+.IP domain_realm
+Contains relations which map subdomains and domain names to Kerberos
+realm names. This is used by programs to determine what realm a host
+should be in, given its fully qualified domain name.
+
+.PP
+
+Each of these sections will be covered in more details in the
+following sections.
+
+.SH LIBDEFAULTS SECTION
+The following relations are defined in the [libdefaults] section:
+
+.IP default_domain
+This relation identifies the default realm to be used in a client
+host's Kerberos activity.
+
+.SH REALMS SECTION
+
+Each tag in the [realms] section of the file names as Kerberos realm,
+containing a subsection where the relations in that subsection define the
+properties of that particular realm. For example:
+.sp
+.nf
+.in +1i
+[realms]
+ ATHENA.MIT.EDU = {
+ kdc = KERBEROS.MIT.EDU
+ kdc = KERBEROS-1.MIT.EDU:750
+ kdc = KERBEROS-2.MIT.EDU:88
+ admin_server = KERBEROS.MIT.EDU
+ default_domain = MIT.EDU
+ }
+.in -1i
+.fi
+.sp
+The meaings of each of the relations in the subsection are defined here:
+
+.IP kdc
+The value of this relation is the name of a host running a KDC for that realm.
+An optional port number (preceeded by a colon) may be appended to the
+hostname.
+
+.IP admin_server
+This relation identifies the host where the administration server is running.
+Typically this is the Master Kerberos server.
+
+.IP default_domain
+This relation identifies the default domain for which hosts in this
+realm are assumed to be in. This is needed for translating V4 principal names
+(which do not contain a domain name) to V5 principal names (which do).
+
+.SH DOMAIN_REALM SECTION
+
+The [domain_realm] section provides a translation from a hostname to
+the Kerberos realm name for the services provided by that host.
+.PP
+The tag name can be a hostname, or a domain name, where domain names
+are indicated by a prefix of a period ('.') character. The value of
+the relation is the Kerberos realm name for that particular host or domain.
+Host names and domain names should be in lower case.
+.PP
+If no translation entry applies, the host's realm is considered to be
+the hostname's domain portion converted to upper case.
+For example, the following [domain_realm] section:
+
+.sp
+.nf
+.in +1i
+[domain_realm]
+ .mit.edu = ATHENA.MIT.EDU
+ mit.edu = ATHENA.MIT.EDU
+ dodo.mit.edu = SMS_TEST.MIT.EDU
+ .ucsc.edu = CATS.UCSC.EDU
+.in -1i
+.fi
+maps dodo.mit.edu into the SMS_TEST.MIT.EDU realm, all other hosts in
+the MIT.EDU domain to the ATHENA.MIT.EDU realm, and all hosts in the
+UCSC.EDU domain into the CATS.UCSC.EDU realm. ucbvax.berkeley.edu
+would be mapped by the default rules to the BERKELEY.EDU realm, while
+sage.lcs.mit.edu would be mapped to the LCS.MIT.EDU realm.
+
+.SH FILES
+/etc/krb5.conf
+