From: Theodore Tso Date: Wed, 26 Apr 1995 03:34:38 +0000 (+0000) Subject: krb5.conf.M: New file added to document the new krb5.conf X-Git-Tag: krb5-1.0-beta5~258 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=0dc47fd20444078c8be403ccce960b169415b613;p=krb5.git krb5.conf.M: New file added to document the new krb5.conf format. krb5.conf: New file added as a demo version of the new krb5.conf format. convert-config-files: New file to convert old-style krb.conf and krb.realms file to use the new krb5.conf format. krb.conf, krb.realms, krb.conf.M, krb.realms.M: Removed. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5491 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/config-files/ChangeLog b/src/config-files/ChangeLog index 14e5268af..2907130c5 100644 --- a/src/config-files/ChangeLog +++ b/src/config-files/ChangeLog @@ -1,3 +1,16 @@ +Tue Apr 25 22:04:54 1995 Theodore Y. Ts'o + + * krb5.conf.M: New file added to document the new krb5.conf + format. + + * krb5.conf: New file added as a demo version of the new krb5.conf + format. + + * convert-config-files: New file to convert old-style krb.conf and + krb.realms file to use the new krb5.conf format. + + * krb.conf, krb.realms, krb.conf.M, krb.realms.M: Removed. + Thu Apr 20 22:20:37 1995 Theodore Y. Ts'o (tytso@dcl) * services.append: Fix name of port for kpropd from krb_prop to diff --git a/src/config-files/convert-config-files b/src/config-files/convert-config-files new file mode 100644 index 000000000..53ddefff1 --- /dev/null +++ b/src/config-files/convert-config-files 
@@ -0,0 +1,84 @@ +#!/usr/bin/perl +# +# This program converts the old-style krb.conf and krb.realms files into the +# new-format krb5.conf file. It takes two arguments; the first is the krb.conf +# file, and the second is the krb.realms file. The krb5.conf file is output +# to stdout. +# +# Written by Theodore Ts'o, 4/25/95 +# + +if ($#ARGV >= 0) { + $krb_conf_file = $ARGV[0]; +} else { + $krb_conf_file = "/etc/krb.conf"; +} + +if ($#ARGV >= 1) { + $krb_realms_file = $ARGV[1]; +} else { + $krb_realms_file = "/etc/krb.realms"; +} + +open(FILE, "<$krb_conf_file") || die "Couldn't open the krb.conf file\n"; + +$_ = ; +strip; +$default_realm = $_; + +while() { + strip; + ($realm, $host, $admin) = split; + if (!defined($realmpt{$realm})) { + $realmpt{$realm} = 1; + } + $realmkdc{$realm . "##" . $realmpt{$realm}} = $host; + $realmpt{$realm}++; + if ($admin eq "admin") { + $realmadmin{$realm} = $host; + } +} + +close(FILE); + +open(FILE, "<$krb_realms_file") || die "Couldn't open krb.realms file"; + +while () { + strip; + ($domain, $realm) = split; + $domain =~ s/\.$//; + $domain =~ tr/[A-Z]/[a-z]/; + $dom_realm{$domain} = $realm; + if ($domain =~ /^\./) { + $domain =~ s/^\.//; + $def_realm{$realm} = $domain; + } +} + +print "[libdefaults]\n\tdefault_realm = $default_realm\n"; + +print "[realms]\n"; + +foreach $realm (sort(keys(%realmpt))) { + print "\t$realm = {\n"; + for ($i = 1; $i < $realmpt{$realm}; $i++) { + printf("\t\tkdc = %s\n", $realmkdc{$realm . "##" . $i}); + + } + if (defined($realmadmin{$realm})) { + print "\t\tadmin_server = $realmadmin{$realm}\n"; + } + if (defined($def_realm{$realm})) { + print "\t\tdefault_domain = $def_realm{$realm}\n"; + } + print "\t}\n"; +} + +print "\n[domain_realm]\n"; + +foreach $domain (keys(%dom_realm)) { + print "\t$domain = $dom_realm{$domain}\n"; +} + + + diff --git a/src/config-files/krb.conf b/src/config-files/krb.conf deleted file mode 100644 index 834fb523a..000000000 --- a/src/config-files/krb.conf +++ /dev/null 
@@ -1,14 +0,0 @@ -ATHENA.MIT.EDU -ATHENA.MIT.EDU kerberos.mit.edu admin server -ATHENA.MIT.EDU kerberos-1.mit.edu -ATHENA.MIT.EDU kerberos-2.mit.edu -ATHENA.MIT.EDU kerberos-3.mit.edu -LCS.MIT.EDU kerberos.lcs.mit.edu admin server -IFS.UMICH.EDU kerberos.ifs.umich.edu -CS.WASHINGTON.EDU hawk.cs.washington.edu -CS.WASHINGTON.EDU aspen.cs.washington.edu -CS.BERKELEY.EDU okeeffe.berkeley.edu -MEDIA.MIT.EDU kerberos.media.mit.edu -NEAR.NET kerberos.near.net -CATS.UCSC.EDU mehitabel.ucsc.edu admin server -CATS.UCSC.EDU ucsch.ucsc.edu diff --git a/src/config-files/krb.conf.M b/src/config-files/krb.conf.M deleted file mode 100644 index e0378276c..000000000 --- a/src/config-files/krb.conf.M +++ /dev/null 
@@ -1,66 +0,0 @@ -.\" $Source$ -.\" $Author$ -.\" $Id$ -.\" Copyright 1989,1991 by the Massachusetts Institute of Technology. -.\" -.\" Export of this software from the United States of America may -.\" require a specific license from the United States Government. -.\" It is the responsibility of any person or organization contemplating -.\" export to obtain such a license before exporting. -.\" -.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -.\" distribute this software and its documentation for any purpose and -.\" without fee is hereby granted, provided that the above copyright -.\" notice appear in all copies and that both that copyright notice and -.\" this permission notice appear in supporting documentation, and that -.\" the name of M.I.T. not be used in advertising or publicity pertaining -.\" to distribution of the software without specific, written prior -.\" permission. M.I.T. makes no representations about the suitability of -.\" this software for any purpose. It is provided "as is" without express -.\" or implied warranty. -.\" -.TH KRB.CONF 5 "Kerberos Version 5.0" "MIT Project Athena" -.SH NAME -krb.conf \- Kerberos configuration file -.SH DESCRIPTION -.I krb.conf -contains configuration information describing the Kerberos realm and the -Kerberos key distribution center (KDC) servers for known realms. -.PP -.I krb.conf -contains two sections. The first section consists of only the first -line in the file. This line identifies the default realm to be used in -a client host's Kerberos activity. -.PP -The second section consists of the remainder of the file. Each -subsequent line maps a realm name to a host running a KDC for that -realm. The first token on the line is the realm name, and the second is -the hostname of a host running a KDC for that realm. The words "admin -server" following the hostname indicate that the host also provides an -administrative database server. 
For example, this file: -.sp -.nf -.in +1i -FOO.MIT.EDU -ATHENA.MIT.EDU kerberos-1.mit.edu admin server -ATHENA.MIT.EDU kerberos-2.mit.edu -FOO.MIT.EDU bar-kerberos.mit.edu -LCS.MIT.EDU kerberos.lcs.mit.edu admin server -.in -1i -.fi -.sp -configures the local host to run in the FOO.MIT.EDU realm by default, -identifies kerberos-1.mit.edu and kerberos-2.mit.edu as KDC's for the -ATHENA.MIT.EDU realm, bar-kerberos.mit.edu as a KDC for the FOO.MIT.EDU -realm, and kerberos.lcs.mit.edu as a KDC for the LCS.MIT.EDU. -In addition, kerberos.lcs.mit.edu provides an administrative server for -the LCS realm, and kerberos-1.mit.edu provides such a server for the -Athena realm. -.br -.SH FILES -.IP KRB5ROOT/krb.conf 23 -The location of krb.conf is defined at compile time by KRB5ROOT, this -is /krb5 by default. -.br -.SH SEE ALSO -krb.realms(5) diff --git a/src/config-files/krb.realms b/src/config-files/krb.realms deleted file mode 100644 index b8e77f21b..000000000 --- a/src/config-files/krb.realms +++ /dev/null @@ -1,5 +0,0 @@ -.MIT.EDU ATHENA.MIT.EDU -.MIT.EDU. ATHENA.MIT.EDU -MIT.EDU ATHENA.MIT.EDU -.UCSC.EDU CATS.UCSC.EDU -.UCSC.EDU. CATS.UCSC.EDU diff --git a/src/config-files/krb.realms.M b/src/config-files/krb.realms.M deleted file mode 100644 index 308b0a2f1..000000000 --- a/src/config-files/krb.realms.M +++ /dev/null 
@@ -1,79 +0,0 @@ -.\" $Source$ -.\" $Author$ -.\" $Id$ -.\" Copyright 1989,1991 by the Massachusetts Institute of Technology. -.\" -.\" Export of this software from the United States of America may -.\" require a specific license from the United States Government. -.\" It is the responsibility of any person or organization contemplating -.\" export to obtain such a license before exporting. -.\" -.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -.\" distribute this software and its documentation for any purpose and -.\" without fee is hereby granted, provided that the above copyright -.\" notice appear in all copies and that both that copyright notice and -.\" this permission notice appear in supporting documentation, and that -.\" the name of M.I.T. not be used in advertising or publicity pertaining -.\" to distribution of the software without specific, written prior -.\" permission. M.I.T. makes no representations about the suitability of -.\" this software for any purpose. It is provided "as is" without express -.\" or implied warranty. -.\" -.TH KRB.REALMS 5 "Kerberos Version 5.0" "MIT Project Athena" -.SH NAME -krb.realms \- host to Kerberos realm translation file -.SH DESCRIPTION -.I krb.realms -provides a translation from a hostname to the Kerberos realm name for -the services provided by that host. -.PP -Each line of the translation file is in one of the following forms -(domain_name should be of the form .XXX.YYY, e.g. .LCS.MIT.EDU): -.nf -.in +5n -host_name kerberos_realm -domain_name kerberos_realm -.in -5n -.fi -If a hostname exactly matches the -.I host_name -field in a line of the first -form, the corresponding realm is the realm of the host. -If a hostname does not match any -.I host_name -in the file, but its -domain exactly matches the -.I domain_name -field in a line of the second -form, the corresponding realm is the realm of the host. 
-.PP -If no translation entry applies, the host's realm is considered to be -the hostname's domain portion converted to upper case. -For example, the following file: -.sp -.nf -.in +1i - .MIT.EDU ATHENA.MIT.EDU - .MIT.EDU. ATHENA.MIT.EDU - MIT.EDU ATHENA.MIT.EDU - DODO.MIT.EDU SMS_TEST.MIT.EDU - .UCSC.EDU CATS.UCSC.EDU - .UCSC.EDU. CATS.UCSC.EDU -.in -1i -.fi -.sp -maps dodo.mit.edu into the SMS_TEST.MIT.EDU realm, all other hosts in -the MIT.EDU domain to the ATHENA.MIT.EDU realm, and all hosts in the -UCSC.EDU domain into the CATS.UCSC.EDU realm. [The trailing dot is to -ensure that anchored domain names are properly matched.] -ucbvax.berkeley.edu would be mapped by the default rules to the -BERKELEY.EDU realm, while sage.lcs.mit.edu would be mapped to the -LCS.MIT.EDU realm. -.br -.SH FILES -.IP KRB5ROOT/krb.realms 23 -The location of krb.realms is defined at compile time by KRB5ROOT, this -is /krb5 by default. -.br -.SH SEE ALSO -krb.conf(5) diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M new file mode 100644 index 000000000..e35063d4c --- /dev/null +++ b/src/config-files/krb5.conf.M 
@@ -0,0 +1,156 @@ +.\" Copyright 1995 by the Massachusetts Institute of Technology. +.\" +.\" Export of this software from the United States of America may +.\" require a specific license from the United States Government. +.\" It is the responsibility of any person or organization contemplating +.\" export to obtain such a license before exporting. +.\" +.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and +.\" distribute this software and its documentation for any purpose and +.\" without fee is hereby granted, provided that the above copyright +.\" notice appear in all copies and that both that copyright notice and +.\" this permission notice appear in supporting documentation, and that +.\" the name of M.I.T. not be used in advertising or publicity pertaining +.\" to distribution of the software without specific, written prior +.\" permission. M.I.T. makes no representations about the suitability of +.\" this software for any purpose. It is provided "as is" without express +.\" or implied warranty. +.\" +.TH KRB5.CONF 5 "Kerberos Version 5.0" "MIT Project Athena" +.SH NAME +krb5.conf \- Kerberos configuration file +.SH DESCRIPTION +.I krb5.conf +contains configuration information needed by the Kerberos V5 library. +This includes information describing the default Kerberos realm, and +the location of the Kerberos key distribution centers for known +realms. +.PP +The +.I krb5.conf +file uses an INI-style format. Sections are delimited by square +braces; within each section, there are relations where tags can be +assigned to have specific values. Tags can also contain a subsection, +which contains further relations or subsections. A tag can be assigned +to multiple values. 
Here is an example of the INI-style format used by +.IR krb5.conf : + +.sp +.nf +.in +1i +[section1] + tag1 = value_a + tag1 = value_b + tag2 = value_c + +[section 2] + tag3 = { + subtag1 = subtag_value_a + subtag1 = subtag_value_b + subtag2 = subtag_value_c + } + tag4 = { + subtag1 = subtag_value_d + subtag2 = subtag_value_e + } +.in -1i +.fi +.sp + +.PP +The following sections are currently used in the +.I krb5.conf +file: +.IP libdefaults +Contains various default values used by the Kerberos V5 library. + +.IP realms +Contains subsections keyed by Kerberos realm names which describe +where to find the Kerberos servers for a particular realm, and other +realm-specific information. + +.IP domain_realm +Contains relations which map subdomains and domain names to Kerberos +realm names. This is used by programs to determine what realm a host +should be in, given its fully qualified domain name. + +.PP + +Each of these sections will be covered in more details in the +following sections. + +.SH LIBDEFAULTS SECTION +The following relations are defined in the [libdefaults] section: + +.IP default_domain +This relation identifies the default realm to be used in a client +host's Kerberos activity. + +.SH REALMS SECTION + +Each tag in the [realms] section of the file names as Kerberos realm, +containing a subsection where the relations in that subsection define the +properties of that particular realm. For example: +.sp +.nf +.in +1i +[realms] + ATHENA.MIT.EDU = { + kdc = KERBEROS.MIT.EDU + kdc = KERBEROS-1.MIT.EDU:750 + kdc = KERBEROS-2.MIT.EDU:88 + admin_server = KERBEROS.MIT.EDU + default_domain = MIT.EDU + } +.in -1i +.fi +.sp +The meaings of each of the relations in the subsection are defined here: + +.IP kdc +The value of this relation is the name of a host running a KDC for that realm. +An optional port number (preceeded by a colon) may be appended to the +hostname. + +.IP admin_server +This relation identifies the host where the administration server is running. 
+Typically this is the Master Kerberos server. + +.IP default_domain +This relation identifies the default domain for which hosts in this +realm are assumed to be in. This is needed for translating V4 principal names +(which do not contain a domain name) to V5 principal names (which do). + +.SH DOMAIN_REALM SECTION + +The [domain_realm] section provides a translation from a hostname to +the Kerberos realm name for the services provided by that host. +.PP +The tag name can be a hostname, or a domain name, where domain names +are indicated by a prefix of a period ('.') character. The value of +the relation is the Kerberos realm name for that particular host or domain. +Host names and domain names should be in lower case. +.PP +If no translation entry applies, the host's realm is considered to be +the hostname's domain portion converted to upper case. +For example, the following [domain_realm] section: + +.sp +.nf +.in +1i +[domain_realm] + .mit.edu = ATHENA.MIT.EDU + mit.edu = ATHENA.MIT.EDU + dodo.mit.edu = SMS_TEST.MIT.EDU + .ucsc.edu = CATS.UCSC.EDU +.in -1i +.fi +maps dodo.mit.edu into the SMS_TEST.MIT.EDU realm, all other hosts in +the MIT.EDU domain to the ATHENA.MIT.EDU realm, and all hosts in the +UCSC.EDU domain into the CATS.UCSC.EDU realm. ucbvax.berkeley.edu +would be mapped by the default rules to the BERKELEY.EDU realm, while +sage.lcs.mit.edu would be mapped to the LCS.MIT.EDU realm. + +.SH FILES +/etc/krb5.conf +
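Review bot: In convert-config-files, `strip` is called after every read (`$_ = ;` then `strip;`, and again at the top of both `while` loops) but is never defined anywhere in the 84-line script, so the first run dies with an undefined-subroutine error; and even if it were a no-op, `$default_realm` and every `$host` would keep their trailing newline and be written verbatim into the generated krb5.conf. Define it in the file, e.g. `sub strip { chop; s/\s+$//; }`, or replace the calls with `chop;`. The reads themselves also appear with no filehandle (`$_ = ;`, `while() {`, `while () {`); if that is how the file is committed rather than a rendering artifact, they need `<FILE>`. Two smaller points: `$def_realm{$realm} = $domain` silently lets the last `.domain` entry seen for a realm become its `default_domain`, so a warning to stderr when an earlier value is overwritten would save someone a debugging session, and the final `foreach $domain (keys(%dom_realm))` is unsorted while the realms loop is, so the emitted [domain_realm] order follows hash internals rather than the input file; sort it so generated files diff cleanly.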
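Review bot: In krb5.conf.M the LIBDEFAULTS SECTION documents the relation as `.IP default_domain`, but the sentence under it describes "the default realm to be used in a client host's Kerberos activity", and convert-config-files in this same commit emits `default_realm = ...` under `[libdefaults]`; the tag should read `default_realm` (and `default_domain` already has a different meaning inside a [realms] subsection, so the collision is actively misleading). The DOMAIN_REALM SECTION should also state the matching rule outright: the example contains `.mit.edu = ATHENA.MIT.EDU` yet says `sage.lcs.mit.edu` falls through to the default rule and lands in LCS.MIT.EDU, which only holds if a `.domain` tag matches a host's immediate parent domain and not every ancestor, and that an exact host entry (`dodo.mit.edu`) wins over a domain entry; a reader who has to infer that from the example will misconfigure realm mapping, which decides which KDC a client trusts to authenticate a service. Minor: "names as Kerberos realm" → "names a Kerberos realm", "meaings" → "meanings", "preceeded" → "preceded", "in more details" → "in more detail", and the [realms] example uses upper-case `kdc` hostnames a few lines before the text says host and domain names should be lower case.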