Is there any consensus about using comments in krb5.conf and how it should be parsed?
I have tried to figure out what is OK according to the documentation but have not found anything about comments in the manual pages. There is a widespread use of comments like this:

    [libdefaults]
        default_realm = EXAMPLE.COM

    # The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms

and usage of "#" at the beginning of the line will make the parser ignore that line and it works as a comment.

But if I write:

    [libdefaults]
        renew_lifetime = 3d # this comment will break things

this will make this line fail to parse and be ignored. Probably not what a normal user expects, especially as kinit does not even warn about it.

Ok, a "power user" may discover verify_krb5_conf and run that command:

    $ verify_krb5_conf
    (...)
    verify_krb5_conf: /libdefaults/renew_lifetime: failed to parse "3d # this comment will break things" as time
    (...)

It tells me about that problem. But then one would expect that verify_krb5_conf would have the same logic as kinit when telling me what is good or bad, but it has not.
Look at these examples:

    Entry in krb5.conf:  renew_lifetime = 3d
    verify_krb5_conf:    OK
    kinit:               consistent with above (does parse and get renewable for 3 days)

    Entry in krb5.conf:  renew_lifetime = 3 0
    verify_krb5_conf:    verify_krb5_conf: /libdefaults/renew_lifetime: failed to parse "3 0" as time
    kinit:               consistent with above (does not parse and tickets are not renewable)

    Entry in krb5.conf:  renew_lifetime = 3 d
    verify_krb5_conf:    OK (no complaint)
    kinit:               not consistent with above (does not parse and tickets are not renewable)

    Entry in krb5.conf:  renew_lifetime = 3 days
    verify_krb5_conf:    OK (no complaint)
    kinit:               not consistent with above (does not parse and tickets are not renewable)

So there are several things that should be fixed to get the "least astonishment" on the part of the user:

* Usage of comments in the file format should be documented
* Usage of # to comment the rest of a line would probably be appreciated by most users
* kinit should warn if parts of relevant values of its options cannot be parsed properly
* The parsers of kinit and verify_krb5_conf should agree on whether a time string can be parsed or not, especially on whether whitespace should end parsing of a time or not.

Even the manual page disagrees with itself on that matter:

    STRINGs consists of one or more non-whitespace characters.

and 5 rows below:

    time values can be a list of year, month, day, hour, min, second. Example: 1 month 2 days 30 min.

Tests were made with heimdal version 7.4.0.

Of course it would be nice if this did not differ too much among the Kerberos implementations.

Harald.
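
A lint check for the two pitfalls reported in the message above (a "#" after a value, and whitespace inside a time value), as an added example that is not part of the original post or of Heimdal. The function name `lint_krb5_conf`, the `TIME_KEYS` set (only `renew_lifetime` comes from the post; `ticket_lifetime` is an assumption) and the sample file are constructed for illustration.

```python
import re

# Keys treated as time values. renew_lifetime is taken from the post;
# ticket_lifetime is an added assumption for illustration.
TIME_KEYS = {"renew_lifetime", "ticket_lifetime"}


def lint_krb5_conf(text):
    """Return a list of (line_number, key, message) findings."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Blank lines, section headers, braces and whole-line "#" comments
        # are not key/value settings, so there is nothing to check.
        if not line or line.startswith(("#", "[", "{", "}")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if "#" in value:
            # Per the post, the text after "#" stays part of the value.
            findings.append(
                (n, key, "'#' after a value is not treated as a comment"))
        elif key in TIME_KEYS and re.search(r"\s", value):
            # Per the post, kinit and verify_krb5_conf disagree here.
            findings.append(
                (n, key, "whitespace in time value; tools may disagree"))
    return findings


# Constructed sample input, modelled on the snippets in the post.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # whole-line comment, ignored by the parser
    renew_lifetime = 3d # this comment will break things
    ticket_lifetime = 3 days
"""

if __name__ == "__main__":
    for n, key, msg in lint_krb5_conf(SAMPLE):
        print(f"line {n}: {key}: {msg}")
```

Because kinit gives no warning when such a value fails to parse, a check like this is most useful before the file is deployed, alongside verify_krb5_conf.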