Is there any consenus about using comments in krb5.conf and how it
should be parsed?
I have tried to figure out what is OK according to the documentation
but not found anything about comments in the manual pages. There
is a widespread use of comments like this:
[libdefaults]
default_realm = EXAMPLE.COM
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
and usage of "#" at the beginning of the line will make the parser
ignore that line and it works as a comment.
But if I write:
[libdefaults]
renew_lifetime = 3d # this comment will break things
this will make that this line will not parse and ignored.
Probably not what a normal user expects, especially as
kinit does not even warn about it.
Ok, a "power user" may discover verify_krb5_conf and run that command:
$ verify_krb5_conf
(...)
verify_krb5_conf: /libdefaults/renew_lifetime: failed to parse "3d # this
comment will break things" as time
(...)
it tells me that problem. But then on would expect that
verify_krb5_conf would have the same logic as kinit when telling me
what is good or bad but i has not. Looks at these examples:
Entry in krb5.conf
renew_lifetime = 3d
verify_krb5_conf
OK
kinit
consistent with above (does parse and get renewable for 3 days)
Entry in krb5.conf
renew_lifetime = 3 0
verify_krb5_conf
verify_krb5_conf: /libdefaults/renew_lifetime: failed to parse "3 0" as
time
kinit
consistent with above (does not parse and tickets are not renewable)
Entry in krb5.conf
renew_lifetime = 3 d
verify_krb5_conf
OK (no complaint)
kinit
not consistent with above (does not parse and tickets are not renewable)
Entry in krb5.conf
renew_lifetime = 3 days
verify_krb5_conf
OK (no complaint)
kinit
not consistent with above (does not parse and tickets are not renewable)
So there are several things that should be fixed to get the "least
astonoishment" on part of the user:
* Usage of comments in the file format should be documented
* Usage of # to comment rest of line would probably appreciated by most users
* kinit should warn if parts of relevant values of its options can not
be parsed properly
* The parser of kinit and verify_krb5_conf should agree if a time
string can be parsed or not, especially if whitespace should end
parsing of a time or not. Even the manual page does disagee with
itself on that matter:
STRINGs consists of one or more non-whitespace characters.
and 5 rows below:
time
values can be a list of year, month, day, hour, min, second.
Example: 1 month 2 days 30 min.
Test were made with heimdal version 7.4.0
Of course it would be nice if this would not differ too much among the
kerberos impementations.
Harald.
