Hi,

On Tue, Jul 9, 2024 at 2:23 PM Russ Allbery <r...@debian.org> wrote:
>
> Andreas Hasenack <andr...@canonical.com> writes:
>
> > If I include it via this krb5.conf:
> > [libdefaults]
> > includedir /etc/krb5.conf.d
> > default_realm = LOWTECH
>
> > default realm is LXD.
>
> > If I include it like this:
> > [libdefaults]
> > default_realm = LOWTECH
> > includedir /etc/krb5.conf.d
>
> > Then default realm is LOWTECH.
>
> Do both MIT and Heimdal use the same order (first seen wins)?  I hope so,
> otherwise this is going to be tricky.

A quick test exactly like above with MIT kerberos 1.20.1 showed the
same result, i.e., first one wins.

Still on this topic, the unit tests added to heimdal also use the
include statement at the top, outside any section.


>
> > I think it's best to have the includedir at the very top, outside any
> > section. Seems to be the least surprising.
>
> I think that's right.  That means that fragments will override anything in
> the base /etc/krb5.conf, which feels correct to me.  We should add a
> prominent comment to the top of the default /etc/krb5.conf that explains
> this, as well as a NEWS.Debian entry.
>
> Do both MIT and Heimdal sort the fragments alphabetically before including
> them, so that there's some predictable order for which fragments override
> each other?  We'll want to document the ordering.

The krb5.conf manpages document it.

MIT:

    The krb5.conf file can include other files using either of the
    following directives at the beginning of a line:

        include FILENAME
        includedir DIRNAME

    FILENAME or DIRNAME should be an absolute path. The named file or
    directory must exist and be readable. Including a directory includes
    all files within the directory whose names consist solely of
    alphanumeric characters, dashes, or underscores. Starting in release
    1.15, files with names ending in ".conf" are also included, unless the
    name begins with ".". Included profile files are syntactically
    independent of their parents, so each included file must begin with a
    section header. Starting in release 1.17, files are read in
    alphanumeric order; in previous releases, they may be read in any
    order.


Heimdal's krb5.conf manpage (with the patches applied):

    Files and directories may be included by absolute path. Including a
    directory causes all files in the directory to be included as if each
    file had been included separately, but only files whose names consist
    of alphanumeric, hyphen, and underscore are included, though they may
    also end in '.conf'.

Heimdal doesn't mention ordering, so it's readdir() ordering, whatever that is:

+    if ((d = opendir(dname)) == NULL)
+        return errno;
+
+    while ((entry = readdir(d)) != NULL) {
(...)
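Review bot: the loop at `while ((entry = readdir(d)) != NULL)` processes fragments in directory order, which is unspecified and filesystem-dependent, so with first-seen-wins semantics the value a relation like default_realm ends up with can differ between hosts that carry the same set of fragments. Suggest collecting the eligible names from readdir() into a list, sorting it, and only then reading the files in that order, matching the qsort() step MIT applies, so the ordering can be documented and is the same on both implementations.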

MIT also does opendir/readdir, but at the end calls qsort to order the list:

https://github.com/krb5/krb5/blob/47371f6db423e7dba29afe696282ddfc0b92a81c/src/util/support/dir_filenames.c#L130
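To make the two behaviours discussed in this thread concrete (alphanumeric fragment ordering with the manpage's name filter, and first-seen-wins for a relation such as default_realm), here is a small model of krb5.conf include resolution. It is an added example written for this thread, not libkrb5's or Heimdal's profile parser; the `eligible`, `expand`, `resolve` and `demo` names are my own, and the two layouts it builds under a temporary directory are constructed to reproduce the LXD/LOWTECH test above.

```python
"""Model of krb5.conf include/includedir resolution (constructed example).

Reproduces the behaviour discussed in the thread: an included directory is
expanded to its eligible files in alphanumeric order (MIT >= 1.17), and for
a scalar relation such as default_realm the first value seen wins.  This is
a teaching model, not libkrb5's profile parser.
"""
import os
import re
import tempfile

# Name filter from the MIT krb5.conf manpage: names made only of
# alphanumerics, dashes and underscores, or names ending in ".conf"
# that do not start with ".".
_PLAIN = re.compile(r"^[A-Za-z0-9_-]+$")


def eligible(name: str) -> bool:
    """True if a directory entry name would be picked up by includedir."""
    if _PLAIN.match(name):
        return True
    return name.endswith(".conf") and not name.startswith(".")


def expand(path: str, seen=None) -> list:
    """Return the flat list of (section, key, value) tuples in read order."""
    if seen is None:
        seen = set()
    if path in seen:  # guard against include loops
        return []
    seen.add(path)
    out, section = [], None
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("include "):
                out += expand(line.split(None, 1)[1], seen)
            elif line.startswith("includedir "):
                dname = line.split(None, 1)[1]
                # sorted() models the qsort() MIT applies since 1.17;
                # Heimdal's readdir() order would be unspecified here.
                for name in sorted(os.listdir(dname)):
                    full = os.path.join(dname, name)
                    if eligible(name) and os.path.isfile(full):
                        out += expand(full, seen)
            elif line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif "=" in line and section is not None:
                k, v = (s.strip() for s in line.split("=", 1))
                out.append((section, k, v))
    return out


def resolve(path: str) -> dict:
    """First value seen for each (section, key) wins, as the thread's tests show."""
    merged = {}
    for section, k, v in expand(path):
        merged.setdefault((section, k), v)
    return merged


def demo(includedir_first: bool) -> str:
    """Build one of the two krb5.conf layouts from the thread (constructed
    files in a temp dir) and return the default_realm that wins."""
    with tempfile.TemporaryDirectory() as tmp:
        frag_dir = os.path.join(tmp, "krb5.conf.d")
        os.mkdir(frag_dir)
        with open(os.path.join(frag_dir, "lxd"), "w") as f:
            f.write("[libdefaults]\n default_realm = LXD\n")
        # Dotfile: excluded by the name filter, so it never contributes.
        with open(os.path.join(frag_dir, ".hidden.conf"), "w") as f:
            f.write("[libdefaults]\n default_realm = HIDDEN\n")
        if includedir_first:
            body = ["[libdefaults]", "includedir " + frag_dir,
                    "default_realm = LOWTECH"]
        else:
            body = ["[libdefaults]", "default_realm = LOWTECH",
                    "includedir " + frag_dir]
        main = os.path.join(tmp, "krb5.conf")
        with open(main, "w") as f:
            f.write("\n".join(body) + "\n")
        return resolve(main)[("libdefaults", "default_realm")]


if __name__ == "__main__":
    # includedir before default_realm -> LXD; after -> LOWTECH
    print(demo(True), demo(False))
```

Running it prints the same outcome as the two manual tests: the fragment wins only when the includedir line precedes the relation, which is why putting includedir at the very top of the file gives fragments a predictable override of everything in the base file.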
