How krb5.conf is parsed (especially in respect to comments)

Jeffrey Altman jaltman at
Mon Mar 26 16:31:25 CEST 2018

On 3/26/2018 5:29 AM, Harald Barth wrote:
> Is there any consenus about using comments in krb5.conf and how it
> should be parsed?


> I have tried to figure out what is OK according to the documentation
> but not found anything about comments in the manual pages. There
> is a widespread use of comments like this:
> [libdefaults]
> 	default_realm = EXAMPLE.COM
> # The following krb5.conf variables are only for MIT Kerberos.
> 	krb4_config = /etc/krb.conf
> 	krb4_realms = /etc/krb.realms
> and usage of "#" at the beginning of the line will make the parser
> ignore that line and it works as a comment.

The above is a comment.

> But if I write:
> [libdefaults]
> 	renew_lifetime = 3d # this comment will break things

This is not a comment.  This is setting the value of "renew_lifetime" to
the string "3d # this comment will break things".   The error that is
generated is the failure of

  "3d # this comment will break things"

to be a valid date string.

It is perfectly valid for a '#' to be present in a value string.  A
value string is all of the contents to the right of the equal sign until
the end of line.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4080 bytes
Desc: S/MIME Cryptographic Signature
URL: <>

More information about the Heimdal-discuss mailing list