Univention Bugzilla – Bug 46530
Broken krb5.conf: kdc.database missing
Last modified: 2021-05-03 21:35:32 CEST
Created attachment 9442
Fix Kerberos UCRV and more

Since SVN commit ucs@12340 the 'database' setting is not applied, as it is no longer in the [kdc] section, but the [kadmin] section:

    # verify_krb5_conf --warn-mit-syntax
    ...
    verify_krb5_conf: /kadmin/database: unknown entry

<https://git.knut.univention.de/univention/ucs/commit/fa3da9f1e2a0771aa1bc0beb0f535dd010b71fc0#7672eb38da5e980d3451d807a7805dbefba2e0e8_56_56>
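A check for the misplacement described above, as an added example that is not part of the bug report or the UCS code: it parses krb5.conf text and reports a 'database' entry in any section other than [kdc], using the same /section/key path form as the verify_krb5_conf output. The sample config, realm and dbname path are constructed placeholders.

```python
import re

# Constructed sample: 'database' sits under [kadmin], the state the bug describes.
# Realm and dbname are placeholders, not values from the bug report.
BROKEN = """\
[libdefaults]
    default_realm = EXAMPLE.TEST

[kadmin]
    database = {
        dbname = /path/to/placeholder-db
    }
"""
# Same content with the block moved to the section the report says it belongs in.
FIXED = BROKEN.replace("[kadmin]", "[kdc]")


def setting_paths(conf_text):
    """Return every setting as a /section/key[/subkey] path."""
    paths, stack = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)  # [section] header
        if m:
            stack = [m.group(1)]
            continue
        if line == "}":                          # end of a nested block
            if len(stack) > 1:
                stack.pop()
            continue
        key, sep, value = (p.strip() for p in line.partition("="))
        if not sep or not stack:                 # not a key = value line
            continue
        paths.append("/" + "/".join(stack + [key]))
        if value == "{":                         # start of a nested block
            stack.append(key)
    return paths


def misplaced_database(conf_text):
    """Paths where 'database' is set directly in a section other than [kdc]."""
    return [p for p in setting_paths(conf_text)
            if p.count("/") == 2 and p.endswith("/database") and p != "/kdc/database"]


if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, misplaced_database(text) or "ok")
```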
Ok, maybe then we should fix the non-functional "debug" setting (supposed to be activated by UCR kerberos/defaults/debug) by something like this:

    [logging]
    krb5 = 0-100/SYSLOG:

This makes client operations like "kinit" get logged to auth.log. See https://www.h5l.org/manual/heimdal-1-5-branch/info/heimdal/Debugging-Kerberos-problems.html .

Maybe it would be even better to use a different UCR variable though and allow configuration of the values, like:

    ucr set kerberos/logging/krb5="0-100/SYSLOG:"

Btw: No clue how this relates to the [kdc] logging setting in /etc/heimdal-kdc/kdc.conf (and if there is yet another file considered by the Samba builtin Heimdal KDC). My impression is that writing "kdc" into the [logging] section of krb5.conf is not considered by any code (well, I only tested with Samba). The public documentation is not very reliable about this and we should check the source code.