Bug 46530 - Broken krb5.conf: kdc.database missing
Status: NEW
Product: UCS
Classification: Unclassified
Component: Kerberos
UCS 5.0
Other Linux
P5 normal
Assigned To: UCS maintainers
Reported: 2018-03-07 14:45 CET by Philipp Hahn
Modified: 2021-05-03 21:35 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.103
hahn: Patch_Available+


Attachments
Fix Kerberos UCRV and more (13.71 KB, patch)
2018-03-07 14:45 CET, Philipp Hahn
Description Philipp Hahn univentionstaff 2018-03-07 14:45:03 CET
Created attachment 9442
Fix Kerberos UCRV and more

Since SVN commit ucs@12340 the 'database' setting is not applied, as it is no longer in the [kdc] section, but the [kadmin] section:

# verify_krb5_conf --warn-mit-syntax
...
verify_krb5_conf: /kadmin/database: unknown entry

<https://git.knut.univention.de/univention/ucs/commit/fa3da9f1e2a0771aa1bc0beb0f535dd010b71fc0#7672eb38da5e980d3451d807a7805dbefba2e0e8_56_56>
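
A check for the misplacement described in this report, as an added example that is not part of the original report or of the UCS code base: it lists which section carries a top-level 'database' binding in a krb5.conf. The sample file, its realm and its paths are constructed, and the parser assumes nested blocks open with "key = {" at the end of a line and close with "}" on a line of its own.

```python
import re

# Constructed sample: 'database' sits under [kadmin], the misplacement the
# report describes. Realm and paths are made up for illustration.
SAMPLE_BROKEN = """\
[libdefaults]
    default_realm = EXAMPLE.TEST

[kadmin]
    database = {
        dbname = ldap:dc=example,dc=test
        mkey_file = /var/lib/example/m-key
    }
"""
# Same content with the block moved to the section the report expects.
SAMPLE_FIXED = SAMPLE_BROKEN.replace("[kadmin]", "[kdc]")


def top_level_bindings(text):
    """Return (section, key) for bindings directly under a [section] header.

    Bindings nested inside { ... } blocks are skipped. Assumes "key = {" opens
    a block at end of line and "}" closes it on its own line.
    """
    section, depth, found = None, 0, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line) if depth == 0 else None
        if header:
            section = header.group(1)
            continue
        if line == "}":
            depth = max(depth - 1, 0)
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if depth == 0 and section is not None:
            found.append((section, key.strip()))
        if value.strip() == "{":
            depth += 1
    return found


def misplaced_database(text):
    """Sections other than [kdc] that carry a top-level 'database' binding."""
    return [s for s, k in top_level_bindings(text) if k == "database" and s != "kdc"]


def kdc_has_database(text):
    """True when [kdc] itself carries the 'database' binding."""
    return ("kdc", "database") in top_level_bindings(text)
```
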
Comment 1 Arvid Requate univentionstaff 2018-03-07 21:00:17 CET
Ok, maybe then we should fix the non-functional "debug" setting (supposed to be activated by UCR kerberos/defaults/debug) by something like this:

[logging]
        krb5 = 0-100/SYSLOG:

This makes client operations like "kinit" getting logged to auth.log. See https://www.h5l.org/manual/heimdal-1-5-branch/info/heimdal/Debugging-Kerberos-problems.html . Maybe it would be even better to use a different UCR variable though and allow configuration of the values, like:

ucr set kerberos/logging/krb5="0-100/SYSLOG:"


Btw: No clue how this relates to the [kdc] logging setting in /etc/heimdal-kdc/kdc.conf (and if there is yet another file considered by the Samba builtin Heimdal KDC). My impression is that writing "kdc" into the [logging] section of krb5.conf is not considered by any code (well, I only tested with Samba). The public documentation is not very reliable about this and we should check the source code.