Problems with kprop and incremental propagation - works but bugs found
Matej Zagiba
matej.zagiba at fmph.uniba.sk
Thu Nov 18 04:21:01 EST 2010
Hi Jeremy,
if You configure/make/install kerberos with --prefix=/krb5, then default place for kdc configuration and database file is
/krb5/var/krb5kdc/ - so Your file paths are all default ones. Hence You don't need any workarounds.
On debian however, the policy is to place configuration files under /etc and database files under /var/lib/krb5kdc.
This requires explicit configuration in kdc.conf file (or krb5.conf, but that is non-intuitive) which is ignored
by kpropd when calling ulog_replay. In manual page only kdc.conf is mentioned as configuration file and -F option to
set principal database is documented, but none of it works with ulog_reply().
On 11/17/2010 01:24 AM, Jeremy Hunt wrote:
> Hi Greg,
>
> I don't know that your conclusions are necessarily true. I would say
> the only bug is that the location of the principal database (and
> therefore the location of kdc.conf) is not settable in krb5.conf. My
> point is that if you can override the kdc location in krb5.conf then
> you can put the correct subsection in the realms section of the
> kdc.conf and everything will work. Of course, if Matej had been able
> to set the location of his principal database in the krb5.conf file,
> then everything would work as he defined it from that file without
> reference to a kdc.conf file.
>
> I administer a more static domain than Matej, but I suspect that is
> irrelevant. I built my version of kerberos to use /krb5 as the
> containing directory for everything and configured incremental
> propagation entirely in kdc.conf. I needed none of the workarounds
> Matej did, my incremental propagation works seamlessly.
>
> To put this in perspective my realm is used correctly and so is
> Matej's now he has correctly defined his domain in the domain_realm
> section of krb5.conf. The location of my principal database is
> /krb5/var/krb5kdc, this is not a typical location.
>
> I put the directives as defined in the documentation in the
> subsection for my domain in the realms section of the kdc.conf file,
> and put the kdc.conf file in the same directory as the principal
> database. I built my kerberos by configuring with " --prefix=/krb5
> --exec-prefix=/krb5" which set @LOCALSTATEDIR+/krb5/var in the
> Makefile, this defines the location of my principal database as
> /krb5/var/krb5kdc.
>
> For what it is worth here is a sanitised version of my configuration,
> which works as advertised with no principal pathnames defined:
>
> /krb5/etc/krb5.conf
> --------------------------
> [libdefaults]
> # irrelevant, except possibly this
> default_realm = MYREALM.COM
>
> [appdefaults]
> # irrelevant
>
> [realms]
> # only relevant in it defines where propagation is from and to
> MYREALM.COM = {
> kdc = kdc1
> kdc = kdc2
> admin_server = kdc1
> # I am not advertising my password port here
> kpasswd_server = kdc1:myPasswdPort
> }
>
> [domain_realm]
> # The lines for my kdc systems probably set the realm correctly. this is satisfactory if you can do it this way.
> # Matej's setting is more general, more elegant and entirely satisfactory,
> # remember his settings were initially wrong and this was one of the causes of his problems
> kdc1 = MYREALM.COM
> kdc2 = MYREALM.COM
> sys1 = MYREALM.COM
> sys2 = MYREALM.COM
> sys3 = MYREALM.COM
> # etcetera
>
> [logging]
> # irrelevant
>
> /krb5/var/krb5kdc/kdc.conf
> -------------------------------------
> [kdcdefaults]
> # irrelevant
>
> [realms]
> MYREALM.COM= {
> # Left out irrelevant stuff in this email like principal flags and enctypes, ports, files used, etcetera
> # From my build, the location of kdc.conf is known
> # The realm is referred to in this subsection.
> # Incremental propagation is defined in the simplest way
> # the principal database is found and the correct realm is used
> iprop_enable = true
> iprop_port = 2107
> }
>
> [logging]
> # irrelevant
>
> On 16/11/2010 11:14 AM, Greg Hudson wrote:
>> [safeTgram (safetgram-in) receive status: NOT encrypted, NOT signed.]
>>
>>
>> I can confirm two bugs that you have encountered and worked around:
>>
>> 1. kprop uses krb5_sname_to_principal() to determine its client
>> principal, and does not understand the referral realm. So it does not
>> work without a -r parameter unless the profile's domain_realm section
>> can map the local hostname. You worked around this by correcting your
>> existing domain_realm section in your profile.
>> A reasonable, if not perfect, fix here is to do what kpropd does in a
>> similiar piece of code: substitute the default realm for the referral
>> realm when using the result of krb5_sname_to_principal() as a client
>> principal.
>>
>> 2. kpropd, when processing incremental updates, modifies the KDB using
>> ulog_replay(), but does not initialize its context to use the KDC
>> profile, so it uses only settings from krb5.conf to find the KDB. You
>> worked around this with symlinks. An alternative workaround would be to
>> put the KDB configuration into krb5.conf instead of kdc.conf. (In the
>> past, it used to be required to put KDB configuration into krb5.conf.
>> That odd requirement was relaxed somewhere around krb5 1.5 for most
>> programs which run on the KDC, but a few have escaped the net, including
>> kpropd.)
>>
>> I will open issues for both bugs and try to get them fixed for 1.9.
>> Thanks for your investigative work.
>>
>>
>> ________________________________________________
>> Kerberos mailing list Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
> --
>
> "The whole modern world has divided itself into Conservatives and
> Progressives. The business of Progressives is to go on making
> mistakes. The business of the Conservatives is to prevent the
> mistakes from being corrected." -- G. K. Chesterton
>
More information about the Kerberos
mailing list