The current kdc.conf (/etc/kdc.conf) is ignored. The default location for kdc.conf is /usr/local/var/krb5kdc/kdc.conf. This can be set to a different location by setting the env variable KRB5_KDC_PROFILE; however, this is not done in the init script.

Reproducible: Always

Steps to Reproduce:
1. Change values in /etc/kdc.conf
2. /etc/init.d/mit-krb5kdc restart

Actual Results:
config changes are not realized

Expected Results:
config changes are realized

I classify this as major because this will cause the KDC to not function properly. The solution is to simply set the env variable to point to /etc/kdc.conf. I will attach the solution once the bug is filed.
Created attachment 74656: Diff of fixed /etc/init.d/mit-krb5kdc with original

This is the output of: diff mit-krb5kdc mit-krb5kdc.new
/etc/init.d/mit-krb5kdc.new is the fixed version.
Obviously there is generally some confusion about the correct locations of the configuration files. As long as "/etc/krb5.conf" is found, which points by itself to the "kdc.conf" of the current profile (/etc/krb5kdc/kdc.conf), almost everything seems to be OK... besides duplicate entries in the log files of "kadmind" and "krb5kdc" (... and a long delay when kadmind is launched during system startup that is obviously due to "missing (u)random data").

Following the thread at http://mailman.mit.edu/pipermail/krb5-bugs/2005-December/004140.html that suggests to set the environment variable KRB5_CONFIG fixed this problem (duplicate entries) for me. So I don't think that KRB5_KDC_PROFILE should be set. Instead both "mit-krb5kadmind" and "mit-krb5kdc" in "/etc/init.d" should set KRB5_CONFIG to "/etc/krb5.conf" -- which would be found anyway, but prevents the duplicate log entries -- and /etc/kdc.conf should not be pre-installed at all.

By the way: I'm using
* app-crypt/mit-krb5-1.4.1-r2 +berkdb -doc -ipv6 -krb4 -static -tcltk -tetex
* dev-libs/openssl-0.9.7e-r2 -bindist -emacs -test +zlib

Cheers, Axel
Addition: In fact a sample "kdc.conf" can or should be installed, but not into "/etc" but into "/etc/krb5kdc/", because the sample "krb5.conf" points to a "kdc.conf" that is stored there and not in "/etc". Personally I would prefer the sample files to be named "/etc/krb5.conf.sample" and "/etc/krb5kdc/kdc.conf.sample", because it is very unlikely that someone really expects the gentoo "mit-krb5" package to serve the EXAMPLE.COM realm "out-of-the-box". Axel
Axel, that's a good point. We should probably do that for heimdal as well.
mit-krb5-1.4.3-r1 has this fixed. I'm going to be fast-tracking it to stable, because of the compile fixes as well. heimdal-0.7.2 and 0.7.2-r1 got this fix as well.
*** Bug 167815 has been marked as a duplicate of this bug. ***
Eh...
1/ This has never been properly fixed; this bug as I understand it is not about installing stuff as *.conf.example but about the file being ignored in /etc (see Bug 167815).
2/ drizzt truncated the ChangeLog in a horrible way (the first entry is Jan 10 200 ?!7), plz. fix it.
http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-crypt/mit-krb5/ChangeLog?hideattic=0&r1=1.137&r2=1.138
closing, as no more problems were reported with this. if there are issues, please reopen and explain :)
*** Bug 189420 has been marked as a duplicate of this bug. ***
This is not fixed -- /etc/kdc.conf is not read by any of the kdc utilities. /var/lib/krb5kdc/kdc.conf is, but this location is not documented, nor is it ideal. How is it that krb5.conf can "point to" kdc.conf? There is no such option in the example or the man page... Apparently I'm not allowed to reopen the bug.
Yep, you are right, I just checked and the 1.5.3 version still has this "bug". Dunno if we should call it a bug though. In essence, yes, it could become annoying, as many distros and BSDs use some kind of directory in /etc to configure the KDC (usually, /etc/krb5kdc in debian or /etc/KerberosV for netbsd). Provided man pages are not totally clear on that matter too. You just have to know that it resides in /var/lib/kerberos, but some other ebuilds do have this behaviour (like pgsql). IMHO, creating some default kdc.conf and putting it in the right directory would be sufficient to point users to the default config path chosen for Kerberos. Just my 2 cents.
Since the ebuild does not create the /var/lib/krb5kdc directory, but does create /etc/kdc.conf.example, the only logical assumption for a user is that /etc/kdc.conf is always read and they can set up the kdc wherever they like (such as /var/krb5kdc). This causes a lot of frustration, especially when one is used to debian's /etc/krb5kdc/kdc.conf. For me it would be acceptable if kdc.conf.example were simply placed in the correct location (/var/lib/krb5kdc), though I would prefer it to be in /etc. "You just have to know" is not an acceptable strategy for creating happy users ;)
I see your point. As seen in the mit-krb5 ebuild for 1.5.3, the kdc.conf example is installed in /etc (just checked the ebuild), and elog points to the docs found in /usr/share/doc/mit-krb5-1.5.3/html/krb5-admin/kdc.conf.html. However, it states that the kdc.conf file is found in /usr/local/var/krb5kdc, which is the localstatedir path by default. But ebuild installs the default config file in /etc/kdc.conf.example, and finding the correct location needs some thinking. I am CCing kerberos@gentoo.org, since drizzt seems to be on holidays on his dev status. There are many ways to fix this (from source patching to ebuild); I can provide a patch if necessary, but it is all up to what suits best to the MIT krb maintainers. Seemant?
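
The lookup rule this thread keeps returning to (KRB5_KDC_PROFILE if set, otherwise the compiled-in LOCALSTATEDIR/krb5kdc/kdc.conf) can be checked before a restart. The following is an added example, not part of the bug report, its attachment or the ebuild; the function names are hypothetical, and localstatedir is passed in as a parameter because the thread mentions both /usr/local/var and /var/lib.

```shell
#!/bin/sh
# Added example; not taken from the bug report, the attachment or the ebuild.
# Function names are hypothetical. Rule modelled (as described in the thread):
#   1. KRB5_KDC_PROFILE, when set, names the kdc.conf to read.
#   2. Otherwise the compiled-in default LOCALSTATEDIR/krb5kdc/kdc.conf is used.

# effective_kdc_conf LOCALSTATEDIR [PROFILE]
# Print the path a KDC started with this environment would read.
effective_kdc_conf() {
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$2"
    else
        printf '%s/krb5kdc/kdc.conf\n' "$1"
    fi
}

# check_kdc_conf EDITED LOCALSTATEDIR [PROFILE]
# Return 0 if EDITED is the file the KDC reads, 1 if edits to EDITED are
# silently ignored, 2 if the effective file does not exist at all.
check_kdc_conf() {
    effective=$(effective_kdc_conf "$2" "${3:-}")
    if [ ! -e "$effective" ]; then
        echo "missing: KDC would read $effective, which does not exist" >&2
        return 2
    fi
    # -ef compares device and inode, so a symlink from EDITED to the
    # effective path counts as the same file.
    if [ "$1" -ef "$effective" ]; then
        echo "ok: $1 is the effective kdc.conf"
        return 0
    fi
    echo "ignored: KDC reads $effective, not $1" >&2
    return 1
}

# Typical call on the reporter's setup (localstatedir is build-specific):
#   check_kdc_conf /etc/kdc.conf /usr/local/var "${KRB5_KDC_PROFILE:-}"
```

The value that matters is the environment the init script gives the daemon, not that of an interactive shell, so pass the KRB5_KDC_PROFILE value the init script exports (or none, if it exports nothing).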