
Bug #62781

Improve krb5.conf generation and fix some bugs for edge cases

Added by Hannes Stoll 2 months ago. Updated 8 days ago.

Status:
Done
Priority:
No priority
Assignee:
Andrew Walker
Category:
Services
Seen in:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
No
Needs Merging:
No
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

When "enabling" ldap (it actually fails), some script mutilates the kerberos config:

#
# krb5.conf(5) - configuration file for Kerberos 5
# $FreeBSD$
#

[app_defaults]
            pam = {
                   forwardable = true
                   ticket_lifetime = 86400
                   renew_lifetime = 86400
            }

[lib_defaults]
            dns_lookup_realm = true
            dns_lookup_kdc = true
            ticket_lifetime = 24h
            clockskew = 300
            forwadable = yes
            default_realm = {'id': 1, 'krb_realm': 'EXAMPLE.DE', 'krb_kdc': '', 'krb_admin_server': '', 'krb_kpasswd_server': ''}

[domain_realm]
            example.de = EXAMPLE.DE
            .example.de = EXAMPLE.DE
            EXAMPLE.DE = EXAMPLE.DE
            .EXAMPLE.DE = EXAMPLE.DE

[realms]
            EXAMPLE.DE = {
                   default_domain = EXAMPLE.DE
            }

[logging]
            default = SYSLOG:INFO:LOCAL7

I am pretty sure "forwadable" in lib_defaults is neither an English word nor a valid configuration option.
While we're at it: lib_defaults is not, either. That should be libdefaults, afaik. app_defaults has the same problem.

But what's really stopping everything from working is the default_realm: that should not be the whole python dict or whatever it is.
Similar typos also exist when updating the kerberos settings using the GUI.


Related issues

Copied to FreeNAS - Bug #63108: Improve krb5.conf generation and fix some bugs for edge cases (Done)

History

#1 Updated by Dru Lavigne 2 months ago

  • Category changed from GUI (new) to Services
  • Private changed from No to Yes
  • Reason for Blocked set to Need additional information from Author

Hannes: please attach a debug (System -> Advanced -> Save debug) to this ticket.

#2 Updated by Hannes Stoll 2 months ago

  • File debug-freenas-20181208144529.tgz added

#3 Updated by Hannes Stoll 2 months ago

- the typos are obviously all present in the krb.conf template in src\middlewared\middlewared\etc_files\krb5.conf

#4 Updated by Hannes Stoll 2 months ago

- I suppose, this is also wrong:

elif db['ldap']['ldap_enable'] and db['ldap']['ldap_kerberos_realm']:
            krb_default_realm = db['ldap']['ldap_kerberos_realm']

Shouldn't it be:

elif db['ldap']['ldap_enable'] and db['ldap']['ldap_kerberos_realm']:
            krb_default_realm = db['ldap']['ldap_kerberos_realm']['krb_realm']

?
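As an added example (not the project's own code), assuming the DB shape the ticket implies, where ldap_kerberos_realm is a whole realm record: the realm-name extraction from comment #4, a [libdefaults] rendering that uses it, and a small linter that catches the three defects visible in the file quoted in the description (unknown section name, misspelled key, a Python dict repr as a value).

```python
import re

# Constructed DB record in the shape the ticket implies (an assumption): a realm record, not a name.
SAMPLE_DB = {"ldap": {"ldap_enable": True, "ldap_kerberos_realm": {
    "id": 1, "krb_realm": "EXAMPLE.DE", "krb_kdc": "", "krb_admin_server": ""}}}
# Section names per krb5.conf(5); app_defaults/lib_defaults are not among them.
KNOWN_SECTIONS = {"libdefaults", "appdefaults", "realms", "domain_realm",
                  "capaths", "logging", "plugins", "kdc", "dbmodules"}
# Misspellings seen in the ticket's generated file, mapped to the right name.
TYPOS = {"forwadable": "forwardable"}
# Excerpt of the broken output quoted in the ticket, for lint_krb5_conf().
BROKEN = """[lib_defaults]
    forwadable = yes
    default_realm = {'id': 1, 'krb_realm': 'EXAMPLE.DE', 'krb_kdc': ''}
"""

def default_realm(db):
    """Return the realm *name*, not the whole record (the fix from comment #4)."""
    ldap = db["ldap"]
    if ldap["ldap_enable"] and ldap["ldap_kerberos_realm"]:
        return ldap["ldap_kerberos_realm"]["krb_realm"]
    return None

def render_libdefaults(db):
    """Render [libdefaults] with the realm name rather than its repr()."""
    out = ["[libdefaults]", "    dns_lookup_realm = true",
           "    dns_lookup_kdc = true", "    forwardable = true"]
    realm = default_realm(db)
    if realm:
        out.append(f"    default_realm = {realm}")
    return "\n".join(out) + "\n"

def lint_krb5_conf(text):
    """Flag the ticket's defect classes: bad section, misspelled key, dict repr."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line == "}":
            continue
        sec = re.fullmatch(r"\[(\w+)\]", line)
        kv = re.fullmatch(r"([\w.]+)\s*=\s*(.*)", line)
        if sec and sec.group(1) not in KNOWN_SECTIONS:
            problems.append(f"line {n}: unknown section [{sec.group(1)}]")
        elif kv and kv.group(1) in TYPOS:
            problems.append(f"line {n}: {kv.group(1)} should be {TYPOS[kv.group(1)]}")
        elif kv and kv.group(2).startswith(("{'", '{"')):
            problems.append(f"line {n}: {kv.group(1)} is a Python dict repr, not a value")
        elif not (sec or kv):
            problems.append(f"line {n}: unparsable: {line}")
    return problems
```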

#5 Updated by Andrew Walker 2 months ago

  • Status changed from Unscreened to Screened
  • Assignee changed from Release Council to Andrew Walker

I'm in the process of fixing this now.

#6 Updated by Hannes Stoll 2 months ago

Andrew Walker wrote:

"forwardable" is the correct parameter name.

Yes, it would be if written in this manner. In section lib_defaults, the r is missing.

#7 Updated by Hannes Stoll 2 months ago

And I still believe app_defaults and lib_defaults to be incorrect, having superfluous underscores.

#8 Updated by Bug Clerk 2 months ago

  • Status changed from Screened to In Progress

#9 Updated by Andrew Walker 2 months ago

#10 Updated by Andrew Walker 2 months ago

  • File krb5.conf added

Hans, can you try replacing /usr/local/lib/python3.6/site-packages/middlewared/etc_files/krb5.conf with the attached file and see if it fixes your problem?

#11 Updated by Hannes Stoll 2 months ago

krb5.conf seems reasonable now, cannot talk for your changes to the AD part as I only use kerberos + LDAP (freeipa) without AD.

Thank you very much.

#12 Updated by Hannes Stoll 2 months ago

  • File deleted (debug-freenas-20181208144529.tgz)

#13 Updated by Bug Clerk 2 months ago

  • Status changed from In Progress to Ready for Testing

#14 Updated by Bug Clerk 2 months ago

  • Target version changed from Backlog to 11.3

#15 Updated by Bug Clerk 2 months ago

  • Copied to Bug #63108: Improve krb5.conf generation and fix some bugs for edge cases added

#16 Updated by Andrew Walker 2 months ago

  • Subject changed from Rubbish in /etc/krb5.conf to Incorrect /etc/krb5.conf in kerberized LDAP environment

#17 Updated by Dru Lavigne 2 months ago

  • File deleted (krb5.conf)

#18 Updated by Dru Lavigne 2 months ago

  • Subject changed from Incorrect /etc/krb5.conf in kerberized LDAP environment to Improve krb5.conf generation and fix some bugs for edge cases
  • Private changed from Yes to No
  • Reason for Blocked deleted (Need additional information from Author)
  • Needs Doc changed from Yes to No
  • Needs Merging changed from Yes to No

#19 Updated by Dru Lavigne 29 days ago

  • Target version changed from 11.3 to 11.3-BETA1

#20 Updated by Dru Lavigne 8 days ago

  • Status changed from Ready for Testing to Done
  • Target version changed from 11.3-BETA1 to Master - FreeNAS Nightlies
  • Needs QA changed from Yes to No
