
Bug #63108

Improve krb5.conf generation and fix some bugs for edge cases

Added by Bug Clerk almost 3 years ago. Updated over 2 years ago.

Status: Done
Priority: No priority
Assignee: Andrew Walker
Category: Services
Target version:
Seen in:
Severity: New
Reason for Closing:
Reason for Blocked:
Needs QA: No
Needs Doc: No
Needs Merging: No
Needs Automation: No
Support Suite Ticket: n/a
Hardware Configuration:
ChangeLog Required: No

Description

When "enabling" ldap (it actually fails), some script mutilates the kerberos config:

#
# krb5.conf(5) - configuration file for Kerberos 5
# $FreeBSD$
#

[app_defaults]
            pam = {
                   forwardable = true
                   ticket_lifetime = 86400
                   renew_lifetime = 86400
            }

[lib_defaults]
            dns_lookup_realm = true
            dns_lookup_kdc = true
            ticket_lifetime = 24h
            clockskew = 300
            forwadable = yes
            default_realm = {'id': 1, 'krb_realm': 'EXAMPLE.DE', 'krb_kdc': '', 'krb_admin_server': '', 'krb_kpasswd_server': ''}

[domain_realm]
            example.de = EXAMPLE.DE
            .example.de = EXAMPLE.DE
            EXAMPLE.DE = EXAMPLE.DE
            .EXAMPLE.DE = EXAMPLE.DE

[realms]
            EXAMPLE.DE = {
                   default_domain = EXAMPLE.DE
            }

[logging]
            default = SYSLOG:INFO:LOCAL7

I am pretty sure "forwadable" in lib_defaults is neither an English word nor a valid configuration option.
While we're at it: lib_defaults is not, either. That should be libdefaults, afaik. app_defaults has the same problem.

But what's really stopping everything from working is the default_realm: that should not be the whole python dict or whatever it is.
Similar typos also exist when updating the kerberos settings using the GUI.

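As an added illustration (not code from the FreeNAS middleware or from the reporter): a minimal Python sketch of the defect the description shows, where the realm row is interpolated as a whole dict, beside a corrected renderer and a small linter that flags all three mistakes (misspelled section, misspelled option, non-realm default_realm). REALM_ROW, the section/option lists and the function names are assumptions made for this example.

```python
import re

# Constructed from the record above: the datastore hands back the realm as a
# dict and the old template interpolated that dict verbatim into default_realm.
REALM_ROW = {'id': 1, 'krb_realm': 'EXAMPLE.DE', 'krb_kdc': '',
             'krb_admin_server': '', 'krb_kpasswd_server': ''}
# Section names and libdefaults keys per krb5.conf(5); an assumed subset, not exhaustive.
VALID_SECTIONS = {"libdefaults", "appdefaults", "realms", "domain_realm", "logging"}
VALID_LIBDEFAULTS = {"default_realm", "dns_lookup_realm", "dns_lookup_kdc",
                     "ticket_lifetime", "renew_lifetime", "clockskew", "forwardable"}
SECTION_RE = re.compile(r"^\[(\w+)\]\s*$")
OPTION_RE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")
REALM_RE = re.compile(r"[A-Za-z0-9.\-]+")

def render_buggy(realm_row):
    """Reproduces the report's defects: bad section name, typo'd key, str(dict) as realm."""
    return "[lib_defaults]\n    forwadable = yes\n    default_realm = %s\n" % (realm_row,)

def render_fixed(realm_row):
    """Emits libdefaults/realms from the realm name plus any non-empty server fields."""
    realm = realm_row["krb_realm"]
    out = ["[libdefaults]", "    forwardable = true", f"    default_realm = {realm}",
           "", "[realms]", f"    {realm} = {{"]
    for field, opt in (("krb_kdc", "kdc"), ("krb_admin_server", "admin_server"),
                       ("krb_kpasswd_server", "kpasswd_server")):
        if realm_row.get(field):          # empty means "discover via DNS", so omit it
            out.append(f"        {opt} = {realm_row[field]}")
    out.append("    }")
    return "\n".join(out) + "\n"

def lint_krb5_conf(text):
    """Lists misspelled sections, unknown libdefaults keys and non-realm default_realm values."""
    problems, section = [], None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section = m.group(1)
            if section not in VALID_SECTIONS:
                guess = section.replace("_", "")   # lib_defaults -> libdefaults
                hint = f", did you mean [{guess}]?" if guess in VALID_SECTIONS else ""
                problems.append(f"unknown section [{section}]{hint}")
                section = guess if hint else section  # keep checking keys under the intended section
            continue
        if (m := OPTION_RE.match(line)) and section == "libdefaults":
            key, val = m.groups()
            if key not in VALID_LIBDEFAULTS:
                problems.append(f"unknown libdefaults option '{key}'")
            if key == "default_realm" and not REALM_RE.fullmatch(val):
                problems.append(f"default_realm is not a realm name: {val!r}")
    return problems
```

Running the linter over the generated file before it is written to /etc/krb5.conf is the cheap regression check for exactly this class of template bug.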

Related issues

Has duplicate FreeNAS - Bug #62802: Error in krb5.conf after update to 11.2 (Closed)
Copied from FreeNAS - Bug #62781: Improve krb5.conf generation and fix some bugs for edge cases (Done)

History

#1 Updated by Bug Clerk almost 3 years ago

  • Copied from Bug #62781: Improve krb5.conf generation and fix some bugs for edge cases added

#2 Updated by Bug Clerk almost 3 years ago

  • Target version changed from Master - FreeNAS Nightlies to 11.2-U2

#3 Updated by Bug Clerk almost 3 years ago

  • Status changed from Unscreened to In Progress

#4 Updated by Bug Clerk almost 3 years ago

  • Status changed from In Progress to Ready for Testing

#5 Updated by Dru Lavigne almost 3 years ago

  • Subject changed from Rubbish in /etc/krb5.conf to Improve krb5.conf generation and fix some bugs for edge cases
  • Needs Doc changed from Yes to No
  • Needs Merging changed from Yes to No

#6 Updated by Dru Lavigne almost 3 years ago

  • Has duplicate Bug #62802: Error in krb5.conf after update to 11.2 added

#9 Updated by Bonnie Follweiler over 2 years ago

  • Status changed from Ready for Testing to Passed Testing
  • Needs QA changed from Yes to No

#11 Updated by Dru Lavigne over 2 years ago

  • Status changed from Passed Testing to Done

#12 Updated by Sean Fagan over 2 years ago

Bonnie asked me to look at this; Kerberos is outside my current experience, but I did note a few things.

From looking at the documentation, setting "default_realm" in "[libdefaults]" should allow you to do "kinit" with no username or realm given, and it should then try to get a ticket for ${USERNAME}@{DEFAULT_REALM}. So that's one thing to test.
