[2252] in Kerberos-V5-bugs
Re: Bug fix: kdc.conf not being read
daemon@ATHENA.MIT.EDU (Jon Roma)
Sun Sep 22 13:09:39 1996
To: Sam Hartman <hartmans@MIT.EDU>
Cc: Christopher Seawood <cseawood@qualcomm.com>, krb5-bugs@MIT.EDU, kerberos@MIT.EDU
Date: Sun, 22 Sep 1996 11:57:14 -0500
From: Jon Roma <roma@uiuc.edu>
> Second, I think you are confused about the location of
>kdc.conf. The kdc.conf file must live in either the
>$prefix/lib/krb5kdc or the file specified in the KRB5_KDC_PROFILE
>environment variable. For various reasons mostly dealing with bad
>design choices in certain database abstractions, you cannot allow
>krb5.conf to specify the location of kdc.conf, as kdc.conf may specify
>an alternate location for krb5.conf. If you find a documentation
>reference that indicates this is not the case, we will certainly fix
>either the code or the docs.
I too had the same problem as Christopher, since I was working with old
copies of the config files in /etc that I had edited to update for beta 7.
My editing was being misled by the documentation.
While I found the solution eventually by looking at the source and ChangeLog
files, the documentation obscured the nature of the problem to me for longer
than I'd like to admit.
(In my experimentation with principals that I found had a maximum
ticket life of 0, I was able to get kadmin to set the maximum ticket life
to negative values and for kinit to generate tickets with these bad values.
I'll document further in a separate note if this is not a known situation.)
But back to the documentation of the kdc.conf file location; there are
several documentation references that are erroneous or potentially misleading.
The V5 Installation Guide packaged with beta 7 correctly states (in section
4.1.1.1 on page 15) both the default path of the kdc.conf file and notes that
a pointer to an alternate location may be placed in the krb5.conf file.
However, the example configuration files in the installation document
(appendix A.1 and A.2 at pp. 31-32) incorrectly show a "profile" tag
in BOTH the krb5.conf and kdc.conf file.
The sample kdc.conf and krb5.conf files in the src/config-files are also
wrong. They're backwards, i.e., they include the obsolete "profile" tag in
the kdc.conf file to point to the krb5.conf file but NOT the "profile" tag
in the krb5.conf file that's needed when the krb5.conf file resides in any
alternate location other than $prefix/lib/krb5kdc.
The man page for kdc.conf (src/config-files/kdc.conf.M) does state the
file's default path but does NOT state that this default path can be changed
in the krb5.conf file.
The krb5.conf man page (src/config-files/krb5.conf.m) does NOT document
the [kdc] section wherein one includes the "profile" tag to point at an
alternate location of the kdc.conf file.
While it is not strictly in error, the krb5kdc man page (src/kdc/krb5kdc.M)
states
Additionally, per-realm parameters may be specified in the
kdc.conf file. The location of this file may be specified by
the KRB5_KDC_PROFILE environment variable.
and could be changed to point to the default location of the kdc.conf file
(i.e., the value of $prefix/lib/krb5kdc) or at least make reference to the
fact that this location can be changed in the krb5.conf file.
One other semi-related documentation issue is that the "-n" (the "don't fork
and go into the background") flag on krb5kdc is NOT documented. This should
be documented since proper operation of the KDC under /etc/inittab would
REQUIRE this flag.
The man page for kadmind (src/kadmin/server/kadmind.M) DOES document the
equivalent "-nofork" option but states
In normal operation, you should always allow the server place
itself in the background.
Aside from the missing "to" before the word "place", the statement isn't
accurate vis-a-vis systems with /etc/inittab. I and no doubt many others
prefer to start daemons like the KDC and kadmind from /etc/inittab with the
"respawn" option so that they will restart on failure. In this context,
one very much NEEDS the process started by init to NOT fork itself into the
background.
As an aside, shouldn't the default ticket lifetime for kinit be an option
settable in the [libdefaults] section of the krb5.conf rather than a
compiled-in default of 10 hours?