Bug 1577222

Summary: krb5-libs shipped in rhel 7.5 breaks heimdal-kdc

Field | Value
---|---
Product | [Fedora] Fedora EPEL
Reporter | Klarna IOCS <itops.dc>
Component | heimdal
Assignee | Ken Dreyer <ktdreyer>
Status | CLOSED EOL
QA Contact | Fedora Extras Quality Assurance <extras-qa>
Severity | low
Priority | unspecified
Version | epel7
CC | dpal, ktdreyer, pkis, sergio
Target Milestone | ---
Target Release | ---
Hardware | x86_64
OS | Linux
Doc Type | If docs needed, set a value
Story Points | ---
Last Closed | 2024-07-09 02:21:08 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Description (reporter: Klarna IOCS, 2018-05-11 13:47:52 UTC)
I'm really sorry to hear that, but it's kind of too late to revert this in krb5. We added this as part of RHEL-7.3; prior to that, it was in Fedora since 2015. (We also do have a need for it - services using an include directory include crypto-policies, sssd, freeipa, and fedora_packager.) Moreover, sssd has been configuring an include directory for even longer - possibly since the beginning of the project, though it definitely predates me either way.

Additionally, Heimdal is not a shipped or supported part of RHEL (which is in part why I keep bringing up Fedora). I hope it wouldn't break by picking up the (required) krb5 libraries on the system, but that's best effort since Heimdal upstream was dormant for so long.

In the short term, I'm reassigning this bug to Heimdal in the hopes it can be resolved there. Heimdal folks, if there's any assistance I can provide, please let me know.

For RHEL configurations, as expected I recommend using krb5 for KDC (optionally with freeipa) rather than Heimdal. If you would like assistance in migration, we can assist in that. If you would like to keep this configuration, in the short term you're going to have to remove this line.

Additional information: Heimdal docs suggest that this should work, as per their example config file: https://github.com/heimdal/heimdal/blob/master/doc/setup.texi#L55-L74

No problem! I've quick-fixed the issue temporarily with `# chattr +i /etc/krb5.conf` since I didn't want to poke around in the configs too much. Another solution that's a bit less drastic is to just add the include line at the bottom of /etc/krb5.conf, as it doesn't seem to break Heimdal; not suggesting that krb5-libs should do that, just a pointer if somebody else runs into this. Also not sure what happens with other applications or if heimdal updates values as expected when the line is at the bottom of the file.

Cheers

(In reply to Robbie Harwood from comment #3)
> Additional information: Heimdal docs suggest that this should work, as per
> their example config file:
> https://github.com/heimdal/heimdal/blob/master/doc/setup.texi#L55-L74

It works, when the includedir statement is after whatever settings you have in /etc/krb5.conf :)

I read bz 1431198 and some things are not clear to me. Users expect to do the /etc/krb5.conf.rpmnew -> /etc/krb5.conf transition like other RHEL packages. I agree with your quote in that bug Robbie: "freeipa either needs to pay more attention to the system krb5.conf". If FreeIPA needed the missing includedir, it could add it itself, rather than having krb5-libs do this. I get that the ship has sailed on this particular includedir change in RHEL 7.5; however, if the FreeIPA team wants krb5-libs to do more in-place krb5.conf changes on a file marked %config(noreplace), please point them at this bug.

At any rate, I get that this is a sticky issue, and thank you Robbie for looking into the Heimdal docs there! I agree with Robbie that if you're running a Kerberos environment based on Heimdal, please do give FreeIPA a try. I packaged Heimdal for Fedora and EPEL because my previous employer ran Heimdal on a Solaris environment where we then moved to Linux. I still try to keep Heimdal building on EL7 and Fedora, because I think it's worth it to have the bits available for users who were in my same situation, but I hope it's clear that the FreeIPA experience will always be more integrated on Red Hat-based platforms.

Klarna, what is the specific issue with "includedir" ordering you're seeing?

> Klarna, what is the specific issue with "includedir" ordering you're seeing?

The issue seems to be that nothing below the includedir statement in krb5.conf is evaluated. For example, if I have my entire krb5 configuration in /etc/krb5.conf without any parts split out into the defined includedir, I will end up with a, seemingly, unconfigured heimdal-kdc.

I didn't put much effort into troubleshooting this issue more than looking through the kdc logs and wondering why paths and such were off. (Re)moving the includedir line.

Preferably I would've decommissioned this service, but it seems like neither that nor any kind of migration is going to happen. I mostly opened this issue to help if any other poor soul was stuck with heimdal and wondered why their kdc stopped working.

Cheers
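The workaround described above (keep the includedir directive as the last line of /etc/krb5.conf so a Heimdal KDC that stops evaluating the file at that point still sees the realm settings), as an added example that is not code from the bug report, from krb5-libs or from Heimdal. The directory path /etc/krb5.conf.d/ and the sample realm configuration are assumptions; the thread only says "the includedir line".

```shell
#!/bin/sh
# Added example, not part of the bug report or of krb5/Heimdal upstream.
# Assumption: the directive inserted by krb5-libs reads
# "includedir /etc/krb5.conf.d/"; the sample config below is constructed.
set -e

# Print where the includedir directive sits relative to the rest of the
# file: "top" (before the first [section]), "bottom" (last non-blank
# line, i.e. nothing after it can be ignored), "middle", or "none".
includedir_position() {
    awk '
        NF { last = NR }
        /^[ \t]*includedir[ \t]/ { inc = NR; next }
        /^[ \t]*\[/ { if (!first) first = NR }
        END {
            if (!inc) print "none"
            else if (first && inc < first) print "top"
            else if (inc == last) print "bottom"
            else print "middle"
        }' "$1"
}

# Rewrite the file so every includedir directive comes after all other
# settings. The file is overwritten in place (cat, not mv) so its inode,
# mode and any chattr attributes are kept.
move_includedir_last() {
    f=$1
    tmp=$(mktemp)
    grep -v '^[[:blank:]]*includedir[[:blank:]]' "$f" > "$tmp" || true
    grep '^[[:blank:]]*includedir[[:blank:]]' "$f" >> "$tmp" || true
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# Constructed sample mirroring the layout the report complains about:
# krb5-libs puts includedir at the top, realm settings follow it.
make_sample_conf() {
    cat > "$1" <<'EOF'
includedir /etc/krb5.conf.d/

[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
EOF
}

# Demo when run directly: reports "top", then "bottom".
d=$(mktemp -d)
make_sample_conf "$d/krb5.conf"
echo "before: $(includedir_position "$d/krb5.conf")"
move_includedir_last "$d/krb5.conf"
echo "after:  $(includedir_position "$d/krb5.conf")"
rm -rf "$d"
```

Run `includedir_position /etc/krb5.conf` before and after a krb5-libs update to see whether the in-place edit put the directive back at the top. As the thread itself notes, this only keeps a Heimdal KDC reading the whole file; whether every other consumer of krb5.conf treats a trailing includedir the same way is left open on the page.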
EPEL 7 entered end-of-life (EOL) status on 2024-06-30.

EPEL 7 is no longer maintained, which means that it will not receive any further security or bug fix updates.

As a result we are closing this bug.