Summary: RFE change default place for kerberos keytabs
Product: [Retired] 389
Reporter: Simo Sorce <ssorce>
Component: Directory Server
Assignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE
QA Contact: Chandrasekar Kannan <ckannan>
Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Last Closed: 2009-04-29 23:08:59 UTC
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 249650, 493682
Description Simo Sorce 2008-12-18 16:29:25 UTC
Currently in /etc/sysconfig/dirsrv we suggest putting the keytab in an instance like this:

    # In order to use SASL/GSSAPI the directory
    # server needs to know where to find its keytab
    # file - uncomment the following line and set
    # the path and filename appropriately
    # KRB5_KTNAME=/etc/dirsrv/slapd-instance/keytab ; export KRB5_KTNAME

A per instance keytab does not make much sense for servers. Kerberos clients use the machine FQDN to obtain a ticket like ldap/FQDN; there is nothing that can make a client understand how to get a per-instance ticket. Therefore by default a keytab should be considered a per server option.

Also the file /etc/sysconfig/dirsrv is sourced for all instances, so again all instances would ultimately get the same keytab.

Finally a keytab is normally named either krb5.keytab or <service>.keytab.

I suggest the default be changed to:

    # KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME

This is the same default we used in IPA since the beginning and fits the above description.
Comment 1 Rich Megginson 2009-02-16 22:54:53 UTC
Done.

    Checking in initconfig.in;
    /cvs/dirsec/ldapserver/ldap/admin/src/initconfig.in,v  <--  initconfig.in
    new revision: 1.4; previous revision: 1.3
    done
Comment 2 Jenny Severance 2009-04-01 18:48:46 UTC
How can we verify this? I have seen default GSSAPI error messages looking for keytab - /etc/krb5.keytab but not /etc/dirsrv/ds.keytab.
Comment 3 Rich Megginson 2009-04-01 19:13:37 UTC
It's just the commented out assignment - just check to see that the commented out assignment in /etc/sysconfig/dirsrv is correct by default, sasl/gssapi will look for /etc/krb5.keytab if KRB5_KTFILE is not defined.
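The verification described in the two comments above is mechanical: the only thing that changes at runtime is an active (uncommented) KRB5_KTNAME assignment in /etc/sysconfig/dirsrv, and without one the Kerberos library falls back to /etc/krb5.keytab. The script below is an added example, not code from the bug report or from 389 Directory Server; it resolves the keytab an instance would actually use from a sysconfig file and then checks that file the way an administrator would before expecting SASL/GSSAPI binds to work. The sample sysconfig contents are constructed after the snippet in the description, and the unprivileged service account name passed to check_keytab is an assumption (the demo uses the current user so it runs anywhere).

```shell
#!/bin/sh
# Added example, not part of the bug report or of 389-ds itself.
# Resolves the keytab a Directory Server instance would use after
# /etc/sysconfig/dirsrv is sourced, then checks that file.
# Sample file contents and the service user name are constructed/assumed.

# effective_keytab SYSCONFIG_FILE
# Prints the path from the last *active* KRB5_KTNAME assignment in the file
# (optionally written as "export KRB5_KTNAME=..."). Commented-out lines such as
# "# KRB5_KTNAME=..." are ignored, which is why a commented default alone changes
# nothing at runtime. With no active assignment the Kerberos library default
# /etc/krb5.keytab is printed.
effective_keytab() {
    ktname=$(sed -n \
        's/^[[:space:]]*\(export[[:space:]][[:space:]]*\)\{0,1\}KRB5_KTNAME=\([^ ;]*\).*/\2/p' \
        "$1" | tail -n 1)
    # strip one layer of surrounding quotes, if any
    ktname=$(printf '%s\n' "$ktname" | sed "s/^[\"']//; s/[\"']\$//")
    printf '%s\n' "${ktname:-/etc/krb5.keytab}"
}

# check_keytab KEYTAB_PATH SERVICE_USER
# Returns 0 when the keytab is a regular file, not world-readable, and owned by
# SERVICE_USER (the unprivileged account the server runs as). Prints one
# diagnostic line per problem. A missing file or a root-only /etc/krb5.keytab
# is the usual cause of GSSAPI "keytab" errors on the server side.
check_keytab() {
    kt=$1; user=$2; rc=0
    if [ ! -f "$kt" ]; then
        echo "MISSING: $kt does not exist (GSSAPI binds will fail)"
        return 1
    fi
    perms=$(ls -ld "$kt")
    # field layout of ls -ld: -rw-r----- ... ; character 8 is "other" read
    case "$perms" in
        ???????r*) echo "WORLD-READABLE: $kt exposes the service key to every local user"; rc=1 ;;
    esac
    set -- $perms
    owner=$3
    if [ "$owner" != "$user" ]; then
        echo "OWNER: $kt is owned by $owner, not $user (server may be unable to read it)"; rc=1
    fi
    return $rc
}

# Demo with constructed files; the service user is assumed to be whoever runs this.
demo() {
    tmp=$(mktemp -d)
    me=$(id -un)
    cat > "$tmp/dirsrv.commented" <<EOF
# In order to use SASL/GSSAPI the directory
# server needs to know where to find its keytab
# file - uncomment the following line and set
# the path and filename appropriately
# KRB5_KTNAME=$tmp/ds.keytab ; export KRB5_KTNAME
EOF
    sed 's/^# KRB5_KTNAME/KRB5_KTNAME/' "$tmp/dirsrv.commented" > "$tmp/dirsrv.active"
    : > "$tmp/ds.keytab"; chmod 600 "$tmp/ds.keytab"

    echo "commented default resolves to: $(effective_keytab "$tmp/dirsrv.commented")"
    echo "activated line resolves to:    $(effective_keytab "$tmp/dirsrv.active")"
    if check_keytab "$(effective_keytab "$tmp/dirsrv.active")" "$me"; then
        echo "keytab check: OK"
    else
        echo "keytab check: FAILED"
    fi
    rm -rf "$tmp"
}

demo
```

Run it as the account the server runs as (or pass that account name to check_keytab) so the ownership check reflects what the daemon can actually open.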
Comment 4 Jenny Severance 2009-04-01 19:24:11 UTC
fix verified DS 8.1 RHEL 4

/etc/sysconfig/dirsrv:

    # In order to use SASL/GSSAPI (Kerberos) the directory
    # server needs to know where to find its keytab
    # file - uncomment the following line and set
    # the path and filename appropriately
    # KRB5_KTNAME=/etc/dirsrv/myname.keytab ; export KRB5_KTNAME
Comment 5 Chandrasekar Kannan 2009-04-29 23:08:59 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHEA-2009-0455.html