Bug 592884 - Cannot configure kerberos multi realm kadmin/kpropd.
Summary: Cannot configure kerberos multi realm kadmin/kpropd.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: krb5
Version: 5.5
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Nalin Dahyabhai
QA Contact: BaseOS QE Security Team
URL: http://krbdev.mit.edu/rt/Ticket/Displ...
Whiteboard:
Depends On:
Blocks: 1146999 1147000
Reported: 2010-05-17 10:08 UTC by fous
Modified: 2015-03-04 20:08 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 636841 1146999 1147000
Environment:
Last Closed: 2010-12-14 21:46:19 UTC
Target Upstream Version:


Attachments
/etc/init.d/kadmin patch including multirealm support (756 bytes, patch)
2010-05-17 10:08 UTC, fous
/etc/init.d/kprop patch including multirealm support (904 bytes, patch)
2010-05-17 10:09 UTC, fous

Description fous 2010-05-17 10:08:21 UTC
Created attachment 414505
/etc/init.d/kadmin patch including multirealm support

Description of problem:
Cannot configure kerberos multi realm kadmin/kpropd via standard sysconfig way.
There is no option for using multiple realms on kerberos.

Version-Release number of selected component (if applicable):
krb5-server-1.6.1-36.el5_4.1

Actual results:
Cannot configure

Expected results:
Configuration available

Additional info:

ad1)
If one wishes to use multiple realms on the same host, configuration of krb5kdc is no problem. I have to put this

KRB5KDC_ARGS="-r REALM1 -r REALM2"

into the /etc/sysconfig/krb5kdc file, no problem here

ad2)
When someone wants to run kadmin above these two domains, it is necessary to run kadmin standalone on a different port for each realm, e.g.

/usr/kerberos/sbin/kadmind -r REALM1 -port 749
/usr/kerberos/sbin/kadmind -r REALM2 -port 748

there is no configuration option to do this.

ad3)
When someone wants to propagate multiple realms kerberos database to other kdc hosts, one should run something like this on the slave host

/usr/kerberos/sbin/kpropd -S -r REALM1 -P 754
/usr/kerberos/sbin/kpropd -S -r REALM2 -P 753

there is no configuration option to do this.

Suggested solution:
Add a configuration file for kpropd (which does not exist at this time) and put some MULTIPLEREALM variable into this file and the kadmin configuration file, edit init scripts for kpropd and kadmind

Example configuration files
/etc/sysconfig/kprop
KPROP_ARGS=
MULTIREALMS="REALM1:754 REALM2:753"

/etc/sysconfig/kadmin
MULTIREALMS="REALM1:749 REALM2:748"

Diffs according to this feature (/etc/init.d/{kprop,kadmin}) are included in the attachment.
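The attached init-script patches are not reproduced on this page. As an added illustration of the MULTIREALMS scheme proposed above (example code, not the reporter's patch), the POSIX sh functions below parse a "REALM:PORT ..." value into one kadmind or kpropd command line per realm. Binary paths and the -r/-port/-S/-P flags are taken from the command lines in the report; the DRY_RUN switch, the function names and the rejection of malformed entries and duplicate ports are assumptions added here so the script can be exercised without krb5 installed.

```shell
#!/bin/sh
# Added example, not the attachment from the report: expand a
# MULTIREALMS="REALM1:PORT1 REALM2:PORT2 ..." setting into one daemon
# invocation per realm. Paths and flags follow the report; DRY_RUN is an
# assumption added here so the script runs on a host without krb5.

KADMIND=/usr/kerberos/sbin/kadmind
KPROPD=/usr/kerberos/sbin/kpropd

# multirealm_cmdlines DAEMON SPEC
# DAEMON is "kadmin" or "kprop"; SPEC is the MULTIREALMS value.
# Prints one command line per realm on stdout. Returns 1 on an entry
# that is not REALM:PORT, a non-numeric port, or a port listed for two
# realms (two daemons cannot bind the same port, so the second would
# silently fail to start under a plain init script).
multirealm_cmdlines() {
    daemon=$1
    spec=$2
    seen_ports=" "
    for entry in $spec; do
        realm=${entry%%:*}
        port=${entry#*:}
        # without a ':' both expansions return the whole entry
        if [ -z "$realm" ] || [ "$realm" = "$entry" ]; then
            echo "bad entry '$entry': expected REALM:PORT" >&2
            return 1
        fi
        case $port in
            ''|*[!0-9]*) echo "bad port '$port' for realm $realm" >&2; return 1 ;;
        esac
        case $seen_ports in
            *" $port "*) echo "port $port assigned to more than one realm" >&2; return 1 ;;
        esac
        seen_ports="$seen_ports$port "
        case $daemon in
            kadmin) echo "$KADMIND -r $realm -port $port" ;;
            kprop)  echo "$KPROPD -S -r $realm -P $port" ;;
            *) echo "unknown daemon '$daemon'" >&2; return 1 ;;
        esac
    done
}

# start_multirealm DAEMON SPEC
# Runs every generated command line, or only prints it when DRY_RUN=1.
# Fails before starting anything if the SPEC does not validate, so a
# typo in one realm does not leave half the realms running.
start_multirealm() {
    cmds=$(multirealm_cmdlines "$1" "$2") || return 1
    echo "$cmds" | while read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would run: $cmd"
        else
            $cmd
        fi
    done
}

# Constructed sample values matching the sysconfig examples in the report.
DRY_RUN=1
start_multirealm kadmin "REALM1:749 REALM2:748"
start_multirealm kprop "REALM1:754 REALM2:753"
```

Sourcing the script from /etc/init.d/kadmin or /etc/init.d/kprop and calling start_multirealm with the value read from /etc/sysconfig/kadmin or /etc/sysconfig/kprop is the intended use; leave DRY_RUN unset there so the daemons are actually started.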

Comment 1 fous 2010-05-17 10:09:44 UTC
Created attachment 414506
/etc/init.d/kprop patch including multirealm support

Comment 2 Dmitri Pal 2010-05-27 18:01:43 UTC
Please look at the SSSD project. 
https://fedorahosted.org/sssd

There is a consideration to add it to RHEL5.x.
Can you please take a look and check if it would solve the problem?

Comment 3 fous 2010-05-31 14:46:53 UTC
hi,

it seems, that this is not really related with this problem.

SSSD:
Its primary function is to provide access to identity and authentication remote resource through a common framework that can provide caching and offline support to the system.

but my problem is, that one cannot configure kerberos (kdc) so that it can run multiple realms on the same machine. kdc is only the underlying service of SSSD (I think).

it neither solves the kdc cluster propagation.

fous

Comment 4 Dmitri Pal 2010-06-04 16:10:49 UTC
(In reply to comment #3)
> hi,
> 
> it seems, that this is not really related with this problem.
> 
> SSSD:
> Its primary function is to provide access to identity and authentication
> remote resource through a common framework that can provide caching and offline
> support to the system.
> 
> but my problem is, that one cannot configure kerberos (kdc) so that it can run
> multiple realms on the same machine. kdc is only the underlying service of SSSD (I
> think).
> 
> it neither solves the kdc cluster propagation.
> 
> fous    

Ah Ok. Sorry for confusion.

Comment 6 Nalin Dahyabhai 2010-07-01 14:15:29 UTC
I'd much prefer to have kadmind and kpropd just support multiple realms from a single process, the way krb5kdc does.  Have forwarded this to upstream RT to see what they think.

Comment 7 Dmitri Pal 2010-09-28 12:21:14 UTC
We have contacted MIT community and got a feedback that they are generally open to making multiple realms work better for kadmind and kpropd. However it is not a priority so patches are welcome. If there is work that has been done in this area they might have cycles to review the patches before 1.9 release.

Comment 8 Dmitri Pal 2010-12-14 21:46:19 UTC
This issue is not going to be addressed in 5.x.
We will pick it up from upstream (MIT) when it becomes available.

Comment 9 Roland Mainz 2015-03-04 20:08:08 UTC
The patches (https://bugzilla.redhat.com/attachment.cgi?id=414506 and https://bugzilla.redhat.com/attachment.cgi?id=414505) themselves work for RHEL5/6 but I strongly agree with nalin (see https://bugzilla.redhat.com/show_bug.cgi?id=592884#c6) that we need a solution where kpropd and kadmind have built-in support for multiple realms (this is handled by upstream ticket http://krbdev.mit.edu/rt/Ticket/Display.html?id=6748).
The trouble starts with RHEL7 and systemd, which doesn't provide any easy support for starting and managing a "random" number of daemon processes started by a script.

