Bug 714597 - ipa-client-install adds duplicate information to krb5.conf
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assigned To: Rob Crittenden
QA Contact: Chandrasekar Kannan
Blocks: 748554
Reported: 2011-06-20 04:27 EDT by Marko Myllynen
Modified: 2015-01-04 18:49 EST
Fixed In Version: ipa-2.1.3-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: The IPA-generated /etc/krb5.conf contained values not in the standard configuration file, notably: ticket_lifetime, renew_lifetime and forwardable in [libdefaults] and the entire [appdefaults] section. Consequence: This is mostly cosmetic as the values are not used but they might inhibit debugging. Fix: Remove the unnecessary values and sections. Result: A much cleaner and concise configuration file.
Last Closed: 2011-12-06 13:36:04 EST
Description Marko Myllynen 2011-06-20 04:27:33 EDT
Description of problem:
After running ipa-client-install on a RHEL 6.1 client, /etc/krb5.conf contains otherwise sane values but in the appdefaults/pam section it has the following entries:

ticket_lifetime
renew_lifetime
forwardable

These seem to be duplicating those values already defined in the libdefaults section. These values are also not present in the default /etc/krb5.conf provided by the recent krb5-libs packages.

It would seem best to add just debug/krb4_convert values to appdefaults/pam section.

Version-Release number of selected component (if applicable):
RHEL 6.1
Comment 2 Nalin Dahyabhai 2011-06-20 10:22:09 EDT
The pam_krb5 module only overrides the [libdefaults] lifetime and forwardable settings if they're specified, so with rare exception, they shouldn't need to be set in the [appdefaults] "pam" section.

Any krb4-specific bits (this includes the "krb4_convert*" group of settings for the PAM module and the "default_domain" setting in the [realms] section) aren't used once the v4 compat bits are dropped starting with krb5 1.8, so we can probably just drop the lot of them.
Comment 3 Rob Crittenden 2011-06-20 12:11:10 EDT
https://fedorahosted.org/freeipa/ticket/1358
Comment 4 Rob Crittenden 2011-06-29 09:40:29 EDT
master: f05141e6468ce972b9c0d9707a4d640fe40da2b7

ipa-2-0: 17c2238f2ccf923906e91ae58abb19e867f499fc
Comment 7 Namita Soman 2011-10-10 15:00:14 EDT
Verified using:
ipa-client-2.1.2-2.el6.x86_64

install updates /etc/krb5.conf to have its appdefaults section as below:
[appdefaults]
  pam = {
    debug = false
    krb4_convert = false
  }


NeedInfo:
From comment #2, what are the other settings that are or are not expected to be in krb5.conf?

verifying using versions:
krb5-workstation-1.9-21.el6.x86_64
krb5-server-1.9-21.el6.x86_64
krb5-pkinit-openssl-1.9-21.el6.x86_64
krb5-libs-1.9-21.el6.x86_64
krb5-server-ldap-1.9-21.el6.x86_64
pam_krb5-2.3.11-8.el6.x86_64
Comment 8 Namita Soman 2011-10-10 15:08:01 EDT
current krb5.conf after an install:
#File modified by ipa-client-install

[libdefaults]
  default_realm = TESTRELM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  TESTRELM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .testrelm = TESTRELM
  testrelm = TESTRELM

[appdefaults]
  pam = {
    debug = false
    krb4_convert = false
  }
Comment 9 Nalin Dahyabhai 2011-10-10 15:13:00 EDT
You can refrain from adding the entire "pam" portion of the [appdefaults] section, as the module's default behavior is to not override any library settings unless it is told to do so, krb4 ticket conversion's not available because there's no krb4 library, and debug logging isn't enabled by default.  The rest looks alright.
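
A check for the settings discussed in comments 2 and 9, as an added example that is not part of the bug report or of the FreeIPA code: it parses a krb5.conf and lists [appdefaults] pam keys that are also set in [libdefaults], plus the krb4-only settings named in comment 2. The function names and the sample file are constructed for illustration.

```python
import re

# Constructed sample (not from a real host): report-style file plus krb4-era keys.
SAMPLE = """\
[libdefaults]
  ticket_lifetime = 24h
[realms]
  TESTRELM = {
    default_domain = testrelm
  }
[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    krb4_convert = false
  }
"""

def parse_krb5_conf(text):
    """Parse [sections] and nested `name = { ... }` blocks into dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            # A new section resets nesting; repeated sections are merged.
            stack = [conf.setdefault(header.group(1), {})]
        elif line == "}" and len(stack) > 1:
            stack.pop()
        elif "=" in line and stack and line[0] not in "#;":
            key, value = (p.strip() for p in line.split("=", 1))
            stack[-1][key] = {} if value == "{" else value
            if value == "{":
                stack.append(stack[-1][key])
    return conf

def audit(text):
    """Flag pam keys also set in [libdefaults], and krb4-only settings."""
    conf = parse_krb5_conf(text)
    lib = conf.get("libdefaults", {})
    found = []
    for key in conf.get("appdefaults", {}).get("pam", {}):
        if key.startswith("krb4_convert"):
            found.append(("appdefaults/pam", key, "krb4-only"))
        elif key in lib:
            found.append(("appdefaults/pam", key, "also in libdefaults"))
    for realm, body in conf.get("realms", {}).items():
        if "default_domain" in body:
            found.append(("realms/" + realm, "default_domain", "krb4-only"))
    return found
```

Running `audit()` over a file with no [appdefaults] section and no `default_domain` entry returns an empty list.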
Comment 10 Namita Soman 2011-10-10 15:54:54 EDT
marking assigned based on comment #9
Comment 14 Rob Crittenden 2011-10-12 15:19:07 EDT
Extraneous appdefaults section removed from krb5.conf in upstream:

master: 592bf621615b002c7945a9700aab0d5fc33cfe26

ipa-2-1: a065cfba0bda09ba3424f6ca85e9ce998f6af975
Comment 15 Namita Soman 2011-10-19 13:34:42 EDT
Verified the appdefaults section is removed with ipa-client-2.1.3-2.el6.x86_64
Comment 16 Rob Crittenden 2011-10-31 16:16:49 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: The IPA-generated /etc/krb5.conf contained values not in the standard configuration file, notably: ticket_lifetime, renew_lifetime and forwardable in [libdefaults] and the entire [appdefaults] section.
Consequence: This is mostly cosmetic as the values are not used but they might inhibit debugging.
Fix: Remove the unnecessary values and sections.
Result: A much cleaner and concise configuration file.
Comment 17 errata-xmlrpc 2011-12-06 13:36:04 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html
