Description of problem:
After running ipa-client-install on a RHEL 6.1 client, /etc/krb5.conf contains otherwise sane values but in the appdefaults/pam section it has the following entries:

  ticket_lifetime
  renew_lifetime
  forwardable

These seem to be duplicating those values already defined in the libdefaults section. These values are also not present in the default /etc/krb5.conf provided by the recent krb5-libs packages. It would seem best to add just debug/krb4_convert values to appdefaults/pam section.

Version-Release number of selected component (if applicable):
RHEL 6.1
The pam_krb5 module only overrides the [libdefaults] lifetime and forwardable settings if they're specified, so with rare exception, they shouldn't need to be set in the [appdefaults] "pam" section. Any krb4-specific bits (this includes the "krb4_convert*" group of settings for the PAM module and the "default_domain" setting in the [realms] section) aren't used once the v4 compat bits are dropped starting with krb5 1.8, so we can probably just drop the lot of them.
https://fedorahosted.org/freeipa/ticket/1358
master: f05141e6468ce972b9c0d9707a4d640fe40da2b7 ipa-2-0: 17c2238f2ccf923906e91ae58abb19e867f499fc
Verified using: ipa-client-2.1.2-2.el6.x86_64

install updates /etc/krb5.conf to have its appdefaults section as below:

  [appdefaults]
  pam = {
    debug = false
    krb4_convert = false
  }

NeedInfo: From comment #2, what are the other settings that are or are not expected to be in krb5.conf?

verifying using versions:
  krb5-workstation-1.9-21.el6.x86_64
  krb5-server-1.9-21.el6.x86_64
  krb5-pkinit-openssl-1.9-21.el6.x86_64
  krb5-libs-1.9-21.el6.x86_64
  krb5-server-ldap-1.9-21.el6.x86_64
  pam_krb5-2.3.11-8.el6.x86_64

current krb5.conf after an install:

  #File modified by ipa-client-install
  [libdefaults]
    default_realm = TESTRELM
    dns_lookup_realm = true
    dns_lookup_kdc = true
    rdns = false
    ticket_lifetime = 24h
    forwardable = yes

  [realms]
    TESTRELM = {
      pkinit_anchors = FILE:/etc/ipa/ca.crt
    }

  [domain_realm]
    .testrelm = TESTRELM
    testrelm = TESTRELM

  [appdefaults]
    pam = {
      debug = false
      krb4_convert = false
    }
You can refrain from adding the entire "pam" portion of the [appdefaults] section, as the module's default behavior is to not override any library settings unless it is told to do so, krb4 ticket conversion's not available because there's no krb4 library, and debug logging isn't enabled by default. The rest looks alright.
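As an added illustration of the pam_krb5 override behaviour explained in the two comments above (this is example code written for this page, not code from the bug, from ipa-client-install or from pam_krb5): a hypothetical audit script that parses a krb5.conf, reports [appdefaults] pam keys that only duplicate [libdefaults], only restate the module's own defaults (debug off, no krb4 conversion), or belong to the krb4-era "krb4_convert*" / realm "default_domain" settings that krb5 1.8 and later ignore, and then strips the redundant ones. A pam key whose value differs from [libdefaults] is reported as a genuine override and kept. The embedded krb5.conf is constructed to match the one in this report; the renew_lifetime = 7d line is an invented extra so that one real override survives the cleanup.

```python
"""Audit a krb5.conf for [appdefaults] pam settings that merely duplicate
[libdefaults] or the pam_krb5 defaults, and for krb4-era settings that
krb5 >= 1.8 no longer uses.  Hypothetical helper, not part of ipa-client."""
import copy
import re
from typing import Any, Dict, List, Tuple

SECTION_RE = re.compile(r"^\[(\w+)\]$")
ASSIGN_RE = re.compile(r"^([\w.\-]+)\s*=\s*(.*)$")

# Assumption: pam_krb5's documented defaults are debug off and no krb4
# conversion, so these settings change nothing when given these values.
PAM_DEFAULTS = {"debug": "false", "krb4_convert": "false"}

Conf = Dict[str, Any]
Finding = Tuple[str, str]          # (kind, "section/group/key")
REDUNDANT_KINDS = {"duplicate", "module-default", "krb4"}


def parse_krb5_conf(text: str) -> Conf:
    """Parse the krb5.conf subset used here: [section] headers,
    key = value lines, and key = { ... } groups (nesting may repeat)."""
    conf: Conf = {}
    stack: List[Conf] = []         # innermost open {...} group is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sec = SECTION_RE.match(line)
        if sec and len(stack) <= 1:
            stack = [conf.setdefault(sec.group(1), {})]
            continue
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = ASSIGN_RE.match(line)
        if not m or not stack:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            child: Conf = {}
            stack[-1][key] = child
            stack.append(child)
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' group")
    return conf


def _norm(value: str) -> str:
    """Fold the boolean spellings krb5 accepts so 'yes' and 'true' compare equal."""
    v = value.strip().lower()
    if v in ("yes", "true", "on", "1"):
        return "true"
    if v in ("no", "false", "off", "0"):
        return "false"
    return v


def audit(conf: Conf) -> List[Finding]:
    """Classify every [appdefaults] pam key and every realm default_domain."""
    findings: List[Finding] = []
    libdefaults = conf.get("libdefaults", {})
    pam = conf.get("appdefaults", {}).get("pam", {})
    for key, value in pam.items():
        loc = f"appdefaults/pam/{key}"
        if key.startswith("krb4_convert"):
            findings.append(("krb4", loc))          # no krb4 library any more
        elif key in libdefaults:
            same = _norm(libdefaults[key]) == _norm(value)
            findings.append(("duplicate" if same else "override", loc))
        elif PAM_DEFAULTS.get(key) == _norm(value):
            findings.append(("module-default", loc))
    for realm, settings in conf.get("realms", {}).items():
        if isinstance(settings, dict) and "default_domain" in settings:
            findings.append(("krb4", f"realms/{realm}/default_domain"))
    return findings


def drop_redundant(conf: Conf) -> Conf:
    """Return a copy without the redundant findings; an emptied pam group
    (and then an emptied [appdefaults]) disappears entirely."""
    fixed = copy.deepcopy(conf)
    for kind, loc in audit(conf):
        if kind in REDUNDANT_KINDS:
            *path, key = loc.split("/")
            node = fixed
            for part in path:
                node = node[part]
            del node[key]
    if fixed.get("appdefaults", {}).get("pam") == {}:
        del fixed["appdefaults"]["pam"]
    if fixed.get("appdefaults") == {}:
        del fixed["appdefaults"]
    return fixed


# Constructed sample modelled on the pre-fix file from this report; the
# renew_lifetime value is invented so one real override survives.
SAMPLE_BEFORE = """\
#File modified by ipa-client-install
[libdefaults]
  default_realm = TESTRELM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes
[realms]
  TESTRELM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
[domain_realm]
  .testrelm = TESTRELM
  testrelm = TESTRELM
[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = yes
    krb4_convert = false
  }
"""

if __name__ == "__main__":
    parsed = parse_krb5_conf(SAMPLE_BEFORE)
    for kind, loc in audit(parsed):
        print(f"{kind:15} {loc}")
    print("after cleanup:", drop_redundant(parsed).get("appdefaults"))
```

Run it against a real /etc/krb5.conf by reading the file into parse_krb5_conf; anything reported as "override" is the rare case the comment above mentions and deserves a second look before you delete the pam group wholesale.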
marking assigned based on comment #9
Extraneous appdefaults section removed from krb5.conf in upstream: master: 592bf621615b002c7945a9700aab0d5fc33cfe26 ipa-2-1: a065cfba0bda09ba3424f6ca85e9ce998f6af975
Verified the appdefaults section is removed with ipa-client-2.1.3-2.el6.x86_64
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: The IPA-generated /etc/krb5.conf contained values not in the standard configuration file, notably: ticket_lifetime, renew_lifetime and forwardable in [libdefaults] and the entire [appdefaults] section.
Consequence: This is mostly cosmetic as the values are not used but they might inhibit debugging.
Fix: Remove the unnecessary values and sections.
Result: A much cleaner and concise configuration file.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2011-1533.html