714597 – ipa-client-install adds duplicate information to krb5.conf

Bug 714597 - ipa-client-install adds duplicate information to krb5.conf

Summary: ipa-client-install adds duplicate information to krb5.conf

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.1
Hardware:	Unspecified
OS:	Unspecified
Priority:	low
Severity:	low
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	Chandrasekar Kannan
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	748554
TreeView+	depends on / blocked

Reported:	2011-06-20 08:27 UTC by Marko Myllynen
Modified:	2015-01-04 23:49 UTC (History)
CC List:	6 users (show)
Fixed In Version:	ipa-2.1.3-1.el6
Doc Type:	Bug Fix
Doc Text:	Cause: The IPA-generated /etc/krb5.conf contained values not in the standard configuration file, notably: ticket_lifetime, renew_lifetime and forwardable in [libdefaults] and the entire [appdefaults] second. Consequence: This is mostly cosmetic as the values are not used but they might inhibit debugging. Fix: Remove the unncessary values and sections. Result: A much cleaner and concise configuration file.
Clone Of:
Environment:
Last Closed:	2011-12-06 18:36:04 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2011:1533	0	normal	SHIPPED_LIVE	Moderate: ipa security and bug fix update	2011-12-06 01:23:31 UTC

Description Marko Myllynen 2011-06-20 08:27:33 UTC

Description of problem:
After running ipa-client-install on a RHEL 6.1 client, /etc/krb5.conf contains otherwise sane values but in the appdefaults/pam section it has the following entries:

ticket_lifetime
renew_lifetime
forwardable

These seem to be duplicating those values already defined in the libdefaults section. These values are also not present in the default /etc/krb5.conf provided by the recent krb5-libs packages.

It would seem best to add just debug/krb4_convert values to appdefaults/pam section.

Version-Release number of selected component (if applicable):
RHEL 6.1

Comment 2 Nalin Dahyabhai 2011-06-20 14:22:09 UTC

The pam_krb5 module only overrides the [libdefaults] lifetime and forwardable settings if they're specified, so with rare exception, they shouldn't need to be set in the [appdefaults] "pam" section.

Any krb4-specific bits (this includes the "krb4_convert*" group of settings for the PAM module and the "default_domain" setting in the [realms] section) aren't used once the v4 compat bits are dropped starting with krb5 1.8, so we can probably just drop the lot of them.

Comment 3 Rob Crittenden 2011-06-20 16:11:10 UTC

https://fedorahosted.org/freeipa/ticket/1358

Comment 4 Rob Crittenden 2011-06-29 13:40:29 UTC

master: f05141e6468ce972b9c0d9707a4d640fe40da2b7

ipa-2-0: 17c2238f2ccf923906e91ae58abb19e867f499fc

Comment 7 Namita Soman 2011-10-10 19:00:14 UTC

Verified using:
ipa-client-2.1.2-2.el6.x86_64

install updates /etc/krb5.conf to have its appdefaults section as below:
[appdefaults]
  pam = {
    debug = false
    krb4_convert = false
  }


NeedInfo:
From comment #2, what are the other settings that are or are not expected to be in krb5.conf?

verifying using versions:
krb5-workstation-1.9-21.el6.x86_64
krb5-server-1.9-21.el6.x86_64
krb5-pkinit-openssl-1.9-21.el6.x86_64
krb5-libs-1.9-21.el6.x86_64
krb5-server-ldap-1.9-21.el6.x86_64
pam_krb5-2.3.11-8.el6.x86_64

Comment 8 Namita Soman 2011-10-10 19:08:01 UTC

current krb5.conf after an install:
#File modified by ipa-client-install

[libdefaults]
  default_realm = TESTRELM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  TESTRELM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .testrelm = TESTRELM
  testrelm = TESTRELM

[appdefaults]
  pam = {
    debug = false
    krb4_convert = false
  }

Comment 9 Nalin Dahyabhai 2011-10-10 19:13:00 UTC

You can refrain from adding the entire "pam" portion of the [appdefaults] section, as the module's default behavior is to not override any library settings unless it is told to do so, krb4 ticket conversion's not available because there's no krb4 library, and debug logging isn't enabled by default.  The rest looks alright.

Comment 10 Namita Soman 2011-10-10 19:54:54 UTC

marking assigned based on comment #9

Comment 14 Rob Crittenden 2011-10-12 19:19:07 UTC

Extraneous appdefaults section removed from krb5.conf in upstream:

master: 592bf621615b002c7945a9700aab0d5fc33cfe26

ipa-2-1: a065cfba0bda09ba3424f6ca85e9ce998f6af975

Comment 15 Namita Soman 2011-10-19 17:34:42 UTC

Verified the appdefaults section is removed with ipa-client-2.1.3-2.el6.x86_64

Comment 16 Rob Crittenden 2011-10-31 20:16:49 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: The IPA-generated /etc/krb5.conf contained values not in the standard configuration file, notably: ticket_lifetime, renew_lifetime and forwardable in [libdefaults] and the entire [appdefaults] second.
Consequence: This is mostly cosmetic as the values are not used but they might inhibit debugging.
Fix: Remove the unncessary values and sections.
Result: A much cleaner and concise configuration file.

Comment 17 errata-xmlrpc 2011-12-06 18:36:04 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

Note You need to log in before you can comment on or make changes to this bug.