Bug 714597 - ipa-client-install adds duplicate information to krb5.conf
Summary: ipa-client-install adds duplicate information to krb5.conf
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: rc
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 748554
Reported: 2011-06-20 08:27 UTC by Marko Myllynen
Modified: 2015-01-04 23:49 UTC (History)

Fixed In Version: ipa-2.1.3-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: The IPA-generated /etc/krb5.conf contained values not in the standard configuration file, notably: ticket_lifetime, renew_lifetime and forwardable in [libdefaults] and the entire [appdefaults] section. Consequence: This is mostly cosmetic as the values are not used but they might inhibit debugging. Fix: Remove the unnecessary values and sections. Result: A much cleaner and more concise configuration file.
Clone Of:
Environment:
Last Closed: 2011-12-06 18:36:04 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Marko Myllynen 2011-06-20 08:27:33 UTC
Description of problem:
After running ipa-client-install on a RHEL 6.1 client, /etc/krb5.conf contains otherwise sane values but in the appdefaults/pam section it has the following entries:

ticket_lifetime
renew_lifetime
forwardable

These seem to be duplicating those values already defined in the libdefaults section. These values are also not present in the default /etc/krb5.conf provided by the recent krb5-libs packages.

It would seem best to add just debug/krb4_convert values to appdefaults/pam section.

Version-Release number of selected component (if applicable):
RHEL 6.1

Comment 2 Nalin Dahyabhai 2011-06-20 14:22:09 UTC
The pam_krb5 module only overrides the [libdefaults] lifetime and forwardable settings if they're specified, so with rare exception, they shouldn't need to be set in the [appdefaults] "pam" section.

Any krb4-specific bits (this includes the "krb4_convert*" group of settings for the PAM module and the "default_domain" setting in the [realms] section) aren't used once the v4 compat bits are dropped starting with krb5 1.8, so we can probably just drop the lot of them.

Comment 3 Rob Crittenden 2011-06-20 16:11:10 UTC
https://fedorahosted.org/freeipa/ticket/1358

Comment 4 Rob Crittenden 2011-06-29 13:40:29 UTC
master: f05141e6468ce972b9c0d9707a4d640fe40da2b7

ipa-2-0: 17c2238f2ccf923906e91ae58abb19e867f499fc

Comment 7 Namita Soman 2011-10-10 19:00:14 UTC
Verified using:
ipa-client-2.1.2-2.el6.x86_64

install updates /etc/krb5.conf to have its appdefaults section as below:
[appdefaults]
  pam = {
    debug = false
    krb4_convert = false
  }


NeedInfo:
From comment #2, what are the other settings that are or are not expected to be in krb5.conf?

verifying using versions:
krb5-workstation-1.9-21.el6.x86_64
krb5-server-1.9-21.el6.x86_64
krb5-pkinit-openssl-1.9-21.el6.x86_64
krb5-libs-1.9-21.el6.x86_64
krb5-server-ldap-1.9-21.el6.x86_64
pam_krb5-2.3.11-8.el6.x86_64

Comment 8 Namita Soman 2011-10-10 19:08:01 UTC
current krb5.conf after an install:
#File modified by ipa-client-install

[libdefaults]
  default_realm = TESTRELM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  TESTRELM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .testrelm = TESTRELM
  testrelm = TESTRELM

[appdefaults]
  pam = {
    debug = false
    krb4_convert = false
  }

Comment 9 Nalin Dahyabhai 2011-10-10 19:13:00 UTC
You can refrain from adding the entire "pam" portion of the [appdefaults] section, as the module's default behavior is to not override any library settings unless it is told to do so, krb4 ticket conversion's not available because there's no krb4 library, and debug logging isn't enabled by default.  The rest looks alright.
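Comments 2 and 9 together give a simple rule for auditing a client's krb5.conf: pam_krb5 only overrides the [libdefaults] lifetime and forwardable settings when they are repeated in the [appdefaults] pam block, the krb4_convert* group is dead since krb5 1.8, and debug logging is off unless asked for. The following is an added example, not code from the bug report or from ipa-client-install: a small parser for krb5.conf's [section] / key = value / key = { ... } syntax, plus a check that reports which pam settings merely duplicate [libdefaults] or restate pam_krb5's defaults. The sample file is constructed to resemble the pre-fix configuration this report describes; the renew_lifetime value in it is invented.

```python
"""Audit a krb5.conf for the [appdefaults] pam settings discussed in this bug.

Added example (not from ipa-client-install or the bug report). The sample
BEFORE_FIX config is constructed; its renew_lifetime value is invented.
"""

# pam_krb5 only overrides these [libdefaults] values when they are set
# explicitly in the pam block (comment 2), so repeating them is redundant.
LIFETIME_KEYS = ("ticket_lifetime", "renew_lifetime", "forwardable")
# pam_krb5 does not log unless told to (comment 9); "debug = false" is a no-op.
DEFAULT_RESTATED = {"debug": "false"}


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value-or-dict}}.

    Supports [section] headers, "key = value" lines and nested "key = {" ...
    "}" blocks; '#' and ';' start comments. A repeated key keeps its last value.
    """
    config = {}
    section = None
    stack = []  # dicts for the brace blocks currently open
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]") and not stack:
            section = line[1:-1].strip()
            config.setdefault(section, {})
            continue
        if line == "}":
            if not stack:
                raise ValueError("line %d: '}' without matching '{'" % lineno)
            stack.pop()
            continue
        if section is None:
            raise ValueError("line %d: setting outside any section" % lineno)
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("line %d: expected 'key = value'" % lineno)
        target = stack[-1] if stack else config[section]
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(target.setdefault(key, {}))
        else:
            target[key] = value
    if stack:
        raise ValueError("unterminated '{' block at end of file")
    return config


def audit_pam_appdefaults(config):
    """Return (key, reason) pairs for each setting in [appdefaults] pam = { ... }.

    Reasons: "duplicate" (same key already set in [libdefaults]), "override"
    (lifetime/forwardable set only here, so pam_krb5 really does override the
    library), "krb4" (krb4_convert* group, unused since krb5 1.8), "default"
    (value restates pam_krb5's built-in default). Other keys are not reported.
    """
    libdefaults = config.get("libdefaults", {})
    pam = config.get("appdefaults", {}).get("pam")
    findings = []
    if not isinstance(pam, dict):
        return findings
    for key, value in pam.items():
        if key in LIFETIME_KEYS:
            findings.append((key, "duplicate" if key in libdefaults else "override"))
        elif key.startswith("krb4_convert"):
            findings.append((key, "krb4"))
        elif isinstance(value, str) and DEFAULT_RESTATED.get(key) == value.lower():
            findings.append((key, "default"))
    return findings


# Constructed sample resembling the pre-fix file described in the report.
BEFORE_FIX = """\
#File modified by ipa-client-install
[libdefaults]
  default_realm = TESTRELM
  dns_lookup_realm = true
  dns_lookup_kdc = true
  rdns = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = yes

[realms]
  TESTRELM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = yes
    krb4_convert = false
  }
"""

if __name__ == "__main__":
    for key, reason in audit_pam_appdefaults(parse_krb5_conf(BEFORE_FIX)):
        print("[appdefaults] pam: %s -> %s" % (key, reason))
```

Run against the fixed file from comment 15 (no [appdefaults] at all) the audit returns nothing; run against the intermediate file in comment 8 it still reports debug and krb4_convert, which is exactly what comment 9 asked to have removed.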

Comment 10 Namita Soman 2011-10-10 19:54:54 UTC
marking assigned based on comment #9

Comment 14 Rob Crittenden 2011-10-12 19:19:07 UTC
Extraneous appdefaults section removed from krb5.conf in upstream:

master: 592bf621615b002c7945a9700aab0d5fc33cfe26

ipa-2-1: a065cfba0bda09ba3424f6ca85e9ce998f6af975

Comment 15 Namita Soman 2011-10-19 17:34:42 UTC
Verified the appdefaults section is removed with ipa-client-2.1.3-2.el6.x86_64

Comment 16 Rob Crittenden 2011-10-31 20:16:49 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: The IPA-generated /etc/krb5.conf contained values not in the standard configuration file, notably: ticket_lifetime, renew_lifetime and forwardable in [libdefaults] and the entire [appdefaults] section.
Consequence: This is mostly cosmetic as the values are not used but they might inhibit debugging.
Fix: Remove the unnecessary values and sections.
Result: A much cleaner and more concise configuration file.

Comment 17 errata-xmlrpc 2011-12-06 18:36:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html

