Bug 836628 - authconfig shouldn't set dns_lookup_xxx = false
Product: Fedora
Classification: Fedora
Component: authconfig
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-06-29 12:45 EDT by Stef Walter
Modified: 2012-08-15 12:12 EDT
Fixed In Version: authconfig-6.2.3-1.fc18
Doc Type: Bug Fix
Last Closed: 2012-08-15 08:12:58 EDT
Type: Bug

Attachments:
Patch which fixes the problem (1.80 KB, patch), 2012-06-29 12:45 EDT, Stef Walter

Description Stef Walter 2012-06-29 12:45:03 EDT
Created attachment 595339
Patch which fixes the problem

Description of problem:

There are appropriate upstream values for the krb5.conf dns_lookup_realm and dns_lookup_kdc. authconfig should not set these parameters unless explicitly requested to do so. In fact, I'm not sure why it would need to set them at all.

But in any case, upstream kerberos is supposed to work in a configuration-less manner out of the box. authconfig breaks this by setting dns_lookup_realm to false.

Version-Release number of selected component (if applicable):


How reproducible:

Every time

Steps to Reproduce:
1. sudo authconfig --updateall --enablewinbind --enablewinbindauth

Actual results:

 default_realm = AD.THEWALTER.LAN
 dns_lookup_realm = false
 dns_lookup_kdc = false

Expected results:

No unnecessary modifications to krb5.conf, especially messing with defaults.
Comment 1 Tomas Mraz 2012-06-29 15:36:36 EDT
The problem is that these parameters are set so for consistency with SSSD. Especially the dns_lookup_realm is not yet (or at least was not) supported with SSSD.
Comment 2 Stef Walter 2012-06-30 01:02:33 EDT
dns_lookup_realm is set to false by default, so there's no need to be setting it here.

But it's the dns_lookup_kdc = false that really breaks kerberos. Manually configuring kerberos for each realm is unrealistic for most users, and is brittle for large domains with multiple KDCs that can fail over and be reconfigured. Using DNS for locating KDCs is the best practice, as it has been for a decade.

IMO, krb5 should be completely configurationless for almost all use cases, and certainly by default.
Comment 3 Tomas Mraz 2012-08-15 08:12:58 EDT
As I did not use your patch but wrote it myself, please test whether it works for you.
Comment 4 Stef Walter 2012-08-15 12:12:24 EDT
Verified that this no longer happens with authconfig-6.2.3.
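
Added example (not part of the bug thread and not authconfig's code): a small check an administrator could run against a krb5.conf to see whether a tool has explicitly written dns_lookup_realm or dns_lookup_kdc into [libdefaults], as in the "Actual results" above. The function names, the sample realm entry and the accepted boolean spellings are assumptions of this sketch, and include/includedir directives are not followed.

```python
import re

# Constructed sample: the [libdefaults] lines from "Actual results" above,
# followed by a made-up [realms] entry.
SAMPLE = """\
[libdefaults]
 default_realm = AD.THEWALTER.LAN
 dns_lookup_realm = false
 dns_lookup_kdc = false
 # dns_lookup_kdc = true

[realms]
 AD.THEWALTER.LAN = {
  kdc = dc1.example.test
 }
"""

WATCHED = ("dns_lookup_realm", "dns_lookup_kdc")
# Boolean spellings recognised by this sketch (assumption, not taken from the page).
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}
FALSE_WORDS = {"n", "no", "false", "nil", "0", "off"}

def explicit_dns_lookup(text):
    """Return {key: (line_no, True/False/None)} for watched keys set at the top level of [libdefaults]."""
    found, section, depth = {}, None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m and depth == 0:                     # new top-level section header
            section = m.group(1).strip()
            continue
        if line.endswith("{"):                   # entering a nested block
            depth += 1
            continue
        if line.startswith("}"):                 # leaving a nested block
            depth = max(depth - 1, 0)
            continue
        key, sep, value = line.partition("=")
        if sep and section == "libdefaults" and depth == 0 and key.strip() in WATCHED:
            word = value.strip().lower()
            found[key.strip()] = (no, True if word in TRUE_WORDS else False if word in FALSE_WORDS else None)
    return found

def kdc_discovery_disabled(text):
    """True when dns_lookup_kdc is explicitly false, the setting comment 2 objects to."""
    hit = explicit_dns_lookup(text).get("dns_lookup_kdc")
    return hit is not None and hit[1] is False
```

Running `explicit_dns_lookup(open("/etc/krb5.conf").read())` before and after an authconfig run shows whether the tool introduced either key.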
