krb5 1.16 on FreeBSD, multi realms


krb5 1.16 on FreeBSD, multi realms

Cory Albrecht
Hello all,

I'm trying to replicate my Ubuntu kerberos servers in FreeBSD 11.2 as I
move things from AWS to Digital Ocean. I'm using 1.16 in both places, but
on FreeBSD the programmes do not seem to honour the database_name field in
kdc.conf. Not in the [realms] section, nor in the [dbmodules] section.

Using kdb5_util will create the database files in the proper spot if you
use the -d option, but when one tries to use kadmin.local, or start the
kadmind server, they complain about the database not being found in the
default location (/usr/local/var/krb5kdc).

I need this feature because I run multiple realms.

Has anybody gotten this to work on FreeBSD? Thanks in advance.

My /usr/local/etc/krb5kdc/kdc.conf:
[kdcdefaults]
kdc_ports = 750,88
default_realm = CORY.ALBRECHT.NAME
allow_weak_crypto = true
ticket_lifetime = 7d 0h 0m 0s
renew_lifetime = 60d 0h 0m 0s

[realms]
HANFASTOLFE.COM = {
database_name = /usr/local/var/krb5kdc/hanfastolfe.com/principal
admin_keytab = FILE:/usr/local/etc/krb5kdc/hanfastolfe.com/kadm5.keytab
acl_file = /usr/local/etc/krb5kdc/hanfastolfe.com/kadm5.acl
key_stash_file = /usr/local/etc/krb5kdc/hanfastolfe.com/stash
admin_server = authns1.do.hanfastolfe.com
master_kdc = authns1.do.hanfastolfe.com
kdc = authns1.do.hanfastolfe.com
default_domain = hanfastolfe.com
kdc_ports = 750,88
max_life = 60d 0h 0m 0s
max_renewable_life = 60d 0h 0m 0s
master_key_type = des3-hmac-sha1
#supported_enctypes = aes256-cts:normal aes128-cts:normal
default_principal_flags = +preauth
}
CORY.ALBRECHT.NAME = {
database_name = /usr/local/var/krb5kdc/cory.albrecht.name/principal
admin_keytab = FILE:/usr/local/etc/krb5kdc/cory.albrecht.name/kadm5.keytab
acl_file = /usr/local/etc/krb5kdc/cory.albrecht.name/kadm5.acl
key_stash_file = /usr/local/etc/krb5kdc/cory.albrecht.name/stash
admin_server = authns1.do.hanfastolfe.com
master_kdc = authns1.do.hanfastolfe.com
kdc = authns1.do.hanfastolfe.com
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
#supported_enctypes = aes256-cts:normal aes128-cts:normal
default_principal_flags = +preauth
}

[logging]
default = FILE:/var/log/krb5/krb5.log
kdc = FILE:/var/log/krb5/kdc.log
admin_server = FILE:/var/log/krb5/kadmin.log

[dbmodules]
HANFASTOLFE.COM = {
database_name = /usr/local/var/krb5kdc/hanfastolfe.com/principal
db_library = db2
}
CORY.ALBRECHT.NAME = {
database_name = /usr/local/var/krb5kdc/cory.albrecht.name/principal
db_library = db2
}
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: krb5 1.16 on FreeBSD, multi realms

Greg Hudson
On 08/18/2018 06:58 PM, Cory Albrecht wrote:
> I'm trying to replicate my Ubuntu kerberos servers in FreeBSD 11.2 as I
> move things from AWS to Digital Ocean. I'm using 1.16 in both places, but
> on FreeBSD the programmes do not seem to honour the database_name field in
> kdc.conf. Not in the [realms] section, nor in the [dbmodules] section.

Have you verified that kdc.conf is being read?  The default location is
/usr/local/var/krb5kdc/kdc.conf, not /usr/local/etc/krb5kdc/kdc.conf.
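A small check script for the question Greg raises above, added here and not part of the thread: it works out which kdc.conf the KDC programs will actually read (the KRB5_KDC_PROFILE override if set, otherwise PREFIX/var/krb5kdc/kdc.conf), reports a kdc.conf left under PREFIX/etc/krb5kdc instead, and lists the per-realm database_name settings in the file that is read. It assumes PREFIX defaults to /usr/local as on the FreeBSD port.

```shell
#!/bin/sh
# Added check script (not from the thread). Works out which kdc.conf the
# MIT krb5 KDC programs (krb5kdc, kadmind, kadmin.local) will read and
# flags a kdc.conf left in the sysconfdir location instead.
# Assumption: PREFIX is the port prefix, /usr/local on FreeBSD.

# The KDC honours KRB5_KDC_PROFILE; otherwise it reads
# PREFIX/var/krb5kdc/kdc.conf (localstatedir), not PREFIX/etc/krb5kdc/kdc.conf.
effective_kdc_profile() {
    prefix=${1:-/usr/local}
    printf '%s\n' "${KRB5_KDC_PROFILE:-$prefix/var/krb5kdc/kdc.conf}"
}

# Exit status: 0 = the file the KDC reads exists; 1 = it is missing but a
# kdc.conf sits under PREFIX/etc/krb5kdc (this thread's situation);
# 2 = no kdc.conf at all (only /etc/krb5.conf will be consulted).
check_kdc_profile() {
    prefix=${1:-/usr/local}
    want=$(effective_kdc_profile "$prefix")
    stray="$prefix/etc/krb5kdc/kdc.conf"
    if [ -f "$want" ]; then
        echo "ok: KDC programs read $want"
        return 0
    elif [ -f "$stray" ]; then
        echo "misplaced: $stray exists but KDC programs read $want"
        echo "fix: move it to $want, or export KRB5_KDC_PROFILE=$stray"
        return 1
    fi
    echo "missing: no kdc.conf at $want"
    return 2
}

# Print "[section] REALM database_name" for every realm stanza that sets
# database_name, so a multi-realm layout can be eyeballed quickly.
realm_databases() {
    awk '/^[[:space:]]*\[/ { section = $1 }
         /^[[:space:]]*[A-Za-z0-9._-]+[[:space:]]*=[[:space:]]*[{]/ { realm = $1 }
         /database_name[[:space:]]*=/ { sub(/.*=[[:space:]]*/, ""); print section, realm, $0 }' "$1"
}

# Run the check against the live system (a command inside "if" does not
# trip set -e when this file is sourced by a test harness).
if check_kdc_profile "${PREFIX:-/usr/local}"; then
    realm_databases "$(effective_kdc_profile "${PREFIX:-/usr/local}")"
fi
```

Run it as root on the KDC host; exit status 1 is exactly the symptom in this thread, where kadmin.local and kadmind see an empty default configuration.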

Re: krb5 1.16 on FreeBSD, multi realms

Cory Albrecht
Oh for crying out loud! Why is the config file located in the local state
dir instead of in the local sysconfig dir?!?

😡

On Sat, Aug 18, 2018 at 9:11 PM Greg Hudson <[hidden email]> wrote:

> On 08/18/2018 06:58 PM, Cory Albrecht wrote:
> > I'm trying to replicate my Ubuntu kerberos servers in FreeBSD 11.2 as I
> > move things from AWS to Digital Ocean. I'm using 1.16 in both places, but
> > on FreeBSD the programmes do not seem to honour the database_name field in
> > kdc.conf. Not in the [realms] section, nor in the [dbmodules] section.
>
> Have you verified that kdc.conf is being read?  The default location is
> /usr/local/var/krb5kdc/kdc.conf, not /usr/local/etc/krb5kdc/kdc.conf.
>

Re: krb5 1.16 on FreeBSD, multi realms

Greg Hudson
On 08/20/2018 08:09 PM, Cory Albrecht wrote:
> Oh for crying out loud! Why is the config file located in the local state
> dir instead of in the local sysconfig dir?!?

I believe that decision was made in 1995, well before my involvement in
the project.  I can't find any discussion of the choice in what was then
the development list.  Changing that decision now would not be easy.

You do have the option of putting everything in /etc/krb5.conf and not
having a kdc.conf; the two files are both read by KDC-ish programs and
merged together.