Hi all,

Not sure if this is the right forum. And not 100% sure this is a bug or not, hence the post and not a bug report on Launchpad. I am not familiar enough with Kerberos to know, so I will just state what I have found.


Setting a realm in the "/etc/krb5kdc/kdc.conf" like so:

Code:
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    think.vpc = {
        database_name = /var/lib/krb5kdc/think.vpc
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        default_principal_flags = +preauth
    }
From what I can tell, this is basically what comes in the package, looking at:
Code:
dpkg -L krb5-kdc | grep example
/usr/share/doc/krb5-kdc/examples
/usr/share/doc/krb5-kdc/examples/kdc.conf

Then setting this realm as the default in:

/etc/krb5.conf:

Code:
[libdefaults]
        default_realm = THINK.VPC

# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
I have trimmed that to just the pertinent bit.
This is basically the same as what comes in the package.

Code:
dpkg -L krb5-config | grep template
/usr/share/kerberos-configs/krb5.conf.template
So now, with my database_name set to /var/lib/krb5kdc/think.vpc, I try to launch krb5kdc with no arguments:

Code:
krb5kdc 
krb5kdc: cannot initialize realm THINK.VPC - see log file for details
If I tell it the database location...

Code:
krb5kdc  -d  /var/lib/krb5kdc/think.vpc
ps aux|grep kd[c]
root     18863  0.0  0.0  43124   568 ?        Ss   16:56   0:00 krb5kdc -d /var/lib/krb5kdc/think.vpc
Same issue with kadmin.local:

Code:
kadmin.local -q 'listprincs'
Authenticating as principal root/admin@THINK.VPC with password.
kadmin.local: No such file or directory while initializing kadmin.local interface


kadmin.local -d /var/lib/krb5kdc/think.vpc -q 'listprincs'
Authenticating as principal root/admin@THINK.VPC with password.
K/M@THINK.VPC
kadmin/admin@THINK.VPC
kadmin/changepw@THINK.VPC
kadmin/mgt-master01-ap-southeast-2b.think.edu.au@THINK.VPC
krbtgt/THINK.VPC@THINK.VPC

Checking what files we read during start up though...

Code:
strace -e trace=file krb5kdc 2>&1 | grep '/etc/'
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
stat("/etc/krb5kdc/kdc.conf", {st_mode=S_IFREG|0644, st_size=605, ...}) = 0
open("/etc/krb5kdc/kdc.conf", O_RDONLY) = 3
stat("/etc/krb5.conf", {st_mode=S_IFREG|0644, st_size=1729, ...}) = 0
open("/etc/krb5.conf", O_RDONLY)        = 3
stat("/usr/etc/krb5.conf", 0x7fffd10cf580) = -1 ENOENT (No such file or directory)
access("/etc/krb5kdc/kdc.conf", R_OK)   = 0
access("/etc/krb5.conf", R_OK)          = 0
stat("/usr/etc/krb5.conf", 0x7fffd10cf490) = -1 ENOENT (No such file or directory)
access("/etc/krb5kdc/kdc.conf", R_OK)   = 0
access("/etc/krb5.conf", R_OK)          = 0
stat("/usr/etc/krb5.conf", 0x7fffd10cf410) = -1 ENOENT (No such file or directory)
access("/etc/krb5kdc/kdc.conf", R_OK)   = 0
access("/etc/krb5.conf", R_OK)          = 0
stat("/usr/etc/krb5.conf", 0x7fffd10cf350) = -1 ENOENT (No such file or directory)
open("/etc/krb5kdc/principal", O_RDONLY) = -1 ENOENT (No such file or directory)
I notice here that we are hitting "/etc/krb5kdc/principal".

So if I move my database to that location....


Code:
/etc/krb5kdc# for i in  /var/lib/krb5kdc/think* ; do cp $i $(basename $i|sed 's/think\.vpc/principal/g') ; done
/etc/krb5kdc# ls
dump  kadm5.acl  kdc.conf  principal  principal.kadm5  principal.kadm5.lock  principal.ok  stash
Everything starts and works fine.

Code:
strace -e trace=file krb5kdc 2>&1 | grep '/etc/'
...
open("/etc/krb5kdc/principal", O_RDONLY) = 4
open("/etc/krb5kdc/principal.ok", O_RDWR) = 4
access("/etc/krb5kdc/kdc.conf", R_OK)   = 0
...
And kadmin.local works too without needing to be told where to look.

Code:
kadmin.local  -q 'listprincs'
Authenticating as principal root/admin@THINK.VPC with password.
K/M@THINK.VPC
kadmin/admin@THINK.VPC
kadmin/changepw@THINK.VPC
kadmin/mgt-master01-ap-southeast-2b.think.edu.au@THINK.VPC
krbtgt/THINK.VPC@THINK.VPC

Am I missing something? It feels like the binary has the database location hardcoded and ignores any config about where to look for the database.

Happy to be proven wrong.

Thanks.
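One check worth running before concluding the path is hardcoded: MIT Kerberos realm names are case-sensitive, so a [realms] stanza named "think.vpc" in kdc.conf does not apply to the realm "THINK.VPC" named in krb5.conf, and the KDC then uses its built-in defaults for per-realm settings such as database_name. The script below is an added example, not the poster's code or anything shipped with krb5; the functions parse_profile and check_realm are my own, and the two embedded config texts are constructed from the files quoted in the post.

```python
import re

def parse_profile(text):
    """Minimal parser for the MIT krb5 profile format: [section] headers,
    key = value lines and one level of 'name = { ... }' nesting.
    Returns {section: {key: value-or-dict}}."""
    conf, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:                                 # new [section]
            section, stanza = conf.setdefault(m.group(1), {}), None
            continue
        if line == "}" or section is None:    # end of a stanza, or text before any section
            stanza = None
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if value == "{":                      # start of 'REALM = { ... }'
            stanza = section.setdefault(key, {})
        elif stanza is not None:
            stanza[key] = value
        else:
            section[key] = value
    return conf

def check_realm(kdc_conf_text, krb5_conf_text):
    """Return (default_realm, exact_match, near_matches): exact_match is True
    when kdc.conf has a [realms] stanza spelled exactly like default_realm;
    near_matches lists stanzas that differ only in letter case."""
    realm = parse_profile(krb5_conf_text).get("libdefaults", {}).get("default_realm")
    stanzas = parse_profile(kdc_conf_text).get("realms", {})
    near = [s for s in stanzas if s != realm and s.lower() == (realm or "").lower()]
    return realm, realm in stanzas, near

# Constructed sample configs modelled on the two files quoted in the post.
KDC_CONF = """
[kdcdefaults]
    kdc_ports = 750,88
[realms]
    think.vpc = {
        database_name = /var/lib/krb5kdc/think.vpc
    }
"""
KRB5_CONF = "[libdefaults]\n    default_realm = THINK.VPC\n"

if __name__ == "__main__":
    realm, exact, near = check_realm(KDC_CONF, KRB5_CONF)
    print(f"default_realm={realm} exact_stanza={exact} case_only_matches={near}")
```

Run against the real files (read /etc/krb5kdc/kdc.conf and /etc/krb5.conf instead of the embedded samples) it reports whether the realm the KDC is initialising actually has a stanza, so a case-only mismatch shows up before you start chasing the database path.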