Move the default directory for OTP sockets to /var/run/krb5kdc

- pull in patch from master to move the default directory which the KDC
  uses when computing the socket path for a local OTP daemon from the
  database directory (/var/kerberos/krb5kdc) to the newly-added run
  directory (/run/krb5kdc), in line with what we're expecting in 1.13
  (RT#7859)
- add a tmpfiles.d configuration file to have /run/krb5kdc created at
  boot-time
- own /var/run/krb5kdc
This commit is contained in:
Nalin Dahyabhai 2014-02-07 16:13:29 -05:00
parent 99444865b1
commit bdb8c58c53
3 changed files with 231 additions and 1 deletions

1
krb5-krb5kdc.conf Normal file
View File

@ -0,0 +1 @@
d /var/run/krb5kdc 0755 root root

View File

@ -0,0 +1,202 @@
Adjusted to apply after the local doublelog patch.
commit 1e4bdcfed2c7bda94d5c135cc32a5993ca032501
Author: Nathaniel McCallum <npmccallum@redhat.com>
Date: Wed Feb 5 10:59:46 2014 -0500
Move OTP sockets to KDC_RUN_DIR
Some system configurations expect Unix-domain sockets to live under
/run or /var/run, and not other parts of /var where persistent
application state lives. Define a new directory KDC_RUN_DIR using
$runstatedir (new in autoconf 2.70, so fall back to $localstatedir/run
if it's not set) and use that for the default socket path.
[ghudson@mit.edu: commit message, otp.rst formatting fix]
ticket: 7859 (new)
diff --git a/doc/admin/otp.rst b/doc/admin/otp.rst
index 0abd5ff..f12c36d 100644
--- a/doc/admin/otp.rst
+++ b/doc/admin/otp.rst
@@ -23,7 +23,7 @@ the following format::
[otp]
<name> = {
- server = <host:port or filename> (default: $KDCDIR/<name>.socket)
+ server = <host:port or filename> (default: see below)
secret = <filename>
timeout = <integer> (default: 5 [seconds])
retries = <integer> (default: 3)
@@ -33,7 +33,8 @@ the following format::
If the server field begins with '/', it will be interpreted as a UNIX
socket. Otherwise, it is assumed to be in the format host:port. When
a UNIX domain socket is specified, the secret field is optional and an
-empty secret is used by default.
+empty secret is used by default. If the server field is not
+specified, it defaults to |kdcrundir|\ ``/<name>.socket``.
When forwarding the request over RADIUS, by default the principal is
used in the User-Name attribute of the RADIUS packet. The strip_realm
diff --git a/doc/conf.py b/doc/conf.py
index f015fc8..bc8b2bd 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -231,6 +231,7 @@ if 'mansubs' in tags:
sbindir = '``@SBINDIR@``'
libdir = '``@LIBDIR@``'
localstatedir = '``@LOCALSTATEDIR@``'
+ runstatedir = '``@RUNSTATEDIR@``'
sysconfdir = '``@SYSCONFDIR@``'
ccache = '``@CCNAME@``'
keytab = '``@KTNAME@``'
@@ -243,6 +244,7 @@ else:
sbindir = ':ref:`SBINDIR <paths>`'
libdir = ':ref:`LIBDIR <paths>`'
localstatedir = ':ref:`LOCALSTATEDIR <paths>`'
+ runstatedir = ':ref:`RUNSTATEDIR <paths>`'
sysconfdir = ':ref:`SYSCONFDIR <paths>`'
ccache = ':ref:`DEFCCNAME <paths>`'
keytab = ':ref:`DEFKTNAME <paths>`'
@@ -262,6 +264,7 @@ else:
rst_epilog += '.. |sbindir| replace:: %s\n' % sbindir
rst_epilog += '.. |libdir| replace:: %s\n' % libdir
rst_epilog += '.. |kdcdir| replace:: %s\\ ``/krb5kdc``\n' % localstatedir
+ rst_epilog += '.. |kdcrundir| replace:: %s\\ ``/krb5kdc``\n' % runstatedir
rst_epilog += '.. |sysconfdir| replace:: %s\n' % sysconfdir
rst_epilog += '.. |ccache| replace:: %s\n' % ccache
rst_epilog += '.. |keytab| replace:: %s\n' % keytab
diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst
index 89b8f4c..838dabb 100644
--- a/doc/mitK5defaults.rst
+++ b/doc/mitK5defaults.rst
@@ -17,6 +17,7 @@ KDC config file :ref:`kdc.conf(5)` |kdcdir|\ ``/kdc.conf`` **KRB
KDC database path (DB2) |kdcdir|\ ``/principal``
Master key :ref:`stash_definition` |kdcdir|\ ``/.k5.``\ *realm*
Admin server ACL file :ref:`kadm5.acl(5)` |kdcdir|\ ``/kadm5.acl``
+OTP socket directory |kdcrundir|
Plugin base directory |libdir|\ ``/krb5/plugins``
:ref:`rcache_definition` directory ``/var/tmp`` **KRB5RCACHEDIR**
Master key default enctype |defmkey|
@@ -64,6 +65,7 @@ Description Symbolic name Custom build path Typical
User programs BINDIR ``/usr/local/bin`` ``/usr/bin``
Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib``
Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var``
+Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run``
Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin``
Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc``
Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}``
diff --git a/src/Makefile.in b/src/Makefile.in
index a8bc990..1725093 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -64,6 +64,7 @@ INSTALLMKDIRS = $(KRB5ROOT) $(KRB5MANROOT) $(KRB5OTHERMKDIRS) \
$(KRB5_AD_MODULE_DIR) \
$(KRB5_LIBKRB5_MODULE_DIR) \
@localstatedir@ @localstatedir@/krb5kdc \
+ @runstatedir@ @runstatedir@/krb5kdc \
$(KRB5_INCSUBDIRS) $(datadir) $(EXAMPLEDIR) \
$(PKGCONFIG_DIR)
diff --git a/src/configure.in b/src/configure.in
index 2145d54..c2eaf78 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1,5 +1,11 @@
K5_AC_INIT([aclocal.m4])
+# If $runstatedir isn't set by autoconf (<2.70), set it manually.
+if test x"$runstatedir" == x; then
+ runstatedir=$localstatedir/run
+fi
+AC_SUBST(runstatedir)
+
CONFIG_RULES
KRB5_VERSION=K5_VERSION
AC_SUBST(KRB5_VERSION)
diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in
index a6bb7c5..b07e16a 100644
--- a/src/doc/Makefile.in
+++ b/src/doc/Makefile.in
@@ -7,6 +7,7 @@ DOXYGEN=doxygen
docsrc=$(top_srcdir)/../doc
localstatedir=@localstatedir@
+runstatedir=@runstatedir@
sysconfdir=@sysconfdir@
DEFCCNAME=@DEFCCNAME@
DEFKTNAME=@DEFKTNAME@
@@ -113,6 +114,7 @@ paths.py:
echo 'sbindir = "``$(SERVER_BINDIR)``"' >> $@
echo 'libdir = "``$(KRB5_LIBDIR)``"' >> $@
echo 'localstatedir = "``$(localstatedir)``"' >> $@
+ echo 'runstatedir = "``$(runstatedir)``"' >> $@
echo 'sysconfdir = "``$(sysconfdir)``"' >> $@
echo 'ccache = "``$(DEFCCNAME)``"' >> $@
echo 'keytab = "``$(DEFKTNAME)``"' >> $@
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index e13042a..f83ff4e 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -53,6 +53,7 @@ autoconf.stamp: $(srcdir)/autoconf.h.in $(BUILDTOP)/config.status
SYSCONFDIR = @sysconfdir@
LOCALSTATEDIR = @localstatedir@
+RUNSTATEDIR = @runstatedir@
BINDIR = @bindir@
SBINDIR = @sbindir@
LIBDIR = @libdir@
@@ -66,6 +67,7 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(KRB5RCTMPDIR)+" \
-e "s+@MODULEDIR+$(MODULE_DIR)+" \
-e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \
-e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
+ -e 's+@RUNSTATEDIR+$(RUNSTATEDIR)+' \
-e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \
-e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
-e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' \
diff --git a/src/include/osconf.hin b/src/include/osconf.hin
index 90ab86d..871503a 100644
--- a/src/include/osconf.hin
+++ b/src/include/osconf.hin
@@ -59,6 +59,7 @@
#define PLUGIN_EXT "@DYNOBJEXT"
#define KDC_DIR "@LOCALSTATEDIR/krb5kdc"
+#define KDC_RUN_DIR "@RUNSTATEDIR/krb5kdc"
#define DEFAULT_KDB_FILE KDC_DIR "/principal"
#define DEFAULT_KEYFILE_STUB KDC_DIR "/.k5."
#define KRB5_DEFAULT_ADMIN_ACL KDC_DIR "/krb5_adm.acl"
diff --git a/src/man/Makefile.in b/src/man/Makefile.in
index 4dd2448..2b9c892 100644
--- a/src/man/Makefile.in
+++ b/src/man/Makefile.in
@@ -5,6 +5,7 @@ SPHINX_BUILD=sphinx-build
GROFF=@GROFF@
GROFF_MAN=$(GROFF) -mtty-char -Tascii -mandoc -c
localstatedir=@localstatedir@
+runstatedir=@runstatedir@
sysconfdir=@sysconfdir@
DEFCCNAME=@DEFCCNAME@
DEFKTNAME=@DEFKTNAME@
@@ -44,6 +45,7 @@ $(docsrc)/version.py: $(top_srcdir)/patchlevel.h
-e 's|@SBINDIR@|$(SERVER_BINDIR)|g' \
-e 's|@LIBDIR@|$(KRB5_LIBDIR)|g' \
-e 's|@LOCALSTATEDIR@|$(localstatedir)|g' \
+ -e 's|@RUNSTATEDIR@|$(runstatedir)|g' \
-e 's|@SYSCONFDIR@|$(sysconfdir)|g' \
-e 's|@CCNAME@|$(DEFCCNAME)|g' \
-e 's|@KTNAME@|$(DEFKTNAME)|g' \
diff --git a/src/plugins/preauth/otp/otp_state.c b/src/plugins/preauth/otp/otp_state.c
index a4d7e3b..4643dff 100644
--- a/src/plugins/preauth/otp/otp_state.c
+++ b/src/plugins/preauth/otp/otp_state.c
@@ -40,7 +40,7 @@
#endif
#define DEFAULT_TYPE_NAME "DEFAULT"
-#define DEFAULT_SOCKET_FMT KDC_DIR "/%s.socket"
+#define DEFAULT_SOCKET_FMT KDC_RUN_DIR "/%s.socket"
#define DEFAULT_TIMEOUT 5
#define DEFAULT_RETRIES 3
#define MAX_SECRET_LEN 1024

View File

@ -41,7 +41,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.12.1
Release: 3%{?dist}
Release: 4%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.1-signed.tar
Source0: krb5-%{version}.tar.gz
@ -68,6 +68,7 @@ Source34: kadmind.logrotate
Source36: kpropd.init
Source37: kadmind.init
Source38: krb5kdc.init
Source39: krb5-krb5kdc.conf
BuildRequires: cmake
# Carry this locally until it's available in a packaged form.
@ -98,6 +99,7 @@ Patch138: krb5-master-rcache-acquirecred-leak.patch
Patch139: krb5-master-rcache-acquirecred-source.patch
Patch140: krb5-master-empty-credstore.patch
Patch141: krb5-master-rcache-acquirecred-test.patch
Patch142: krb5-master-move-otp-sockets.patch
Patch201: 0001-Don-t-try-to-stat-not-on-disk-ccache-residuals.patch
Patch202: 0002-Use-an-in-memory-cache-until-we-need-the-target-s.patch
Patch203: 0003-Learn-to-destroy-the-ccache-we-re-copying-from.patch
@ -344,6 +346,7 @@ ln -s NOTICE LICENSE
%patch139 -p1 -b .rcache-acquirecred-source
%patch140 -p1 -b .empty-credstore
%patch141 -p1 -b .rcache-acquirecred-test
%patch142 -p1 -b .move-otp-sockets
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@ -401,6 +404,9 @@ pushd src
%if 0%{?compile_default_ccache_name}
DEFCCNAME=%{compiled_default_ccache_name}; export DEFCCNAME
%endif
# Set this so that configure will have a value even if the current version of
# autoconf doesn't set one.
runstatedir=%{_localstatedir}/run; export runstatedir
# Work out the CFLAGS and CPPFLAGS which we intend to use.
INCLUDES=-I%{_includedir}/et
CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC -fno-strict-aliasing -fstack-protector-all`"
@ -451,6 +457,13 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`"
make
popd
# Sanity check the KDC_RUN_DIR.
configured_kdcrundir=`grep KDC_RUN_DIR src/include/osconf.h | awk '{print $NF}'`
configured_kdcrundir=`eval echo $configured_kdcrundir`
if test "$configured_kdcrundir" != %{_localstatedir}/run/krb5kdc ; then
exit 1
fi
# Build the docs.
make -C src/doc paths.py version.py
cp src/doc/paths.py doc/
@ -552,6 +565,9 @@ for wrapper in \
%{SOURCE8} ; do
install -pm 755 ${wrapper} $RPM_BUILD_ROOT%{_sbindir}/
done
mkdir -p $RPM_BUILD_ROOT/%{_tmpfilesdir}
install -pm 644 %{SOURCE39} $RPM_BUILD_ROOT/%{_tmpfilesdir}/
mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/run/krb5kdc
%else
mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
for init in \
@ -825,6 +841,8 @@ exit 0
%{_unitdir}/krb5kdc.service
%{_unitdir}/kadmin.service
%{_unitdir}/kprop.service
%{_tmpfilesdir}/krb5-krb5kdc.conf
%dir %{_localstatedir}/run/krb5kdc
%else
/etc/rc.d/init.d/krb5kdc
/etc/rc.d/init.d/kadmin
@ -998,6 +1016,15 @@ exit 0
%{_sbindir}/uuserver
%changelog
* Fri Feb 7 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-4
- pull in patch from master to move the default directory which the KDC uses
when computing the socket path for a local OTP daemon from the database
directory (/var/kerberos/krb5kdc) to the newly-added run directory
(/run/krb5kdc), in line with what we're expecting in 1.13 (RT#7859)
- add a tmpfiles.d configuration file to have /run/krb5kdc created at
boot-time
- own /var/run/krb5kdc
* Fri Jan 31 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-3
- refresh nss_wrapper and add socket_wrapper to the %%check environment