Move the default directory for OTP sockets to /var/run/krb5kdc
- pull in patch from master to move the default directory which the KDC uses when computing the socket path for a local OTP daemon from the database directory (/var/kerberos/krb5kdc) to the newly-added run directory (/run/krb5kdc), in line with what we're expecting in 1.13 (RT#7859) - add a tmpfiles.d configuration file to have /run/krb5kdc created at boot-time - own /var/run/krb5kdc
This commit is contained in:
parent
99444865b1
commit
bdb8c58c53
1
krb5-krb5kdc.conf
Normal file
1
krb5-krb5kdc.conf
Normal file
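--- /dev/null
+++ b/krb5-krb5kdc.conf
@@ -0,0 +1 @@
+d /var/run/krb5kdc 0755 root root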
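Review bot: The `0755 root root` on the `d /var/run/krb5kdc` line is doing security work that nothing records. The bundled patch's otp.rst text says a UNIX-socket OTP server uses an empty RADIUS secret by default, so the KDC accepts answers from whatever process owns `<name>.socket` in this directory, and root-only write on the directory is the only thing stopping an unprivileged local user from planting a socket at the default path. I'd add a comment above the line, `# Keep root-owned and not group/world-writable: the KDC trusts any OTP socket found here (empty RADIUS secret by default).`, so a later change that hands the directory to a daemon user also thinks about restricting group/other. The path is `/var/run` while the changelog says `/run/krb5kdc`; that only lines up where /var/run is a symlink to /run, which is presumably true on the systemd releases this branch targets.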
202
krb5-master-move-otp-sockets.patch
Normal file
202
krb5-master-move-otp-sockets.patch
Normal file
@ -0,0 +1,202 @@
|
||||
Adjusted to apply after the local doublelog patch.
|
||||
|
||||
commit 1e4bdcfed2c7bda94d5c135cc32a5993ca032501
|
||||
Author: Nathaniel McCallum <npmccallum@redhat.com>
|
||||
Date: Wed Feb 5 10:59:46 2014 -0500
|
||||
|
||||
Move OTP sockets to KDC_RUN_DIR
|
||||
|
||||
Some system configurations expect Unix-domain sockets to live under
|
||||
/run or /var/run, and not other parts of /var where persistent
|
||||
application state lives. Define a new directory KDC_RUN_DIR using
|
||||
$runstatedir (new in autoconf 2.70, so fall back to $localstatedir/run
|
||||
if it's not set) and use that for the default socket path.
|
||||
|
||||
[ghudson@mit.edu: commit message, otp.rst formatting fix]
|
||||
|
||||
ticket: 7859 (new)
|
||||
|
||||
diff --git a/doc/admin/otp.rst b/doc/admin/otp.rst
|
||||
index 0abd5ff..f12c36d 100644
|
||||
--- a/doc/admin/otp.rst
|
||||
+++ b/doc/admin/otp.rst
|
||||
@@ -23,7 +23,7 @@ the following format::
|
||||
|
||||
[otp]
|
||||
<name> = {
|
||||
- server = <host:port or filename> (default: $KDCDIR/<name>.socket)
|
||||
+ server = <host:port or filename> (default: see below)
|
||||
secret = <filename>
|
||||
timeout = <integer> (default: 5 [seconds])
|
||||
retries = <integer> (default: 3)
|
||||
@@ -33,7 +33,8 @@ the following format::
|
||||
If the server field begins with '/', it will be interpreted as a UNIX
|
||||
socket. Otherwise, it is assumed to be in the format host:port. When
|
||||
a UNIX domain socket is specified, the secret field is optional and an
|
||||
-empty secret is used by default.
|
||||
+empty secret is used by default. If the server field is not
|
||||
+specified, it defaults to |kdcrundir|\ ``/<name>.socket``.
|
||||
|
||||
When forwarding the request over RADIUS, by default the principal is
|
||||
used in the User-Name attribute of the RADIUS packet. The strip_realm
|
||||
diff --git a/doc/conf.py b/doc/conf.py
|
||||
index f015fc8..bc8b2bd 100644
|
||||
--- a/doc/conf.py
|
||||
+++ b/doc/conf.py
|
||||
@@ -231,6 +231,7 @@ if 'mansubs' in tags:
|
||||
sbindir = '``@SBINDIR@``'
|
||||
libdir = '``@LIBDIR@``'
|
||||
localstatedir = '``@LOCALSTATEDIR@``'
|
||||
+ runstatedir = '``@RUNSTATEDIR@``'
|
||||
sysconfdir = '``@SYSCONFDIR@``'
|
||||
ccache = '``@CCNAME@``'
|
||||
keytab = '``@KTNAME@``'
|
||||
@@ -243,6 +244,7 @@ else:
|
||||
sbindir = ':ref:`SBINDIR <paths>`'
|
||||
libdir = ':ref:`LIBDIR <paths>`'
|
||||
localstatedir = ':ref:`LOCALSTATEDIR <paths>`'
|
||||
+ runstatedir = ':ref:`RUNSTATEDIR <paths>`'
|
||||
sysconfdir = ':ref:`SYSCONFDIR <paths>`'
|
||||
ccache = ':ref:`DEFCCNAME <paths>`'
|
||||
keytab = ':ref:`DEFKTNAME <paths>`'
|
||||
@@ -262,6 +264,7 @@ else:
|
||||
rst_epilog += '.. |sbindir| replace:: %s\n' % sbindir
|
||||
rst_epilog += '.. |libdir| replace:: %s\n' % libdir
|
||||
rst_epilog += '.. |kdcdir| replace:: %s\\ ``/krb5kdc``\n' % localstatedir
|
||||
+ rst_epilog += '.. |kdcrundir| replace:: %s\\ ``/krb5kdc``\n' % runstatedir
|
||||
rst_epilog += '.. |sysconfdir| replace:: %s\n' % sysconfdir
|
||||
rst_epilog += '.. |ccache| replace:: %s\n' % ccache
|
||||
rst_epilog += '.. |keytab| replace:: %s\n' % keytab
|
||||
diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst
|
||||
index 89b8f4c..838dabb 100644
|
||||
--- a/doc/mitK5defaults.rst
|
||||
+++ b/doc/mitK5defaults.rst
|
||||
@@ -17,6 +17,7 @@ KDC config file :ref:`kdc.conf(5)` |kdcdir|\ ``/kdc.conf`` **KRB
|
||||
KDC database path (DB2) |kdcdir|\ ``/principal``
|
||||
Master key :ref:`stash_definition` |kdcdir|\ ``/.k5.``\ *realm*
|
||||
Admin server ACL file :ref:`kadm5.acl(5)` |kdcdir|\ ``/kadm5.acl``
|
||||
+OTP socket directory |kdcrundir|
|
||||
Plugin base directory |libdir|\ ``/krb5/plugins``
|
||||
:ref:`rcache_definition` directory ``/var/tmp`` **KRB5RCACHEDIR**
|
||||
Master key default enctype |defmkey|
|
||||
@@ -64,6 +65,7 @@ Description Symbolic name Custom build path Typical
|
||||
User programs BINDIR ``/usr/local/bin`` ``/usr/bin``
|
||||
Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib``
|
||||
Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var``
|
||||
+Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run``
|
||||
Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin``
|
||||
Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc``
|
||||
Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}``
|
||||
diff --git a/src/Makefile.in b/src/Makefile.in
|
||||
index a8bc990..1725093 100644
|
||||
--- a/src/Makefile.in
|
||||
+++ b/src/Makefile.in
|
||||
@@ -64,6 +64,7 @@ INSTALLMKDIRS = $(KRB5ROOT) $(KRB5MANROOT) $(KRB5OTHERMKDIRS) \
|
||||
$(KRB5_AD_MODULE_DIR) \
|
||||
$(KRB5_LIBKRB5_MODULE_DIR) \
|
||||
@localstatedir@ @localstatedir@/krb5kdc \
|
||||
+ @runstatedir@ @runstatedir@/krb5kdc \
|
||||
$(KRB5_INCSUBDIRS) $(datadir) $(EXAMPLEDIR) \
|
||||
$(PKGCONFIG_DIR)
|
||||
|
||||
diff --git a/src/configure.in b/src/configure.in
|
||||
index 2145d54..c2eaf78 100644
|
||||
--- a/src/configure.in
|
||||
+++ b/src/configure.in
|
||||
@@ -1,5 +1,11 @@
|
||||
K5_AC_INIT([aclocal.m4])
|
||||
|
||||
+# If $runstatedir isn't set by autoconf (<2.70), set it manually.
|
||||
+if test x"$runstatedir" == x; then
|
||||
+ runstatedir=$localstatedir/run
|
||||
+fi
|
||||
+AC_SUBST(runstatedir)
|
||||
+
|
||||
CONFIG_RULES
|
||||
KRB5_VERSION=K5_VERSION
|
||||
AC_SUBST(KRB5_VERSION)
|
||||
diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in
|
||||
index a6bb7c5..b07e16a 100644
|
||||
--- a/src/doc/Makefile.in
|
||||
+++ b/src/doc/Makefile.in
|
||||
@@ -7,6 +7,7 @@ DOXYGEN=doxygen
|
||||
|
||||
docsrc=$(top_srcdir)/../doc
|
||||
localstatedir=@localstatedir@
|
||||
+runstatedir=@runstatedir@
|
||||
sysconfdir=@sysconfdir@
|
||||
DEFCCNAME=@DEFCCNAME@
|
||||
DEFKTNAME=@DEFKTNAME@
|
||||
@@ -113,6 +114,7 @@ paths.py:
|
||||
echo 'sbindir = "``$(SERVER_BINDIR)``"' >> $@
|
||||
echo 'libdir = "``$(KRB5_LIBDIR)``"' >> $@
|
||||
echo 'localstatedir = "``$(localstatedir)``"' >> $@
|
||||
+ echo 'runstatedir = "``$(runstatedir)``"' >> $@
|
||||
echo 'sysconfdir = "``$(sysconfdir)``"' >> $@
|
||||
echo 'ccache = "``$(DEFCCNAME)``"' >> $@
|
||||
echo 'keytab = "``$(DEFKTNAME)``"' >> $@
|
||||
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
|
||||
index e13042a..f83ff4e 100644
|
||||
--- a/src/include/Makefile.in
|
||||
+++ b/src/include/Makefile.in
|
||||
@@ -53,6 +53,7 @@ autoconf.stamp: $(srcdir)/autoconf.h.in $(BUILDTOP)/config.status
|
||||
|
||||
SYSCONFDIR = @sysconfdir@
|
||||
LOCALSTATEDIR = @localstatedir@
|
||||
+RUNSTATEDIR = @runstatedir@
|
||||
BINDIR = @bindir@
|
||||
SBINDIR = @sbindir@
|
||||
LIBDIR = @libdir@
|
||||
@@ -66,6 +67,7 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(KRB5RCTMPDIR)+" \
|
||||
-e "s+@MODULEDIR+$(MODULE_DIR)+" \
|
||||
-e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \
|
||||
-e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
|
||||
+ -e 's+@RUNSTATEDIR+$(RUNSTATEDIR)+' \
|
||||
-e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \
|
||||
-e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
|
||||
-e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' \
|
||||
diff --git a/src/include/osconf.hin b/src/include/osconf.hin
|
||||
index 90ab86d..871503a 100644
|
||||
--- a/src/include/osconf.hin
|
||||
+++ b/src/include/osconf.hin
|
||||
@@ -59,6 +59,7 @@
|
||||
#define PLUGIN_EXT "@DYNOBJEXT"
|
||||
|
||||
#define KDC_DIR "@LOCALSTATEDIR/krb5kdc"
|
||||
+#define KDC_RUN_DIR "@RUNSTATEDIR/krb5kdc"
|
||||
#define DEFAULT_KDB_FILE KDC_DIR "/principal"
|
||||
#define DEFAULT_KEYFILE_STUB KDC_DIR "/.k5."
|
||||
#define KRB5_DEFAULT_ADMIN_ACL KDC_DIR "/krb5_adm.acl"
|
||||
diff --git a/src/man/Makefile.in b/src/man/Makefile.in
|
||||
index 4dd2448..2b9c892 100644
|
||||
--- a/src/man/Makefile.in
|
||||
+++ b/src/man/Makefile.in
|
||||
@@ -5,6 +5,7 @@ SPHINX_BUILD=sphinx-build
|
||||
GROFF=@GROFF@
|
||||
GROFF_MAN=$(GROFF) -mtty-char -Tascii -mandoc -c
|
||||
localstatedir=@localstatedir@
|
||||
+runstatedir=@runstatedir@
|
||||
sysconfdir=@sysconfdir@
|
||||
DEFCCNAME=@DEFCCNAME@
|
||||
DEFKTNAME=@DEFKTNAME@
|
||||
@@ -44,6 +45,7 @@ $(docsrc)/version.py: $(top_srcdir)/patchlevel.h
|
||||
-e 's|@SBINDIR@|$(SERVER_BINDIR)|g' \
|
||||
-e 's|@LIBDIR@|$(KRB5_LIBDIR)|g' \
|
||||
-e 's|@LOCALSTATEDIR@|$(localstatedir)|g' \
|
||||
+ -e 's|@RUNSTATEDIR@|$(runstatedir)|g' \
|
||||
-e 's|@SYSCONFDIR@|$(sysconfdir)|g' \
|
||||
-e 's|@CCNAME@|$(DEFCCNAME)|g' \
|
||||
-e 's|@KTNAME@|$(DEFKTNAME)|g' \
|
||||
diff --git a/src/plugins/preauth/otp/otp_state.c b/src/plugins/preauth/otp/otp_state.c
|
||||
index a4d7e3b..4643dff 100644
|
||||
--- a/src/plugins/preauth/otp/otp_state.c
|
||||
+++ b/src/plugins/preauth/otp/otp_state.c
|
||||
@@ -40,7 +40,7 @@
|
||||
#endif
|
||||
|
||||
#define DEFAULT_TYPE_NAME "DEFAULT"
|
||||
-#define DEFAULT_SOCKET_FMT KDC_DIR "/%s.socket"
|
||||
+#define DEFAULT_SOCKET_FMT KDC_RUN_DIR "/%s.socket"
|
||||
#define DEFAULT_TIMEOUT 5
|
||||
#define DEFAULT_RETRIES 3
|
||||
#define MAX_SECRET_LEN 1024
|
29
krb5.spec
29
krb5.spec
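--- a/krb5.spec
+++ b/krb5.spec
@@ -41,7 +41,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.12.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.1-signed.tar
 Source0: krb5-%{version}.tar.gz
@@ -68,6 +68,7 @@ Source34: kadmind.logrotate
 Source36: kpropd.init
 Source37: kadmind.init
 Source38: krb5kdc.init
+Source39: krb5-krb5kdc.conf
 
 BuildRequires: cmake
 # Carry this locally until it's available in a packaged form.
@@ -98,6 +99,7 @@ Patch138: krb5-master-rcache-acquirecred-leak.patch
 Patch139: krb5-master-rcache-acquirecred-source.patch
 Patch140: krb5-master-empty-credstore.patch
 Patch141: krb5-master-rcache-acquirecred-test.patch
+Patch142: krb5-master-move-otp-sockets.patch
 Patch201: 0001-Don-t-try-to-stat-not-on-disk-ccache-residuals.patch
 Patch202: 0002-Use-an-in-memory-cache-until-we-need-the-target-s.patch
 Patch203: 0003-Learn-to-destroy-the-ccache-we-re-copying-from.patch
@@ -344,6 +346,7 @@ ln -s NOTICE LICENSE
 %patch139 -p1 -b .rcache-acquirecred-source
 %patch140 -p1 -b .empty-credstore
 %patch141 -p1 -b .rcache-acquirecred-test
+%patch142 -p1 -b .move-otp-sockets
 
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -401,6 +404,9 @@ pushd src
 %if 0%{?compile_default_ccache_name}
 DEFCCNAME=%{compiled_default_ccache_name}; export DEFCCNAME
 %endif
+# Set this so that configure will have a value even if the current version of
+# autoconf doesn't set one.
+runstatedir=%{_localstatedir}/run; export runstatedir
 # Work out the CFLAGS and CPPFLAGS which we intend to use.
 INCLUDES=-I%{_includedir}/et
 CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC -fno-strict-aliasing -fstack-protector-all`"
@@ -451,6 +457,13 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`"
 make
 popd
 
+# Sanity check the KDC_RUN_DIR.
+configured_kdcrundir=`grep KDC_RUN_DIR src/include/osconf.h | awk '{print $NF}'`
+configured_kdcrundir=`eval echo $configured_kdcrundir`
+if test "$configured_kdcrundir" != %{_localstatedir}/run/krb5kdc ; then
+exit 1
+fi
+
 # Build the docs.
 make -C src/doc paths.py version.py
 cp src/doc/paths.py doc/
@@ -552,6 +565,9 @@ for wrapper in \
 %{SOURCE8} ; do
 install -pm 755 ${wrapper} $RPM_BUILD_ROOT%{_sbindir}/
 done
+mkdir -p $RPM_BUILD_ROOT/%{_tmpfilesdir}
+install -pm 644 %{SOURCE39} $RPM_BUILD_ROOT/%{_tmpfilesdir}/
+mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/run/krb5kdc
 %else
 mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
 for init in \
@@ -825,6 +841,8 @@ exit 0
 %{_unitdir}/krb5kdc.service
 %{_unitdir}/kadmin.service
 %{_unitdir}/kprop.service
+%{_tmpfilesdir}/krb5-krb5kdc.conf
+%dir %{_localstatedir}/run/krb5kdc
 %else
 /etc/rc.d/init.d/krb5kdc
 /etc/rc.d/init.d/kadmin
@@ -998,6 +1016,15 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Fri Feb 7 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-4
+- pull in patch from master to move the default directory which the KDC uses
+when computing the socket path for a local OTP daemon from the database
+directory (/var/kerberos/krb5kdc) to the newly-added run directory
+(/run/krb5kdc), in line with what we're expecting in 1.13 (RT#7859)
+- add a tmpfiles.d configuration file to have /run/krb5kdc created at
+boot-time
+- own /var/run/krb5kdc
+
 * Fri Jan 31 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-3
 - refresh nss_wrapper and add socket_wrapper to the %%check environment
 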
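Review bot: The KDC_RUN_DIR sanity check added in the `-451,6 +457,13` hunk exits 1 without saying why, so a mismatch would surface in the build log only as an anonymous failed %build step. Print what was found before bailing out: `echo "KDC_RUN_DIR is $configured_kdcrundir, expected %{_localstatedir}/run/krb5kdc" >&2` ahead of `exit 1`. The grep should also be anchored to the definition, `grep '^#define KDC_RUN_DIR ' src/include/osconf.h`, so a second mention of the macro in that header would not expand the variable to two words and defeat the comparison. The `eval echo` only strips quotes from a header produced by this package's own build, so it is acceptable here, but a one-line comment saying so would stop a later reader from treating it as an eval on untrusted input.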