Move the default directory for OTP sockets to /var/run/krb5kdc

- pull in patch from master to move the default directory which the KDC uses when computing the socket path for a local OTP daemon from the database directory (/var/kerberos/krb5kdc) to the newly-added run directory (/run/krb5kdc), in line with what we're expecting in 1.13 (RT#7859) - add a tmpfiles.d configuration file to have /run/krb5kdc created at boot-time - own /var/run/krb5kdc
2014-02-07 16:13:29 -05:00 · 2014-02-07 16:13:29 -05:00 · bdb8c58c53
commit bdb8c58c53
parent 99444865b1
3 changed files with 231 additions and 1 deletions
--- a/krb5-krb5kdc.conf
+++ b/krb5-krb5kdc.conf
@ -0,0 +1 @@
+d /var/run/krb5kdc 0755 root root
--- a/krb5-master-move-otp-sockets.patch
+++ b/krb5-master-move-otp-sockets.patch
@ -0,0 +1,202 @@
+Adjusted to apply after the local doublelog patch.
+
+commit 1e4bdcfed2c7bda94d5c135cc32a5993ca032501
+Author: Nathaniel McCallum <npmccallum@redhat.com>
+Date:   Wed Feb 5 10:59:46 2014 -0500
+
+    Move OTP sockets to KDC_RUN_DIR
+    
+    Some system configurations expect Unix-domain sockets to live under
+    /run or /var/run, and not other parts of /var where persistent
+    application state lives.  Define a new directory KDC_RUN_DIR using
+    $runstatedir (new in autoconf 2.70, so fall back to $localstatedir/run
+    if it's not set) and use that for the default socket path.
+    
+    [ghudson@mit.edu: commit message, otp.rst formatting fix]
+    
+    ticket: 7859 (new)
+
+diff --git a/doc/admin/otp.rst b/doc/admin/otp.rst
+index 0abd5ff..f12c36d 100644
+--- a/doc/admin/otp.rst
+++ b/doc/admin/otp.rst
+@@ -23,7 +23,7 @@ the following format::
+ 
+     [otp]
+         <name> = {
+-            server = <host:port or filename> (default: $KDCDIR/<name>.socket)
+            server = <host:port or filename> (default: see below)
+             secret = <filename>
+             timeout = <integer> (default: 5 [seconds])
+             retries = <integer> (default: 3)
+@@ -33,7 +33,8 @@ the following format::
+ If the server field begins with '/', it will be interpreted as a UNIX
+ socket.  Otherwise, it is assumed to be in the format host:port.  When
+ a UNIX domain socket is specified, the secret field is optional and an
+-empty secret is used by default.
+empty secret is used by default.  If the server field is not
+specified, it defaults to |kdcrundir|\ ``/<name>.socket``.
+ 
+ When forwarding the request over RADIUS, by default the principal is
+ used in the User-Name attribute of the RADIUS packet.  The strip_realm
+diff --git a/doc/conf.py b/doc/conf.py
+index f015fc8..bc8b2bd 100644
+--- a/doc/conf.py
+++ b/doc/conf.py
+@@ -231,6 +231,7 @@ if 'mansubs' in tags:
+     sbindir = '``@SBINDIR@``'
+     libdir = '``@LIBDIR@``'
+     localstatedir = '``@LOCALSTATEDIR@``'
+    runstatedir = '``@RUNSTATEDIR@``'
+     sysconfdir = '``@SYSCONFDIR@``'
+     ccache = '``@CCNAME@``'
+     keytab = '``@KTNAME@``'
+@@ -243,6 +244,7 @@ else:
+     sbindir = ':ref:`SBINDIR <paths>`'
+     libdir = ':ref:`LIBDIR <paths>`'
+     localstatedir = ':ref:`LOCALSTATEDIR <paths>`'
+    runstatedir = ':ref:`RUNSTATEDIR <paths>`'
+     sysconfdir = ':ref:`SYSCONFDIR <paths>`'
+     ccache = ':ref:`DEFCCNAME <paths>`'
+     keytab = ':ref:`DEFKTNAME <paths>`'
+@@ -262,6 +264,7 @@ else:
+     rst_epilog += '.. |sbindir| replace:: %s\n' % sbindir
+     rst_epilog += '.. |libdir| replace:: %s\n' % libdir
+     rst_epilog += '.. |kdcdir| replace:: %s\\ ``/krb5kdc``\n' % localstatedir
+    rst_epilog += '.. |kdcrundir| replace:: %s\\ ``/krb5kdc``\n' % runstatedir
+     rst_epilog += '.. |sysconfdir| replace:: %s\n' % sysconfdir
+     rst_epilog += '.. |ccache| replace:: %s\n' % ccache
+     rst_epilog += '.. |keytab| replace:: %s\n' % keytab
+diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst
+index 89b8f4c..838dabb 100644
+--- a/doc/mitK5defaults.rst
+++ b/doc/mitK5defaults.rst
+@@ -17,6 +17,7 @@ KDC config file :ref:`kdc.conf(5)`          |kdcdir|\ ``/kdc.conf``        **KRB
+ KDC database path (DB2)                     |kdcdir|\ ``/principal``
+ Master key :ref:`stash_definition`          |kdcdir|\ ``/.k5.``\ *realm*
+ Admin server ACL file :ref:`kadm5.acl(5)`   |kdcdir|\ ``/kadm5.acl``
+OTP socket directory                        |kdcrundir|
+ Plugin base directory                       |libdir|\ ``/krb5/plugins``
+ :ref:`rcache_definition` directory          ``/var/tmp``                   **KRB5RCACHEDIR**
+ Master key default enctype                  |defmkey|
+@@ -64,6 +65,7 @@ Description                 Symbolic name  Custom build path            Typical
+ User programs               BINDIR         ``/usr/local/bin``           ``/usr/bin``
+ Libraries and plugins       LIBDIR         ``/usr/local/lib``           ``/usr/lib``
+ Parent of KDC state dir     LOCALSTATEDIR  ``/usr/local/var``           ``/var``
+Parent of KDC runtime dir   RUNSTATEDIR    ``/usr/local/var/run``       ``/run``
+ Administrative programs     SBINDIR        ``/usr/local/sbin``          ``/usr/sbin``
+ Alternate krb5.conf dir     SYSCONFDIR     ``/usr/local/etc``           ``/etc``
+ Default ccache name         DEFCCNAME      ``FILE:/tmp/krb5cc_%{uid}``  ``FILE:/tmp/krb5cc_%{uid}``
+diff --git a/src/Makefile.in b/src/Makefile.in
+index a8bc990..1725093 100644
+--- a/src/Makefile.in
+++ b/src/Makefile.in
+@@ -64,6 +64,7 @@ INSTALLMKDIRS = $(KRB5ROOT) $(KRB5MANROOT) $(KRB5OTHERMKDIRS) \
+ 		$(KRB5_AD_MODULE_DIR) \
+ 		$(KRB5_LIBKRB5_MODULE_DIR) \
+ 		@localstatedir@ @localstatedir@/krb5kdc \
+		@runstatedir@ @runstatedir@/krb5kdc \
+ 		$(KRB5_INCSUBDIRS) $(datadir) $(EXAMPLEDIR) \
+ 		$(PKGCONFIG_DIR)
+ 
+diff --git a/src/configure.in b/src/configure.in
+index 2145d54..c2eaf78 100644
+--- a/src/configure.in
+++ b/src/configure.in
+@@ -1,5 +1,11 @@
+ K5_AC_INIT([aclocal.m4])
+ 
+# If $runstatedir isn't set by autoconf (<2.70), set it manually.
+if test x"$runstatedir" == x; then
+  runstatedir=$localstatedir/run
+fi
+AC_SUBST(runstatedir)
+
+ CONFIG_RULES
+ KRB5_VERSION=K5_VERSION
+ AC_SUBST(KRB5_VERSION)
+diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in
+index a6bb7c5..b07e16a 100644
+--- a/src/doc/Makefile.in
+++ b/src/doc/Makefile.in
+@@ -7,6 +7,7 @@ DOXYGEN=doxygen
+ 
+ docsrc=$(top_srcdir)/../doc
+ localstatedir=@localstatedir@
+runstatedir=@runstatedir@
+ sysconfdir=@sysconfdir@
+ DEFCCNAME=@DEFCCNAME@
+ DEFKTNAME=@DEFKTNAME@
+@@ -113,6 +114,7 @@ paths.py:
+ 	echo 'sbindir = "``$(SERVER_BINDIR)``"' >> $@
+ 	echo 'libdir = "``$(KRB5_LIBDIR)``"' >> $@
+ 	echo 'localstatedir = "``$(localstatedir)``"' >> $@
+	echo 'runstatedir = "``$(runstatedir)``"' >> $@
+ 	echo 'sysconfdir = "``$(sysconfdir)``"' >> $@
+ 	echo 'ccache = "``$(DEFCCNAME)``"' >> $@
+ 	echo 'keytab = "``$(DEFKTNAME)``"' >> $@
+diff --git a/src/include/Makefile.in b/src/include/Makefile.in
+index e13042a..f83ff4e 100644
+--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
+@@ -53,6 +53,7 @@ autoconf.stamp: $(srcdir)/autoconf.h.in $(BUILDTOP)/config.status
+ 
+ SYSCONFDIR = @sysconfdir@
+ LOCALSTATEDIR = @localstatedir@
+RUNSTATEDIR = @runstatedir@
+ BINDIR = @bindir@
+ SBINDIR = @sbindir@
+ LIBDIR  = @libdir@
+@@ -66,6 +67,7 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(KRB5RCTMPDIR)+" \
+ 		  -e "s+@MODULEDIR+$(MODULE_DIR)+" \
+ 		  -e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \
+ 		  -e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
+		  -e 's+@RUNSTATEDIR+$(RUNSTATEDIR)+' \
+ 		  -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \
+ 		  -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
+ 		  -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' \
+diff --git a/src/include/osconf.hin b/src/include/osconf.hin
+index 90ab86d..871503a 100644
+--- a/src/include/osconf.hin
+++ b/src/include/osconf.hin
+@@ -59,6 +59,7 @@
+ #define PLUGIN_EXT              "@DYNOBJEXT"
+ 
+ #define KDC_DIR                 "@LOCALSTATEDIR/krb5kdc"
+#define KDC_RUN_DIR             "@RUNSTATEDIR/krb5kdc"
+ #define DEFAULT_KDB_FILE        KDC_DIR "/principal"
+ #define DEFAULT_KEYFILE_STUB    KDC_DIR "/.k5."
+ #define KRB5_DEFAULT_ADMIN_ACL  KDC_DIR "/krb5_adm.acl"
+diff --git a/src/man/Makefile.in b/src/man/Makefile.in
+index 4dd2448..2b9c892 100644
+--- a/src/man/Makefile.in
+++ b/src/man/Makefile.in
+@@ -5,6 +5,7 @@ SPHINX_BUILD=sphinx-build
+ GROFF=@GROFF@
+ GROFF_MAN=$(GROFF) -mtty-char -Tascii -mandoc -c
+ localstatedir=@localstatedir@
+runstatedir=@runstatedir@
+ sysconfdir=@sysconfdir@
+ DEFCCNAME=@DEFCCNAME@
+ DEFKTNAME=@DEFKTNAME@
+@@ -44,6 +45,7 @@ $(docsrc)/version.py: $(top_srcdir)/patchlevel.h
+ 	    -e 's|@SBINDIR@|$(SERVER_BINDIR)|g' \
+ 	    -e 's|@LIBDIR@|$(KRB5_LIBDIR)|g' \
+ 	    -e 's|@LOCALSTATEDIR@|$(localstatedir)|g' \
+	    -e 's|@RUNSTATEDIR@|$(runstatedir)|g' \
+ 	    -e 's|@SYSCONFDIR@|$(sysconfdir)|g' \
+ 	    -e 's|@CCNAME@|$(DEFCCNAME)|g' \
+ 	    -e 's|@KTNAME@|$(DEFKTNAME)|g' \
+diff --git a/src/plugins/preauth/otp/otp_state.c b/src/plugins/preauth/otp/otp_state.c
+index a4d7e3b..4643dff 100644
+--- a/src/plugins/preauth/otp/otp_state.c
+++ b/src/plugins/preauth/otp/otp_state.c
+@@ -40,7 +40,7 @@
+ #endif
+ 
+ #define DEFAULT_TYPE_NAME "DEFAULT"
+-#define DEFAULT_SOCKET_FMT KDC_DIR "/%s.socket"
+#define DEFAULT_SOCKET_FMT KDC_RUN_DIR "/%s.socket"
+ #define DEFAULT_TIMEOUT 5
+ #define DEFAULT_RETRIES 3
+ #define MAX_SECRET_LEN 1024
--- a/krb5.spec
+++ b/krb5.spec
@ -41,7 +41,7 @@
 Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.12.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.1-signed.tar
 Source0: krb5-%{version}.tar.gz
@ -68,6 +68,7 @@ Source34: kadmind.logrotate
 Source36: kpropd.init
 Source37: kadmind.init
 Source38: krb5kdc.init
+Source39: krb5-krb5kdc.conf

 BuildRequires: cmake
 # Carry this locally until it's available in a packaged form.
@ -98,6 +99,7 @@ Patch138: krb5-master-rcache-acquirecred-leak.patch
 Patch139: krb5-master-rcache-acquirecred-source.patch
 Patch140: krb5-master-empty-credstore.patch
 Patch141: krb5-master-rcache-acquirecred-test.patch
+Patch142: krb5-master-move-otp-sockets.patch
 Patch201: 0001-Don-t-try-to-stat-not-on-disk-ccache-residuals.patch
 Patch202: 0002-Use-an-in-memory-cache-until-we-need-the-target-s.patch
 Patch203: 0003-Learn-to-destroy-the-ccache-we-re-copying-from.patch
@ -344,6 +346,7 @@ ln -s NOTICE LICENSE
 %patch139 -p1 -b .rcache-acquirecred-source
 %patch140 -p1 -b .empty-credstore
 %patch141 -p1 -b .rcache-acquirecred-test
+%patch142 -p1 -b .move-otp-sockets

 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@ -401,6 +404,9 @@ pushd src
 %if 0%{?compile_default_ccache_name}
 DEFCCNAME=%{compiled_default_ccache_name}; export DEFCCNAME
 %endif
+# Set this so that configure will have a value even if the current version of
+# autoconf doesn't set one.
+runstatedir=%{_localstatedir}/run; export runstatedir
 # Work out the CFLAGS and CPPFLAGS which we intend to use.
 INCLUDES=-I%{_includedir}/et
 CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC -fno-strict-aliasing -fstack-protector-all`"
@ -451,6 +457,13 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`"
 make
 popd

+# Sanity check the KDC_RUN_DIR.
+configured_kdcrundir=`grep KDC_RUN_DIR src/include/osconf.h | awk '{print $NF}'`
+configured_kdcrundir=`eval echo $configured_kdcrundir`
+if test "$configured_kdcrundir" != %{_localstatedir}/run/krb5kdc ; then
+	exit 1
+fi
+
 # Build the docs.
 make -C src/doc paths.py version.py
 cp src/doc/paths.py doc/
@ -552,6 +565,9 @@ for wrapper in \
 	%{SOURCE8} ; do
 	install -pm 755 ${wrapper} $RPM_BUILD_ROOT%{_sbindir}/
 done
+mkdir -p $RPM_BUILD_ROOT/%{_tmpfilesdir}
+install -pm 644 %{SOURCE39} $RPM_BUILD_ROOT/%{_tmpfilesdir}/
+mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/run/krb5kdc
 %else
 mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
 for init in \
@ -825,6 +841,8 @@ exit 0
 %{_unitdir}/krb5kdc.service
 %{_unitdir}/kadmin.service
 %{_unitdir}/kprop.service
+%{_tmpfilesdir}/krb5-krb5kdc.conf
+%dir %{_localstatedir}/run/krb5kdc
 %else
 /etc/rc.d/init.d/krb5kdc
 /etc/rc.d/init.d/kadmin
@ -998,6 +1016,15 @@ exit 0
 %{_sbindir}/uuserver

 %changelog
+* Fri Feb  7 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-4
+- pull in patch from master to move the default directory which the KDC uses
+  when computing the socket path for a local OTP daemon from the database
+  directory (/var/kerberos/krb5kdc) to the newly-added run directory
+  (/run/krb5kdc), in line with what we're expecting in 1.13 (RT#7859)
+- add a tmpfiles.d configuration file to have /run/krb5kdc created at
+  boot-time
+- own /var/run/krb5kdc
+
 * Fri Jan 31 2014 Nalin Dahyabhai <nalin@redhat.com> - 1.12.1-3
 - refresh nss_wrapper and add socket_wrapper to the %%check environment