Subject: Re: Fixing the "kdc" startup file.
From: "Dan Mahoney (Ports)" <freebsd@gushi.org>
Date: Wed, 5 Apr 2023 07:19:58 -0700
To: Cy Schubert
Cc: questions@freebsd.org, cy@freebsd.org
In-Reply-To: <20230405140916.A74D816F@slippy.cwsent.com>
References: <48fa4fc5-76c0-3cd1-eda6-bc71dbcd4db3@prime.gushi.org> <20230405140916.A74D816F@slippy.cwsent.com>
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

> On Apr 5, 2023, at 7:09 AM, Cy Schubert wrote:
> 
> In message <48fa4fc5-76c0-3cd1-eda6-bc71dbcd4db3@prime.gushi.org>, "Dan 
> Mahoney (Gushi)" writes:
>> Hey there all,
>> 
>> I'm hitting the issue where we use MIT krb5kdc at work, but the port 
>> doesn't provide its own startup file.
>> 
>> Previously, I'd been told (I think by the maintainer) to just set 
>> kdc_program and the like in rc.conf, but that really doesn't solve things: 
>> the one in base is sorely lacking (find_proc doesn't work with it, it 
>> doesn't restart cleanly, it doesn't give you a way to have krb5kdc specify 
>> a pid file).
>> 
>> Setting things like:
>> 
>> kdc_pidfile=/var/run/krb5kdc.pid
>> kdc_args="-P /var/run/krb5kdc.pid"
>> 
>> in rc.conf does nothing because the existing rc.d script doesn't provide a 
>> way to override them.
>> 
>> For starters: Heimdal has no pidfile support, but it could get one if 
>> launched under daemon(1) -- heimdal doesn't even detach by default -- the 
>> rc.d file sets --detach. MIT only creates one if you specify -P, and 
>> there's no corresponding kdc.conf knob.
>> 
>> While we're at it,
>> 
>> ====
>> 
>> There's this very old bug that references this, last touched in 2020, 
>> closed unsuccessful. I want to fix it.
>> 
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197337
> 
> IIRC the resolution of this bug was to install the rc files.
> 
> Plans are in the works to replace Heimdal in base with MIT (through a 
> staged approach). Any new rc scripts will serve to further confuse an 
> already confusing (for users) situation.
> 
> A possible interim measure might be a new port/package which simply provides 
> generic rc scripts for MIT, which could be extended when MIT replaces 
> heimdal in base.
> 
>> 
>> ====
>> 
>> I've written a number of startup files for our own services at work (we 
>> use puppet, so it relies on the built-in BSD framework to start, stop, and 
>> refresh services cleanly).
>> 
>> If I supplied startup files for mitkdc, mitkadmin, mitkpropd, would they 
>> be useful?
> 
> We already have one.
> 
> Historically kpropd has been run from inetd. There is a daemon mode but 
> IMO running it through inetd takes fewer resources.
> 
> There is also a kdc shell script to be used as a drop-in replacement for 
> heimdal's kdc, accepting the same arguments.
> 
>> 
>> I'll note, this is not an "urgent" thing. I'm planning to be at BSDCan. 
>> If others want to meet me there and hack on this, I'm a chunky guy with 
>> blue hair and am hard to miss.
> 
> I have no plans to go to BSDCan this year. Maybe next year.
> 
>> 
>> -Dan
>> 
>> -- 
>> 
>> --------Dan Mahoney--------
>> Techie, Sysadmin, WebGeek
>> Gushi on efnet/undernet IRC
>> FB: fb.com/DanielMahoneyIV
>> LI: linkedin.com/in/gushi
>> Site: http://www.gushi.org
>> ---------------------------
> 
> Can you post the relevant lines in your rc.conf, please.

The standard ones:

kdc_enable="YES"
kdc_program="/usr/local/sbin/kdc"

## these don't do anything useful
kdc_pidfile=/var/run/krb5kdc.pid
kdc_args="-P /var/run/krb5kdc.pid"
kdc_procname="krb5kdc"

root@k1:/etc/rc.d # service kdc status
kdc is not running.
root@k1:/etc/rc.d # ps auxwww|grep kdc
root 60106  0.0  0.1 17960 8484  -  Is   14:06   0:00.08 /usr/local/sbin/krb5kdc
root 60214  0.0  0.0 11288 2596  0  S+   14:14   0:00.00 grep kdc

Note that, even without pid file support, adding this to rc.d/kdc at least gives you a useful "status" command:

procname=${kdc_procname:-/usr/local/sbin/krb5kdc}

root@k1:/etc/rc.d # service kdc status
kdc is running as pid 60106.

Which, when we need puppet runs to be idempotent, matters.

-Dan

> 
> 
> -- 
> Cheers,
> Cy Schubert
> FreeBSD UNIX:  Web:  https://FreeBSD.org
> NTP:           Web:  https://nwtime.org
> 
> e^(i*pi)+1=0
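[Editor's note, added to this archived message; the script below is an illustration written for this page, not code from the thread, from FreeBSD's rc.subr, or from the krb5 port.] The "kdc is not running" result above comes from how rc.subr answers "status": when a pidfile is set it reads the pid and checks that the live process's command matches $procname (check_pidfile); when none is set it scans the process table for $procname (check_process). procname defaults to $command, and kdc_program points $command at the wrapper /usr/local/sbin/kdc, while the process that is actually alive is /usr/local/sbin/krb5kdc, so nothing matches. The functions below re-implement that decision portably (matching is simplified to argv[0] basenames; the real code also handles interpreters and jail ids), and krb5kdc_rc_script prints an rc.d script that keeps pidfile, command and procname consistent and passes -P so krb5kdc writes the pidfile. The script name krb5kdc, the rcvar krb5kdc_enable, the REQUIRE line and the /var/run path are assumptions made for the example.

```shell
#!/bin/sh
# Illustrative re-implementation of the rc.subr "status" decision; not the
# real rc.subr code. With a pidfile it acts like check_pidfile, without one
# like check_process. Matching compares argv[0] basenames (simplification).

# _argv0_of PID: first word of PID's command line, or nothing if it is gone.
# Uses /proc where present (Linux, linprocfs) and ps(1) otherwise (FreeBSD).
_argv0_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline" | awk 'NR == 1 { print $1 }'
    else
        ps -p "$1" -o args= 2>/dev/null | awk 'NR == 1 { print $1 }'
    fi
}

# _all_pids: every pid currently in the process table.
_all_pids() {
    if [ -d /proc/self ]; then
        for _d in /proc/[0-9]*; do echo "${_d#/proc/}"; done
    else
        ps -A -o pid= 2>/dev/null
    fi
}

# rc_find_pid PIDFILE PROCNAME
#   Prints the pid of a live process whose argv[0] matches PROCNAME and
#   returns 0; prints nothing and returns 1 otherwise. PIDFILE may be empty.
rc_find_pid() {
    _pidfile=$1
    _want=$(basename "$2")
    if [ -n "$_pidfile" ]; then
        # check_pidfile: a missing, empty, non-numeric or stale pidfile means
        # "not running"; there is deliberately no fallback to a name search.
        [ -r "$_pidfile" ] || return 1
        _pid=$(head -n 1 "$_pidfile" | tr -d '[:space:]')
        case $_pid in
            '' | *[!0-9]*) return 1 ;;
        esac
        kill -0 "$_pid" 2>/dev/null || return 1
        _argv0=$(_argv0_of "$_pid")
        [ -n "$_argv0" ] || return 1
        [ "$(basename "$_argv0")" = "$_want" ] || return 1
        echo "$_pid"
        return 0
    fi
    # check_process: no pidfile, so match on command name across the table.
    # This is the path Dan's procname= line fixes: the wrapper name "kdc"
    # never matches the live "krb5kdc", the real daemon name does.
    for _pid in $(_all_pids); do
        _argv0=$(_argv0_of "$_pid")
        if [ -n "$_argv0" ] && [ "$(basename "$_argv0")" = "$_want" ]; then
            echo "$_pid"
            return 0
        fi
    done
    return 1
}

# rc_status NAME PIDFILE PROCNAME
#   Prints the message run_rc_command prints for "status"; returns 0 when
#   the daemon is running and 1 otherwise (the bit a config manager checks).
rc_status() {
    if _pid=$(rc_find_pid "$2" "$3"); then
        echo "$1 is running as pid $_pid."
    else
        echo "$1 is not running."
        return 1
    fi
}

# krb5kdc_rc_script: prints an illustrative rc.d script for MIT krb5kdc.
# Script name, rcvar, REQUIRE line and /var/run path are assumptions.
krb5kdc_rc_script() {
    cat <<'EOF'
#!/bin/sh
# PROVIDE: krb5kdc
# REQUIRE: NETWORKING SERVERS
# KEYWORD: shutdown
. /etc/rc.subr
name="krb5kdc"
rcvar="krb5kdc_enable"
load_rc_config $name
: ${krb5kdc_enable:="NO"}
: ${krb5kdc_pidfile:="/var/run/krb5kdc.pid"}
pidfile="${krb5kdc_pidfile}"
command="/usr/local/sbin/krb5kdc"
procname="${command}"
command_args="-P ${pidfile}"
run_rc_command "$1"
EOF
}

# Demo: "sh thisfile --demo" uses a throwaway sleep(1) as the stand-in daemon
# and shows the wrong-procname failure next to the matching check.
if [ "${1-}" = "--demo" ]; then
    sleep 30 & _demo=$!
    _pf=$(mktemp) && echo "$_demo" > "$_pf"
    rc_status kdc "$_pf" /usr/local/sbin/kdc || true
    rc_status kdc "$_pf" /bin/sleep
    kill "$_demo"; rm -f "$_pf"
fi
```

The stale-pidfile branch is the reason the rc.conf knobs in the message are not enough on their own: once a pidfile is configured, rc.subr trusts it and never falls back to a name search, so a daemon that does not actually write the file (krb5kdc without -P, Heimdal kdc at all) will always report "not running" even while it serves tickets. Passing -P from command_args and pointing procname at the real binary removes both failure modes at once.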