[Bug 205146] [patch] Kerberos section of Handbook is inconsistent with system

bugzilla-noreply at freebsd.org
Tue Dec 8 19:18:10 UTC 2015


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=205146

            Bug ID: 205146
           Summary: [patch] Kerberos section of Handbook is inconsistent
                    with system
           Product: Documentation
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch
          Severity: Affects Many People
          Priority: ---
         Component: Documentation
          Assignee: freebsd-doc at FreeBSD.org
          Reporter: kevin at bostoncrypto.com

Created attachment 163997
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=163997&action=edit
Patch for Security Chapter of Handbook

I have found that there are several inconsistencies between the Kerberos
setup instructions of the handbook and the behavior of STABLE and
CURRENT, due to renamed daemons, rc scripts, etc.

Using the rc.conf variables suggested in the Handbook results in the
following warnings:

"/etc/rc.d/kadmind: WARNING: $kadmind5_server_enable is obsolete.  Use
$kadmind_enable instead.
/etc/rc.d/kadmind: WARNING: $kerberos5_server_enable is obsolete.  Use
$kdc_enable instead."

Furthermore, even attempting to start the service with
"service kerberos enable", as suggested in the Handbook, simply fails with
"kerberos does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d)"

I believe Bug ID 204788 also complains of at least some of these
problems, and I am attaching a patch which I believe fixes at least those
issues I mention above.

Furthermore, the man page for rc.conf would also appear to be out of 
date; no mention of the "kdc_enable" option is made, even though that
would seem to be the correct way to enable the Heimdal server included
in base.  However, while the presence of "kerberos5_server_enable" would
seem to be outdated, according to warnings as quoted above, the variable
"kerberos5_server", which can assign an arbitrary path to a daemon of
choice, might keep the presence of this option relevant.  A similar 
argument could be made for "kadmind5_server_enable" and 
"kadmind5_server".

So, while I think "kdc_enable" and "kadmind_enable" should certainly be
added to the man page, I am not sure whether they should replace or
merely augment the current options.  I'll be happy to submit a patch if
someone can offer me guidance in this regard.

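An added example, not part of the original report or of FreeBSD itself: a POSIX sh check that scans an rc.conf-style file for the two obsolete knobs named in the warnings quoted above and prints the replacement assignment for each. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Map an obsolete knob to its replacement (pairs taken from the quoted
# rc.d warnings in the report).
krb_replacement() {
    case "$1" in
        kerberos5_server_enable) echo kdc_enable ;;
        kadmind5_server_enable)  echo kadmind_enable ;;
        *) return 1 ;;
    esac
}

# Usage: check_krb_rcconf FILE
# Prints "LINE: old -> new=value" for every active (uncommented) obsolete
# assignment. Returns 0 if the file is clean, 1 if anything was flagged.
check_krb_rcconf() {
    file=$1
    lineno=0
    found=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Strip leading whitespace, then skip comments and blank lines.
        trimmed=${line#"${line%%[![:space:]]*}"}
        case "$trimmed" in ''|'#'*) continue ;; esac
        # Only NAME=VALUE lines are of interest.
        case "$trimmed" in *=*) ;; *) continue ;; esac
        name=${trimmed%%=*}
        value=${trimmed#*=}
        if new=$(krb_replacement "$name"); then
            echo "$lineno: $name -> $new=$value"
            found=1
        fi
    done < "$file"
    return $found
}

# Constructed sample input (not from the report). The path variable
# kerberos5_server is not named in the quoted warnings, so it is not flagged.
sample_rcconf() {
    cat <<'EOF'
# Kerberos KDC
kerberos5_server_enable="YES"
kadmind5_server_enable="YES"
#kerberos5_server_enable="NO"
kerberos5_server="/usr/local/libexec/kdc"
sshd_enable="YES"
EOF
}
```

Run it against a real configuration with `check_krb_rcconf /etc/rc.conf`; a non-zero exit status means at least one obsolete knob is still set.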