Date: Wed, 5 Apr 2023 07:19:58 -0700
From: "Dan Mahoney (Ports)" <freebsd@gushi.org>
To: Cy Schubert <Cy.Schubert@cschubert.com>
Cc: questions@freebsd.org, cy@freebsd.org
Subject: Re: Fixing the "kdc" startup file.
Message-ID: <F252BE8B-74D3-41CD-ABC9-FE54E5D8C423@gushi.org>
In-Reply-To: <20230405140916.A74D816F@slippy.cwsent.com>
References: <48fa4fc5-76c0-3cd1-eda6-bc71dbcd4db3@prime.gushi.org> <20230405140916.A74D816F@slippy.cwsent.com>
> On Apr 5, 2023, at 7:09 AM, Cy Schubert <Cy.Schubert@cschubert.com> wrote:
>
> In message <48fa4fc5-76c0-3cd1-eda6-bc71dbcd4db3@prime.gushi.org>, "Dan Mahoney (Gushi)" writes:
>> Hey there all,
>>
>> I'm hitting the issue where we use MIT krb5kdc at work, but the port
>> doesn't provide its own startup file.
>>
>> Previously, I'd been told (I think by the maintainer) to just set
>> kdc_program and the like in rc.conf, but that really doesn't solve things:
>> the one in base is sorely lacking (find_proc doesn't work with it, it
>> doesn't restart cleanly, it doesn't give you a way to have krb5kdc specify
>> a pid file).
>>
>> Setting things like:
>>
>> kdc_pidfile=/var/run/krb5kdc.pid
>> kdc_args="-P /var/run/krb5kdc.pid"
>>
>> in rc.conf do nothing because the existing rc.d script doesn't provide a
>> way to override them.
>>
>> For starters: Heimdal has no pidfile support, but it could get one if
>> launched under daemon(1) -- heimdal doesn't even detach by default -- the
>> rc.d file sets --detach. MIT only creates one if you specify -P, and
>> there's no corresponding kdc.conf knob.
>>
>> While we're at it,
>>
>> ====
>>
>> There's this very old bug that references this, last touched in 2020,
>> closed unsuccessful. I want to fix it.
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197337
>
> IIRC the resolution of this bug was to install the rc files.
>
> Plans are in the works to replace Heimdal in base with MIT (through a
> staged approach). Any new rc scripts will serve to further confuse an
> already confusing (for users) situation.
>
> A possible interim measure might be a new port/package which simply provides
> generic rc scripts for MIT, which could be extended when MIT replaces
> heimdal in base.
>
>>
>> ====
>>
>> I've written a number of startup files for our own services at work (we
>> use puppet, so it relies on the built-in BSD framework to start, stop, and
>> refresh services cleanly).
>>
>> If I supplied startup files for mitkdc, mitkadmin, mitkpropd, would they
>> be useful?
>
> We already have one.
>
> Historically kpropd has been run from inetd. There is a daemon mode but
> IMO running it through inetd takes fewer resources.
>
> There is also a kdc shell script to be used as a drop-in replacement for
> heimdal's kdc, accepting the same arguments.
>
>>
>> I'll note, this is not an "urgent" thing. I'm planning to be at BSDCan.
>> If others want to meet me there and hack on this, I'm a chunky guy with
>> blue hair and am hard to miss.
>
> I have no plans to go to BSDCan this year. Maybe next year.
>
>>
>> -Dan
>>
>> --
>>
>> --------Dan Mahoney--------
>> Techie, Sysadmin, WebGeek
>> Gushi on efnet/undernet IRC
>> FB: fb.com/DanielMahoneyIV
>> LI: linkedin.com/in/gushi
>> Site: http://www.gushi.org
>> ---------------------------
>
> Can you post the relevant lines in your rc.conf, please.

The standard ones:

kdc_enable="YES"
kdc_program="/usr/local/sbin/kdc"
## these don't do anything useful
kdc_pidfile=/var/run/krb5kdc.pid
kdc_args="-P /var/run/krb5kdc.pid"
kdc_procname="krb5kdc"

root@k1:/etc/rc.d # service kdc status
kdc is not running.
root@k1:/etc/rc.d # ps auxwww|grep kdc
root 60106  0.0  0.1 17960 8484  -  Is   14:06  0:00.08 /usr/local/sbin/krb5kdc
root 60214  0.0  0.0 11288 2596  0  S+   14:14  0:00.00 grep kdc

Note that, even without pid file support, adding this to rc.d/kdc at least gives you a useful "status" command:

procname=${kdc_procname:-/usr/local/sbin/krb5kdc}

root@k1:/etc/rc.d # service kdc status
kdc is running as pid 60106.

Which, when we need puppet runs to be idempotent, matters.
-Dan

>
>
> --
> Cheers,
> Cy Schubert <Cy.Schubert@cschubert.com>
> FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
> NTP: <cy@nwtime.org> Web: https://nwtime.org
>
> e^(i*pi)+1=0
>
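The override handling Dan is asking for, as an added example that is not part of the thread, the FreeBSD base system or the security/krb5 port. It shows how a corrected rc.d/kdc would resolve kdc_program, kdc_pidfile, kdc_procname and kdc_args from rc.conf (the variable names from the thread) so that MIT krb5kdc is actually started with -P, plus a pidfile-based status check that treats a stale or garbage pid file as "not running". Every default value and all function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from this thread, the FreeBSD base system or the
# security/krb5 port. Shows the variable handling a corrected rc.d/kdc needs
# so that kdc_program, kdc_pidfile, kdc_procname and kdc_args from rc.conf
# take effect for MIT krb5kdc, plus a pidfile-based status check that
# recognises a stale pid file. The kdc_* names are the ones used in the
# thread; the default values and the function names are assumptions.

# rc.subr only honours ${name}_program on its own; pidfile and procname have
# to be assigned explicitly in the script, which is what base's rc.d/kdc
# lacks. kdc_program may be a wrapper (the thread uses /usr/local/sbin/kdc)
# while the running process is krb5kdc, so procname gets its own knob.
kdc_program_resolved()  { printf '%s\n' "${kdc_program:-/usr/local/sbin/krb5kdc}"; }
kdc_pidfile_resolved()  { printf '%s\n' "${kdc_pidfile:-/var/run/krb5kdc.pid}"; }
kdc_procname_resolved() { printf '%s\n' "${kdc_procname:-/usr/local/sbin/krb5kdc}"; }

# Build the argument list krb5kdc is started with. MIT krb5kdc writes a pid
# file only when given -P (there is no kdc.conf knob for it), so add -P for
# the resolved pidfile unless the administrator already passed one in kdc_args.
kdc_command_args() {
    _pidfile=$(kdc_pidfile_resolved)
    case " ${kdc_args:-} " in
        *" -P "*) _args=${kdc_args} ;;
        *)        _args="-P ${_pidfile}${kdc_args:+ ${kdc_args}}" ;;
    esac
    printf '%s\n' "$_args"
}

# Pidfile-based status check, the piece a configuration-management run needs
# to be right before it decides whether to (re)start the service.
# Exit status: 0 = recorded pid is alive, 1 = pidfile present but stale
# (dead pid or garbage), 2 = no pidfile. kill -0 also fails with EPERM on
# another user's process; rc.d scripts run as root, so that does not bite here.
kdc_status() {
    _pf=${1:-$(kdc_pidfile_resolved)}
    [ -r "$_pf" ] || return 2
    read -r _pid < "$_pf" || return 1
    case $_pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$_pid" 2>/dev/null || return 1
    return 0
}

# Stand-alone demonstration with the rc.conf values from the thread
# (constructed run, no real KDC involved): KDC_DEMO=1 sh thisfile.sh
if [ "${KDC_DEMO:-}" = 1 ]; then
    kdc_program=/usr/local/sbin/kdc
    kdc_pidfile=/var/run/krb5kdc.pid
    kdc_args="-P /var/run/krb5kdc.pid"
    printf 'command=%s\nprocname=%s\npidfile=%s\ncommand_args=%s\n' \
        "$(kdc_program_resolved)" "$(kdc_procname_resolved)" \
        "$(kdc_pidfile_resolved)" "$(kdc_command_args)"
    if kdc_status; then
        echo "kdc is running as pid $(cat "$kdc_pidfile")."
    else
        echo "kdc is not running."
    fi
fi
```

Inside an actual rc.d/kdc the same resolution collapses to three assignments placed after load_rc_config and before run_rc_command: pidfile=${kdc_pidfile:-/var/run/krb5kdc.pid}, procname=${kdc_procname:-/usr/local/sbin/krb5kdc}, and command_args="-P ${pidfile} ${kdc_args}". With pidfile and procname set, rc.subr's own status and stop handling use them, which is what makes "service kdc status" answer correctly and a Puppet run idempotent.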