Date: Fri, 15 Feb 2019 12:19:48 +0000 From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 235757] security/kstart: rc script starts too early before cleartmp Message-ID: <bug-235757-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D235757 Bug ID: 235757 Summary: security/kstart: rc script starts too early before cleartmp Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Keywords: regression Severity: Affects Only Me Priority: --- Component: Individual Port(s) Assignee: zi@FreeBSD.org Reporter: marin@olivarim.com CC: feld@FreeBSD.org CC: Assignee: zi@FreeBSD.org Flags: maintainer-feedback?(zi@FreeBSD.org) Since resolution of bug #225732, security/kstart rc script is run *before* = the cleartmp script when clear_tmp_enable=3D"YES". Security/kstart uses /tmp as its default directory to store Kerberos creden= tial cache files. When clear_tmp_enable=3D"YES", those files are purged by the cleartmp rc script right after kstart created them. Further services relyin= g on kstart are thus unable to perform Kerberos authentication. The original bug report proposed 2 ways to make security/kstart start earli= er. Proposal 2 was finally implemented. I just tested proposal 1 on 12-STABLE, = and it fixes the issue. Note: the original bug report mentions "other daemons that may need Kerbero= s". It is difficult to test for regressions without a minimal list of dependenc= ies. In my environment, we use security/kstart with net/nss-pam-ldapd-sasl to perform NSS LDAP binds authenticated with GSSAPI. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-235757-7788>