From: bugzilla-noreply@freebsd.org
To: freebsd-doc@FreeBSD.org
Subject: [Bug 205146] [patch] Kerberos section of Handbook is inconsistent with system
Date: Tue, 08 Dec 2015 19:18:10 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=205146

            Bug ID: 205146
           Summary: [patch] Kerberos section of Handbook is inconsistent
                    with system
           Product: Documentation
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Keywords: patch
          Severity: Affects Many People
          Priority: ---
         Component: Documentation
          Assignee: freebsd-doc@FreeBSD.org
          Reporter: kevin@bostoncrypto.com

Created attachment 163997
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=163997&action=edit
Patch for Security Chapter of Handbook

I have found that there are several inconsistencies between the Kerberos
setup instructions of the handbook and the behavior of STABLE and CURRENT,
due to renamed daemons, rc scripts, etc.

Using the rc.conf variables suggested in the Handbook results in the
following warnings:

    /etc/rc.d/kadmind: WARNING: $kadmind5_server_enable is obsolete. Use $kadmind_enable instead.
    /etc/rc.d/kadmind: WARNING: $kerberos5_server_enable is obsolete. Use $kdc_enable instead.

Furthermore, even attempting to start the service with "service kerberos
enable", as suggested in the Handbook, simply fails with

    kerberos does not exist in /etc/rc.d or the local startup directories (/usr/local/etc/rc.d)

I believe Bug ID 204788 also complains of at least some of these problems,
and I am attaching a patch which I believe fixes at least those issues I
mention above.

Furthermore, the man page for rc.conf would also appear to be out of date;
no mention of the "kdc_enable" option is made, even though that would seem
to be the correct way to enable the Heimdal server included in base.
However, while the presence of "kerberos5_server_enable" would seem to be
outdated, according to warnings as quoted above, the variable
"kerberos5_server", which can assign an arbitrary path to a daemon of
choice, might keep the presence of this option relevant. A similar argument
could be made for "kadmind5_server_enable" and "kadmind5_server".

So, while I think "kdc_enable" and "kadmind_enable" should certainly be
added to the man page, I am not sure whether they should replace or merely
augment the current options. I'll be happy to submit a patch if someone can
offer me guidance in this regard.

-- 
You are receiving this mail because:
You are the assignee for the bug.
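
Added example, not part of the bug report or of FreeBSD: a small sh function that rewrites an rc.conf-style file so the two obsolete knobs named in the quoted warnings use their replacement names. The function names and the sample file are hypothetical; only the two old/new pairs come from the warnings above.

```sh
#!/bin/sh
# Added example: rewrite the obsolete Kerberos rc.conf knobs to their new names.
# The old -> new pairs come from the rc.d warnings quoted in the report;
# the function names and the sample file below are hypothetical.

# Print FILE with obsolete knobs renamed. If the new knob is already set,
# the obsolete line is commented out instead of creating a duplicate assignment.
migrate_kerberos_rc() {
    awk '
        BEGIN {
            map["kerberos5_server_enable"] = "kdc_enable"
            map["kadmind5_server_enable"]  = "kadmind_enable"
        }
        # Return the variable assigned on line s, or "" for comments/other lines.
        function varname(s,   eq) {
            sub(/^[ \t]*/, "", s)
            if (s ~ /^#/) return ""
            eq = index(s, "=")
            return eq ? substr(s, 1, eq - 1) : ""
        }
        NR == FNR { seen[varname($0)] = 1; next }   # pass 1: names already set
        {                                           # pass 2: rewrite
            name = varname($0)
            if (!(name in map)) { print; next }
            if (map[name] in seen) {
                print "# obsolete, superseded by " map[name] ": " $0
                next
            }
            sub(name, map[name])
            print
        }
    ' "$1" "$1"
}

# Constructed sample rc.conf (not taken from the report).
sample_rc_conf() {
    cat <<'EOF'
# constructed sample
kerberos5_server_enable="YES"
kadmind5_server_enable="YES"
kadmind_enable="YES"
sshd_enable="YES"
EOF
}

tmp=$(mktemp) && sample_rc_conf > "$tmp" && migrate_kerberos_rc "$tmp"
rm -f "$tmp"
```

The function writes the rewritten file to standard output and leaves the input untouched, so the result can be compared with diff before it replaces the real file.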