Re: Fixing the "kdc" startup file.
Date: Wed, 05 Apr 2023 14:19:58 UTC
> On Apr 5, 2023, at 7:09 AM, Cy Schubert <Cy.Schubert@cschubert.com> wrote:
>
> In message <48fa4fc5-76c0-3cd1-eda6-bc71dbcd4db3@prime.gushi.org>,
> "Dan Mahoney (Gushi)" writes:
>> Hey there all,
>>
>> I'm hitting the issue where we use MIT krb5kdc at work, but the port
>> doesn't provide its own startup file
>>
>> Previously, I'd been told (I think by the maintainer) to just set
>> kdc_program and the like in rc.conf, but that really doesn't solve things:
>> the one in base is sorely lacking (find_proc doesn't work with it, it
>> doesn't restart cleanly, it doesn't give you a way to have krb5kdc specify
>> a pid file).
>>
>> Setting things like:
>>
>> kdc_pidfile=/var/run/krb5kdc.pid
>> kdc_args="-P /var/run/krb5kdc.pid"
>>
>> in rc.conf do nothing because the existing rc.d script doesn't provide a
>> way to override them.
>>
>> For starters: Heimdal has no pidfile support, but it could get one if
>> launched under daemon(1) -- heimdal doesn't even detach by default -- the
>> rc.d file sets --detach. MIT only creates one if you specify -P, and
>> there's no corresponding kdc.conf knob.
>>
>> While we're at it,
>>
>> ====
>>
>> There's this very old bug that references this, last touched in 2020,
>> closed unsuccessful. I want to fix it.
>>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=197337
>
> IIRC the resolution of this bug was to install the rc files.
>
> Plans are in the works to replace Heimdal in base with MIT (through a
> staged approach). Any new rc scripts will serve to further confuse an
> already confusing (for users) situation.
>
> A possible interim measure might be new port/package which simply provides
> generic rc scripts for MIT, which could be extended when MIT replaces
> heimdal in base.
>
>>
>> ====
>>
>> I've written a number of startup files for our own services at work (we
>> use puppet, so it relies on the built-in BSD framework to start, stop, and
>> refresh services cleanly).
>>
>> If I supplied startup files for mitkdc, mitkadmin, mitkpropd, would they
>> be useful?
>
> We already have one.
>
> Historically kpropd has been run from inetd. There is a daemon mode but
> IMO running it through inetd takes fewer resources.
>
> There is also a kdc shell script to be used as a drop-in replacement for
> heimdal's kdc, accepting the same arguments.
>
>>
>> I'll note, this is not an "urgent" thing. I'm planning to be at BSDCan.
>> If others want to meet me there and hack on this, I'm a chunky guy with
>> blue hair and am hard to miss.
>
> I have no plans to go to BSDCan this year. Maybe next year.
>
>>
>> -Dan
>>
>> --
>>
>> --------Dan Mahoney--------
>> Techie, Sysadmin, WebGeek
>> Gushi on efnet/undernet IRC
>> FB: fb.com/DanielMahoneyIV
>> LI: linkedin.com/in/gushi
>> Site: http://www.gushi.org
>> ---------------------------
>
> Can you post the relevant lines in your rc.conf, please.
The standard ones:
kdc_enable="YES"
kdc_program="/usr/local/sbin/kdc"
## these don't do anything useful
kdc_pidfile=/var/run/krb5kdc.pid
kdc_args="-P /var/run/krb5kdc.pid"
kdc_procname="krb5kdc"
root@k1:/etc/rc.d # service kdc status
kdc is not running.
root@k1:/etc/rc.d # ps auxwww|grep kdc
root 60106 0.0 0.1 17960 8484 - Is 14:06 0:00.08 /usr/local/sbin/krb5kdc
root 60214 0.0 0.0 11288 2596 0 S+ 14:14 0:00.00 grep kdc
Note that, even without pid file support, adding this to rc.d/kdc at least gives you a useful “status” command:
procname=${kdc_procname:-/usr/local/sbin/krb5kdc}
root@k1:/etc/rc.d # service kdc status
kdc is running as pid 60106.
Which, when we need puppet runs to be idempotent, matters.
-Dan
>
>
> --
> Cheers,
> Cy Schubert <Cy.Schubert@cschubert.com>
> FreeBSD UNIX: <cy@FreeBSD.org> Web: https://FreeBSD.org
> NTP: <cy@nwtime.org> Web: https://nwtime.org
>
> e^(i*pi)+1=0
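For readers who want to see what the thread is asking for in concrete form, here is an added example (written for this archive page, not the port's, base's, or either poster's file) of an rc.d script for MIT krb5kdc that hands rc.subr a pidfile and a procname, so "service ... status" and "stop" find the right process. The knob names (mitkdc_enable, mitkdc_program, mitkdc_pidfile, mitkdc_procname, mitkdc_flags) and the helper functions are this example's own choices, not anything the port defines. The process-lookup helper at the bottom is a deliberately simplified stand-in for rc.subr's check_process, run over a constructed copy of the ps output quoted above, to show why a kdc_program pointing at a wrapper script makes "status" report "not running" while krb5kdc is clearly up.

```shell
#!/bin/sh
# Added example: rc.d script for MIT krb5kdc with pidfile + procname support.
# Not the port's or base system's own file; variable names are assumptions.
#
# PROVIDE: mitkdc
# REQUIRE: NETWORKING
# KEYWORD: shutdown
#
# rc.conf knobs (assumed names for this example):
#   mitkdc_enable="YES"
#   mitkdc_program="/usr/local/sbin/krb5kdc"   # the daemon itself, not a wrapper
#   mitkdc_pidfile="/var/run/krb5kdc.pid"
#   mitkdc_flags=""                             # appended by run_rc_command

name="mitkdc"
rcvar="mitkdc_enable"
desc="MIT Kerberos KDC"

# Apply defaults (called after rc.conf has been loaded) and fill in the
# variables run_rc_command consumes: command, command_args, pidfile, procname.
mitkdc_setup() {
    : ${mitkdc_enable:="NO"}
    : ${mitkdc_program:="/usr/local/sbin/krb5kdc"}
    : ${mitkdc_pidfile:="/var/run/krb5kdc.pid"}
    command="${mitkdc_program}"
    pidfile="${mitkdc_pidfile}"
    # check_process searches the process table for procname; default it to
    # the binary that will actually appear in ps, not the script that ran it.
    procname="${mitkdc_procname:-${command}}"
    # MIT krb5kdc only writes a pid file when told to with -P, and there is
    # no kdc.conf setting for it, so the rc script has to pass the flag.
    command_args="-P ${pidfile}"
}

# The command line in the order run_rc_command assembles it:
# command, then ${name}_flags, then command_args.
mitkdc_cmdline() {
    mitkdc_setup
    echo ${command} ${mitkdc_flags} ${command_args}
}

# Simplified stand-in for rc.subr's check_process: read "pid command ..."
# lines (as from "ps -axo pid,command") on stdin and print the pids whose
# command word matches $1 by full path or basename.
mitkdc_find_pids() {
    _want="$1"
    _base="${_want##*/}"
    while read -r _pid _cmd _rest; do
        case "${_cmd}" in
        "${_want}"|"${_base}"|*/"${_base}") echo "${_pid}" ;;
        esac
    done
}

# Constructed sample of "ps -axo pid,command" output, modelled on the
# listing quoted in the thread (a running krb5kdc plus the grep itself).
MITKDC_SAMPLE_PS="60106 /usr/local/sbin/krb5kdc -P /var/run/krb5kdc.pid
60214 grep kdc"

# Convenience wrapper: pids from the sample for a given procname.
mitkdc_sample_status() {
    printf '%s\n' "${MITKDC_SAMPLE_PS}" | mitkdc_find_pids "$1"
}

# On FreeBSD, hand control to rc.subr. Elsewhere the functions above are
# merely defined, so the file can be sourced and exercised on its own.
if [ -r /etc/rc.subr ]; then
    . /etc/rc.subr
    load_rc_config "${name}"
    mitkdc_setup
    run_rc_command "$1"
fi
```

With procname defaulting to the daemon path, the lookup finds pid 60106 in the sample listing; asking for a wrapper path such as /usr/local/sbin/kdc finds nothing, which is exactly the "kdc is not running" result shown above. Once the pidfile is in place, rc.subr prefers it over the process-table search, so a restart stops the right pid even if several KDC-related processes are present.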