Bug 205146

Summary: [patch] Kerberos section of Handbook is inconsistent with system
Product: Documentation
Component: Books & Articles
Reporter: Kevin Kammer <kevin>
Assignee: Jason Helfman <jgh>
Status: Closed FIXED
Severity: Affects Many People
Priority: ---
Keywords: patch
CC: bjk, ike, jgh, scott.loga
Version: Latest
Hardware: Any
OS: Any
Attachments: Patch for Security Chapter of Handbook (flags: none)

Description Kevin Kammer 2015-12-08 19:18:10 UTC
Created attachment 163997
Patch for Security Chapter of Handbook

I have found that there are several inconsistencies between the Kerberos
setup instructions of the handbook and the behavior of STABLE and
CURRENT, due to renamed daemons, rc scripts, etc.

Using the rc.conf variables suggested in the Handbook results in the
following warnings:

"/etc/rc.d/kadmind: WARNING: $kadmind5_server_enable is obsolete.  Use
$kadmind_enable instead.
/etc/rc.d/kadmind: WARNING: $kerberos5_server_enable is obsolete.  Use
$kdc_enable instead."

Furthermore, even attempting to start the service with
"service kerberos enable", as suggested in the Handbook, simply fails with
"kerberos does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d)"

I believe Bug ID 204788 also complains of at least some of these
problems, and I am attaching a patch which I believe fixes at least those
issues I mention above.

Furthermore, the man page for rc.conf would also appear to be out of 
date; no mention of the "kdc_enable" option is made, even though that
would seem to be the correct way to enable the Heimdal server included
in base.  However, while the presence of "kerberos5_server_enable" would
seem to be outdated, according to warnings as quoted above, the variable
"kerberos5_server", which can assign an arbitrary path to a daemon of
choice, might keep the presence of this option relevant.  A similar 
argument could be made for "kadmind5_server_enable" and 
"kadmind5_server".

So, while I think "kdc_enable" and "kadmind_enable" should certainly be
added to the man page, I am not sure whether they should replace or
merely augment the current options.  I'll be happy to submit a patch if
someone can offer me guidance in this regard.
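
Added example (not part of the original report, the attached patch, or FreeBSD's own scripts): a small sh/awk check that finds active assignments of the two obsolete variables named in the warnings above and prints the replacement for each. The function name audit_kerberos_rc and the sample file contents are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Flag the obsolete Kerberos rc.conf variables named in the rc.d warnings
# and show the replacement variable with the value the admin already set.
# Usage on a real system (path is the caller's choice): audit_kerberos_rc /etc/rc.conf

# Constructed sample rc.conf content (not taken from a real host).
sample_rc_conf() {
    cat <<'EOF'
hostname="kdc.example.org"
kerberos5_server_enable="YES"
# kadmind5_server_enable="YES"   (commented out, must be ignored)
  kadmind5_server_enable=YES
kdc_enable="YES"
EOF
}

# audit_kerberos_rc FILE
# Prints one "FILE:LINE: old is obsolete, use new=value" line per finding.
# Returns 0 if the file is clean, 1 if obsolete variables are set,
# 2 if the file cannot be read.
audit_kerberos_rc() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk -v f="$file" '
        BEGIN {
            # old name -> new name, exactly as given in the warnings
            map["kerberos5_server_enable"] = "kdc_enable"
            map["kadmind5_server_enable"]  = "kadmind_enable"
        }
        /^[ \t]*#/ { next }              # commented-out settings are inactive
        {
            line = $0
            sub(/^[ \t]+/, "", line)     # rc.conf is sh syntax; indentation is legal
            eq = index(line, "=")
            if (eq == 0) next
            name = substr(line, 1, eq - 1)
            if (name in map) {
                printf "%s:%d: %s is obsolete, use %s%s\n", \
                    f, NR, name, map[name], substr(line, eq)
                found = 1
            }
        }
        END { exit found ? 1 : 0 }
    ' "$file"
}
```
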
Comment 1 Benjamin Kaduk freebsd_committer freebsd_triage 2015-12-09 02:34:08 UTC
(In reply to Kevin Kammer from comment #0)

The Handbook attempts to document all supported versions of FreeBSD, and for quite some time after the addition of the kdc_enable and kadmind_enable settings in rc.conf on HEAD, they were not available in the 8.x series which remained in support.  Since the old forms still worked, I ended up not updating the handbook the last time I looked at this issue, since crafting text to cover different behavior on different versions is difficult and can be confusing to the reader.  I think at this point, though, all supported versions can use the new syntax, so we should go ahead with this change; thanks for putting together the patch.

With respect to the manual page, please feel free to compose a patch that uses {kdc,kadmind}_enable to replace the previous versions.  If you do, it should probably go in a separate bug entry.
Comment 2 Kevin Kammer 2015-12-09 20:57:48 UTC
Thank you BJK for examining this issue.

I have added Bug 205168 with a patch for the rc.conf(5) man page.  After looking at the rc.d scripts more carefully, I ended up finding the updated options to add custom paths to daemons (obsoleting kerberos5_server, kadmind5_server, etc) and included them as well.
Comment 3 Jason Helfman freebsd_committer freebsd_triage 2016-02-25 01:08:30 UTC
*** Bug 204788 has been marked as a duplicate of this bug. ***
Comment 4 commit-hook freebsd_committer freebsd_triage 2016-02-26 16:37:26 UTC
A commit references this bug:

Author: jgh
Date: Fri Feb 26 16:37:13 UTC 2016
New revision: 48264
URL: https://svnweb.freebsd.org/changeset/doc/48264

Log:
  - update Kerberos commands

  PR:		205146
  Submitted by:	kevin@bostoncrypto.com
  Approved by:	wblock (mentor)
  Differential Revision:	https://reviews.freebsd.org/D5432

Changes:
  head/en_US.ISO8859-1/books/handbook/security/chapter.xml
Comment 5 Jason Helfman freebsd_committer freebsd_triage 2016-02-26 16:37:42 UTC
Thanks for the report! I've just committed this.
Comment 6 Benedict Reuschling freebsd_committer freebsd_triage 2016-04-23 13:27:14 UTC
*** Bug 205261 has been marked as a duplicate of this bug. ***