Bug 207670

Summary: security/krb5: [patch] should include startup scripts
Product: Ports & Packages
Reporter: david
Component: Individual Port(s)
Assignee: Cy Schubert <cy>
Status: Open
Severity: Affects Some People
CC: w.schwarzenfeld
Priority: ---
Keywords: patch
Version: Latest
Flags: bugzilla: maintainer-feedback? (cy)
Hardware: Any
OS: Any
Attachments: Patch (flags: none)

Description david 2016-03-03 05:18:39 UTC
Created attachment 167671

The MIT Kerberos ports should include startup scripts; the base system scripts aren't installed if you specify src.conf options to not install base Heimdal (why would you if you were installing MIT krb5? It confuses things). Additionally the startups are different, and while you can abuse many of the startup flags/commands to achieve the desired results, some features like pidfiles are missing and very valuable to have.

Included is a rough patch; it meets my needs.
Comment 1 Cy Schubert freebsd_committer 2016-03-03 06:18:23 UTC
You need more than just a kdc. You'll need something similar to this:

# Start the KDC for the default realm and report the result.
/usr/local/sbin/krb5kdc && echo -n ' krb5kdc' || {
        echo 'krb5kdc failed to start'
}
# A second KDC for another realm on its own port (left commented out as posted).
# /usr/local/sbin/krb5kdc -p 7111 -r REDACTED && echo -n ' RED_krb5kdc'
# Then the admin server.
echo -n ' kadmind'; /usr/local/sbin/kadmind

Also it's possible to run more than one kdc on a single server (see example above), if that server is serving two or more realms. You could do that through a for loop.

Additionally, when running a slave, the following is needed.

krb5_prop stream tcp46	nowait	root	/usr/local/sbin/kpropd	kpropd

Then propagate using this for each kdc.

#!/bin/sh
# Usage: propagate SLAVE...  Dump the KDC database and push it to each slave.
if [ $# -lt 1 ]; then
	exit 0
fi

/usr/local/sbin/kdb5_util dump /var/run/slave_dump
for SLAVE in "$@"; do
	/usr/local/sbin/kprop -f /var/run/slave_dump "$SLAVE"
done
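The "one krb5kdc per realm, driven by a for loop" idea from the comment above, as an added example that is not part of the bug report, the patch or the krb5 port: each realm gets its own -r, -p and pidfile (krb5kdc's -P option), so a supervisor can stop or check each KDC separately. The krb5kdc_realms "REALM[:PORT]" list, the kdc_cmdline/kdc_commands names and the /var/run/krb5kdc.<REALM>.pid path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or the port): build one krb5kdc
# command line per configured realm, each with its own port and pidfile.

krb5kdc_bin="/usr/local/sbin/krb5kdc"
pidfile_dir="/var/run"
# Constructed sample configuration: space-separated "REALM[:PORT]" entries.
krb5kdc_realms="EXAMPLE.COM OTHER.ORG:7111"

# kdc_cmdline REALM[:PORT]
# Prints the command that starts the KDC for that realm; port defaults to 88.
# Returns 1 (and prints nothing) when the port is not a number.
kdc_cmdline() {
    entry="$1"
    realm="${entry%%:*}"
    port="${entry#*:}"
    [ "$port" = "$entry" ] && port=88          # no ":PORT" suffix given
    case "$port" in
        ''|*[!0-9]*)
            echo "kdc_cmdline: bad port in '$entry'" >&2
            return 1 ;;
    esac
    # -P writes the pidfile, -r selects the realm, -p the listening port
    # (all three are real krb5kdc options); the pidfile path is assumed.
    printf '%s -P %s/krb5kdc.%s.pid -r %s -p %s\n' \
        "$krb5kdc_bin" "$pidfile_dir" "$realm" "$realm" "$port"
}

# kdc_commands
# Prints one start command per entry in $krb5kdc_realms (the for loop the
# comment suggests). Returns 1 if any entry was rejected, so an rc script
# can refuse to start with a half-valid configuration.
kdc_commands() {
    rc=0
    for entry in $krb5kdc_realms; do
        kdc_cmdline "$entry" || rc=1
    done
    return $rc
}

# To actually start the KDCs, run each printed line (krb5kdc daemonizes):
#   kdc_commands | while read -r cmd; do $cmd; done
```

Checking the pidfile written by -P (rather than grepping the process table) is what lets one realm's KDC be restarted without touching the others.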
Comment 2 Cy Schubert freebsd_committer 2016-03-03 14:44:06 UTC
Something I've considered many times is to install the base rc scripts regardless if base Heimdal is installed. It's not on the top of my list at the moment.
Comment 3 david 2016-03-03 15:43:32 UTC
Yeah, I've run a realm for many decades at this point; I'm just in the process of late of doing it a bit more formally and pushing my one-offs and hand modifications upstream to be of use to more people, and get mainlined so I am not constantly redoing things.

I think the port should maintain its own set of startup scripts, like openssh does, because they are actually separate implementations and have different feature sets. If base openssh vs ports openssh have their own (being actually the same implementation), these should definitely remain separate IMO.
Comment 4 Walter Schwarzenfeld freebsd_triage 2018-02-07 14:36:50 UTC
Is this still relevant?
Comment 5 david 2018-03-20 04:38:00 UTC
Yes, I still maintain this independently; you cannot run a MIT kdc from the MIT krb5 port (I have updated scripts I can attach which allow running multiple krb5 realms concurrently on a machine (I do this)).