|Summary:||security/krb5: "krb5kdc: cannot initialize realm <REALM>" on boot with local LDAP|
|Product:||Ports & Packages||Reporter:||John W. O'Brien <john>|
|Component:||Individual Port(s)||Assignee:||Cy Schubert <cy>|
|Severity:||Affects Only Me||CC:||cy, delphij, john|
Description John W. O'Brien 2018-07-21 22:26:54 UTC
Synopsis
========
When security/krb5 (-115, in my case) is built with the LDAP option, and then configured to use a local LDAP server, the krb5kdc daemon fails to start on boot with "cannot initialize realm EXAMPLE.COM - see log file for details" because slapd is not yet running.

Expected behavior
=================
On boot, slapd and kdc both start successfully in that order.

Observed behavior
=================
On boot, kdc tries to start first and fails, and later slapd starts successfully. After boot, an attempt to start kdc succeeds.

Reproducible
============
Always.

$ rcorder /etc/rc.d/* /usr/local/etc/rc.d/* 2>/dev/null | egrep "kdc|slapd"
/etc/rc.d/kdc
/usr/local/etc/rc.d/slapd
Comment 1 John W. O'Brien 2018-07-21 22:30:53 UTC
Adding net/openldap24-server maintainer to CC for situational awareness.
Comment 2 Cy Schubert 2018-07-21 22:44:20 UTC
Put kdc in the BEFORE line of /usr/local/etc/rc.d/slapd.
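A way to check the ordering discussed in this report, as an added example that is not part of the original thread or of the port itself. The function names `declares_before` and `starts_before` are hypothetical, and the sample `rcorder` output is constructed from the two paths shown in the description.

```sh
#!/bin/sh
# Added example: verify rc.d start order between slapd and kdc.

# declares_before SCRIPT NAME
# Succeeds if SCRIPT has a "# BEFORE:" header line that lists NAME.
declares_before() {
    awk -v want="$2" '
        /^#[ \t]*BEFORE:/ {
            sub(/^#[ \t]*BEFORE:/, "")
            n = split($0, names)              # whitespace-separated names
            for (i = 1; i <= n; i++) if (names[i] == want) found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# starts_before FIRST SECOND
# Reads rcorder output (one script path per line) on stdin. Succeeds only if
# both scripts are listed and FIRST is on an earlier line than SECOND.
starts_before() {
    awk -v first="$1" -v second="$2" '
        { n = split($0, parts, "/"); name = parts[n] }
        name == first  && !a { a = NR }
        name == second && !b { b = NR }
        END { exit ((a && b && a < b) ? 0 : 1) }
    '
}

# Constructed sample input: the order reported in the bug, then the desired order.
broken='/etc/rc.d/kdc
/usr/local/etc/rc.d/slapd'
fixed='/usr/local/etc/rc.d/slapd
/etc/rc.d/kdc'

printf '%s\n' "$broken" | starts_before slapd kdc ||
    echo "reported order: kdc is started before slapd"
printf '%s\n' "$fixed" | starts_before slapd kdc &&
    echo "desired order: slapd is started before kdc"

# On a live host (not run here):
#   declares_before /usr/local/etc/rc.d/slapd kdc
#   rcorder /etc/rc.d/* /usr/local/etc/rc.d/* 2>/dev/null | starts_before slapd kdc
```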
Comment 3 Cy Schubert 2018-07-21 23:08:28 UTC
Created attachment 195349: openldap24-server fix

This patch ensures that slapd is started before kdc.
Comment 4 John W. O'Brien 2018-08-05 17:18:06 UTC
Two weeks have elapsed since attachment 195349 was proposed. However, the patch was not marked as needing maintainer approval, so I'm not sure what the protocol here is for maintainer timeout. In any case, I'm going to try to set the flag and let cy@ and delphij@ work it out.
Comment 5 Cy Schubert 2018-08-06 05:17:08 UTC
I'll create a phab revision.
Comment 6 Cy Schubert 2018-08-06 05:18:30 UTC
BTW, did you test the patch?
Comment 8 John W. O'Brien 2018-08-06 11:48:04 UTC
(In reply to Cy Schubert from comment #6) I did. It works.
Comment 9 commit-hook 2018-08-10 02:57:56 UTC
A commit references this bug:

Author: cy
Date: Fri Aug 10 02:57:05 UTC 2018
New revision: 476803
URL: https://svnweb.freebsd.org/changeset/ports/476803

Log:
  Ensure that slapd starts before kdc, as the kdc may be configured to require LDAP services. If it is configured to require LDAP and the slapd server is not yet started, the kdc will fail to start.

  PR: 229939
  Approved by: delphij@ (maintainer)
  MFH: 2018Q3
  Differential Revision: https://reviews.freebsd.org/D16602

Changes:
  head/net/openldap24-server/Makefile
  head/net/openldap24-server/files/slapd.in
Comment 10 commit-hook 2018-08-14 12:43:10 UTC
A commit references this bug:

Author: cy
Date: Tue Aug 14 12:42:43 UTC 2018
New revision: 477150
URL: https://svnweb.freebsd.org/changeset/ports/477150

Log:
  MFH: r476803

  Ensure that slapd starts before kdc, as the kdc may be configured to require LDAP services. If it is configured to require LDAP and the slapd server is not yet started, the kdc will fail to start.

  PR: 229939
  Approved by: delphij@ (maintainer)
  Differential Revision: https://reviews.freebsd.org/D16602

  Approved by: portmgr (miwi@)

Changes:
  _U branches/2018Q3/
  branches/2018Q3/net/openldap24-server/Makefile
  branches/2018Q3/net/openldap24-server/files/slapd.in