Created attachment 163997
Patch for Security Chapter of Handbook

I have found that there are several inconsistencies between the Kerberos setup instructions of the handbook and the behavior of STABLE and CURRENT, due to renamed daemons, rc scripts, etc. Using the rc.conf variables suggested in the Handbook results in the following warnings:

"/etc/rc.d/kadmind: WARNING: $kadmind5_server_enable is obsolete. Use $kadmind_enable instead.
/etc/rc.d/kadmind: WARNING: $kerberos5_server_enable is obsolete. Use $kdc_enable instead."

Furthermore, even attempting to start the service with "service kerberos enable", as suggested in the Handbook, simply fails with "kerberos does not exist in /etc/rc.d or the local startup directories (/usr/local/etc/rc.d)".

I believe Bug ID 204788 also complains of at least some of these problems, and I am attaching a patch which I believe fixes at least those issues I mention above.

Furthermore, the man page for rc.conf would also appear to be out of date; no mention of the "kdc_enable" option is made, even though that would seem to be the correct way to enable the Heimdal server included in base. However, while the presence of "kerberos5_server_enable" would seem to be outdated, according to warnings as quoted above, the variable "kerberos5_server", which can assign an arbitrary path to a daemon of choice, might keep the presence of this option relevant. A similar argument could be made for "kadmind5_server_enable" and "kadmind5_server".

So, while I think "kdc_enable" and "kadmind_enable" should certainly be added to the man page, I am not sure whether they should replace or merely augment the current options. I'll be happy to submit a patch if someone can offer me guidance in this regard.
(In reply to Kevin Kammer from comment #0)

The Handbook attempts to document all supported versions of FreeBSD, and for quite some time after the addition of the kdc_enable and kadmind_enable settings in rc.conf on HEAD, they were not available in the 8.x series which remained in support. Since the old forms still worked, I ended up not updating the handbook the last time I looked at this issue, since crafting text to cover different behavior on different versions is difficult and can be confusing to the reader. I think at this point, though, all supported versions can use the new syntax, so we should go ahead with this change; thanks for putting together the patch.

With respect to the manual page, please feel free to compose a patch that uses {kdc,kadmind}_enable to replace the previous versions. If you do, it should probably go in a separate bug entry.
Thank you BJK for examining this issue. I have added Bug 205168 with a patch for the rc.conf(5) man page. After looking at the rc.d scripts more carefully, I ended up finding the updated options to add custom paths to daemons (obsoleting kerberos5_server, kadmind5_server, etc) and included them as well.
*** Bug 204788 has been marked as a duplicate of this bug. ***
A commit references this bug:

Author: jgh
Date: Fri Feb 26 16:37:13 UTC 2016
New revision: 48264
URL: https://svnweb.freebsd.org/changeset/doc/48264

Log:
  - update Kerberos commands

  PR: 205146
  Submitted by: kevin@bostoncrypto.com
  Approved by: wblock (mentor)
  Differential Revision: https://reviews.freebsd.org/D5432

Changes:
  head/en_US.ISO8859-1/books/handbook/security/chapter.xml
Thanks for the report! I've just committed this.
*** Bug 205261 has been marked as a duplicate of this bug. ***
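
An added example, not part of the bug report or the committed patch: a small audit that scans an rc.conf-style file for the two obsolete Kerberos variables named in the warnings quoted in comment #0 and reports the replacement or a conflict with the new name. The function names `rc_value` and `audit_krb_rc` and the sample file are constructed for illustration; only the two renames shown in the thread are covered.

```sh
#!/bin/sh
# Added example: audit rc.conf-style files for obsolete Kerberos knobs.
# Old:new pairs come from the rc.d warnings quoted in the report.
KRB_RENAMES="kerberos5_server_enable:kdc_enable kadmind5_server_enable:kadmind_enable"

# Print the value assigned to variable $2 in file $1.
# Commented-out lines are ignored, quotes are stripped, last assignment wins.
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" |
        tail -n 1
}

# Report obsolete variables in file $1; return 1 if any are still set.
audit_krb_rc() {
    file=$1
    found=0
    for pair in $KRB_RENAMES; do
        old=${pair%%:*}
        new=${pair##*:}
        old_val=$(rc_value "$file" "$old")
        new_val=$(rc_value "$file" "$new")
        [ -n "$old_val" ] || continue
        found=1
        if [ -z "$new_val" ]; then
            echo "$file: $old is obsolete; use $new=\"$old_val\""
        elif [ "$new_val" != "$old_val" ]; then
            echo "$file: $old=\"$old_val\" conflicts with $new=\"$new_val\""
        else
            echo "$file: $old duplicates $new; remove the obsolete line"
        fi
    done
    return $found
}

# Constructed sample rc.conf (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#kerberos5_server_enable="NO"
kerberos5_server_enable="YES"
kadmind5_server_enable="YES"
kadmind_enable="NO"
EOF
audit_krb_rc "$sample" || echo "obsolete Kerberos rc.conf variables found"
rm -f "$sample"
```

The conflict case matters on a KDC host: the old and new names disagreeing means the admin's intent for the daemon is ambiguous until the obsolete line is removed.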