Bug 207670 - security/krb5: [patch] should include startup scripts
Status: Open
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Some People
Assignee: Cy Schubert
Keywords: patch
Depends on:
Reported: 2016-03-03 05:18 UTC by david
Modified: 2018-03-20 04:38 UTC

See Also:
bugzilla: maintainer-feedback? (cy)

Patch (1.46 KB, patch)
2016-03-03 05:18 UTC, david

Description david 2016-03-03 05:18:39 UTC
Created attachment 167671 [details]

The MIT Kerberos ports should include startup scripts; the base system scripts aren't installed if you specify src.conf options to not install base heimdal (why would you if you were installing MIT kerb5, it confuses things).  Additionally the startups are different, and while you can abuse many of the startup flags/commands to achieve the desired results some features like pidfiles are missing and very valuable to have.

Included is a rough patch, it meets my needs,
Comment 1 Cy Schubert freebsd_committer 2016-03-03 06:18:23 UTC
You need more than just a kdc. You'll need something similar to this:

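# Start the default-realm KDC and report the result on the boot console.
/usr/local/sbin/krb5kdc && echo -n ' krb5kdc' || {
        echo 'krb5kdc failed to start'
}
# Second KDC for another realm on its own port (disabled here).
# /usr/local/sbin/krb5kdc -p 7111 -r REDACTED && echo -n ' RED_krb5kdc'
echo -n ' kadmind';     /usr/local/sbin/kadmind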

Also it's possible to run more than one kdc on a single server (see example above), if that server is serving two or more realms. You could do that through a for loop.

Additionally, when running a slave the following is needed.

krb5_prop stream tcp46	nowait	root	/usr/local/sbin/kpropd	kpropd

Then propagate using this for each kdc.

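# Nothing to do when no slave hostnames are given.
if [ $# -lt 1 ]; then
	exit 0
fi

# Dump the database once, then push the same dump to every slave.
/usr/local/sbin/kdb5_util dump /var/run/slave_dump
for SLAVE in "$@"; do
	/usr/local/sbin/kprop -f /var/run/slave_dump "$SLAVE"
done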
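
Added example, not part of the thread, the attached patch or the port: a sketch of the per-realm for loop suggested in comment 1, giving each krb5kdc its own port and pidfile. The REALM:port argument format, the function names and the KDC_BIN, KDC_PIDDIR and KDC_DRYRUN variables are assumptions; -r, -p and -P are krb5kdc's realm, port and pidfile options.

```shell
#!/bin/sh
# Added example (assumed names): one krb5kdc per realm, each with its own pidfile.
# Usage: start_kdcs EXAMPLE.ORG:88 LAB.EXAMPLE.ORG:7111
KDC_BIN=${KDC_BIN:-/usr/local/sbin/krb5kdc}
KDC_PIDDIR=${KDC_PIDDIR:-/var/run}

# kdc_cmd REALM:PORT -> prints the krb5kdc command line for that realm,
# or returns 1 if the spec is malformed.
kdc_cmd() {
	case $1 in *:*) ;; *) return 1 ;; esac
	realm=${1%%:*}
	port=${1##*:}
	# The realm ends up in a pidfile name: allow letters, digits, dot, dash only.
	case $realm in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
	case $port in ''|*[!0-9]*) return 1 ;; esac
	[ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
	echo "$KDC_BIN -r $realm -p $port -P $KDC_PIDDIR/krb5kdc.$realm.pid"
}

# start_kdcs SPEC... -> starts (or, with KDC_DRYRUN set, prints) one KDC per spec.
# Returns non-zero if any spec was rejected or any KDC failed to start.
start_kdcs() {
	rc=0
	for spec in "$@"; do
		if ! cmd=$(kdc_cmd "$spec"); then
			echo "bad realm spec: $spec" >&2
			rc=1
			continue
		fi
		if [ -n "$KDC_DRYRUN" ]; then
			echo "$cmd"
		elif $cmd; then
			echo -n " krb5kdc($realm)"
		else
			echo "krb5kdc failed to start for $spec" >&2
			rc=1
		fi
	done
	return $rc
}
```
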
Comment 2 Cy Schubert freebsd_committer 2016-03-03 14:44:06 UTC
Something I've considered many times is to install the base rc scripts regardless if base Heimdal is installed. It's not on the top of my list at the moment.
Comment 3 david 2016-03-03 15:43:32 UTC
Yeah, I've run a realm for many decades at this point; I'm just in the process of late of doing it a bit more formally and pushing my one-offs and hand modifications upstream to be of use to more people, and get mainlined so I am not constantly redoing things.

I think the port should maintain its own set of startup scripts, like openssh does, because they are actually separate implementations and have different feature sets. If base openssh vs ports openssh have their own (being actually the same implementation) these should definitely remain separate IMO.
Comment 4 Walter Schwarzenfeld freebsd_triage 2018-02-07 14:36:50 UTC
Is this still relevant?
Comment 5 david 2018-03-20 04:38:00 UTC
Yes, I still maintain this independently; you cannot run an MIT kdc from the MIT krb5 port (I have updated scripts I can attach which allow running multiple krb5 realms concurrently on a machine (I do this)).