Created attachment 167671: Patch

The MIT Kerberos ports should include startup scripts; the base system scripts aren't installed if you specify src.conf options to not install base Heimdal (why would you if you were installing MIT kerb5, it confuses things). Additionally, the startups are different, and while you can abuse many of the startup flags/commands to achieve the desired results, some features like pidfiles are missing and very valuable to have. Included is a rough patch, it meets my needs,
You need more than just a kdc. You'll need something similar to this:

    # Start the KDC and report the result on the boot console line.
    /usr/local/sbin/krb5kdc && echo -n ' krb5kdc' || {
            echo
            echo 'krb5kdc failed to start'
    }
    # Second KDC for another realm on its own port (disabled here).
    # /usr/local/sbin/krb5kdc -p 7111 -r REDACTED && echo -n ' RED_krb5kdc'
    echo -n ' kadmind'; /usr/local/sbin/kadmind

Also it's possible to run more than one kdc on a single server (see example above), if that server is serving two or more realms. You could do that through a for loop.

Additionally, when running a slave, the following is needed.

    krb5_prop stream tcp46 nowait root /usr/local/sbin/kpropd kpropd

Then propagate using this for each kdc.

    # Nothing to do when no slave hosts are given.
    if [ $# -lt 1 ]
    then
            exit 0
    fi
    # Dump the database once, then push the same dump to every slave.
    /usr/local/sbin/kdb5_util dump /var/run/slave_dump
    for SLAVE in "$@"
    do
            /usr/local/sbin/kprop -f /var/run/slave_dump "$SLAVE"
    done
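A more defensive form of the propagation loop in the comment above, added here as an example and not posted by anyone in this report. It keeps the database dump private, continues past a failed replica, and removes the dump afterwards; `KDB5_UTIL`, `KPROP` and `DUMP_DIR` are hypothetical override variables, and the return codes (0 ok, 1 a `kprop` failed, 2 no dump) are this example's own convention.

```shell
#!/bin/sh
# Added example (not from the bug report). KDB5_UTIL, KPROP and DUMP_DIR are
# hypothetical overrides; the defaults are the paths used in the comment above.
propagate() {
    [ "$#" -ge 1 ] || return 0          # no replicas listed: nothing to do

    kdb5_util=${KDB5_UTIL:-/usr/local/sbin/kdb5_util}
    kprop=${KPROP:-/usr/local/sbin/kprop}

    # The dump contains every principal's key data: keep it out of reach of
    # other local users with a 0700 directory and 0600 files.
    old_umask=$(umask)
    umask 077
    dump_dir=$(mktemp -d "${DUMP_DIR:-/var/run}/kprop.XXXXXX") || {
        umask "$old_umask"
        return 2
    }
    rc=0

    if "$kdb5_util" dump "$dump_dir/slave_dump"; then
        for slave in "$@"; do
            # One unreachable replica must not stop the others from updating.
            if ! "$kprop" -f "$dump_dir/slave_dump" "$slave"; then
                echo "kprop to $slave failed" >&2
                rc=1
            fi
        done
    else
        echo "kdb5_util dump failed; nothing propagated" >&2
        rc=2
    fi

    rm -rf "$dump_dir"                  # never leave the dump on disk
    umask "$old_umask"
    return "$rc"
}

propagate "$@"
```

Run it with the replica host names as arguments, for example from cron on the master KDC.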
Something I've considered many times is to install the base rc scripts regardless if base Heimdal is installed. It's not on the top of my list at the moment.
Yeah, I've run a realm for many decades at this point; I'm just in the process of late of doing it a bit more formally and pushing my one-offs and hand modifications upstream to be of use to more people, and get mainlined so I am not constantly redoing things. I think the port should maintain its own set of startup scripts, like openssh does, because they are actually separate implementations and have different feature sets. If base openssh vs ports openssh have their own (being actually the same implementation) these should definitely remain separate IMO.
Is this still relevant?
Yes, I still maintain this independently; you cannot run a MIT KDC from the MIT krb5 port (I have updated scripts I can attach which allow running multiple krb5 realms concurrently on a machine; I do this).