Bug 229939 - security/krb5: "krb5kdc: cannot initialize realm <REALM>" on boot with local LDAP
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any
OS: Any
Importance: --- Affects Only Me
Assignee: Xin LI
Reported: 2018-07-21 22:26 UTC by John W. O'Brien
Modified: 2018-08-14 12:43 UTC (History)
CC: 3 users

Flags: cy: maintainer-feedback?


Attachments
openldap24-server fix (822 bytes, patch)
2018-07-21 23:08 UTC, Cy Schubert
no flags

Description John W. O'Brien 2018-07-21 22:26:54 UTC
Synopsis
========

When security/krb5 (-115, in my case) is built with the LDAP option, and then configured to use a local LDAP server, the krb5kdc daemon fails to start on boot with "cannot initialize realm EXAMPLE.COM - see log file for details" because slapd is not yet running.

Expected behavior
=================

On boot, slapd and kdc both start successfully in that order.

Observed behavior
=================

On boot, kdc tries to start first and fails, and later slapd starts successfully. After boot, an attempt to start kdc succeeds.

Reproducible
============

Always.

$ rcorder /etc/rc.d/* /usr/local/etc/rc.d/* 2>/dev/null | egrep "kdc|slapd"
/etc/rc.d/kdc
/usr/local/etc/rc.d/slapd
Comment 1 John W. O'Brien 2018-07-21 22:30:53 UTC
Adding net/openldap24-server maintainer to CC for situational awareness.
Comment 2 Cy Schubert freebsd_committer 2018-07-21 22:44:20 UTC
Put kdc in the BEFORE line of /usr/local/etc/rc.d/slapd.
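Added example, not part of this bug report or of the port's own rc scripts: a small Python model of how rcorder(8) resolves PROVIDE/REQUIRE/BEFORE headers, run over constructed headers for SERVERS, kdc and slapd. It reproduces the ordering from the description (kdc before slapd, because nothing relates them and /etc/rc.d/* is listed first) and shows how the BEFORE line from comment 2 forces slapd ahead of kdc. The header contents and paths are assumptions for illustration, not the real scripts.

```python
"""Minimal model of rcorder(8) dependency resolution (constructed example)."""
import re
from typing import Dict, List, Tuple

# rcorder reads these keywords from comment lines in each script header.
KEYWORD = re.compile(r"^#\s*(PROVIDE|REQUIRE|BEFORE):\s*(.*)$")

def parse_header(text: str) -> Dict[str, List[str]]:
    """Collect PROVIDE/REQUIRE/BEFORE names from an rc.d script header."""
    out: Dict[str, List[str]] = {"PROVIDE": [], "REQUIRE": [], "BEFORE": []}
    for line in text.splitlines():
        m = KEYWORD.match(line.strip())
        if m:
            out[m.group(1)].extend(m.group(2).split())
    return out

def rcorder(scripts: List[Tuple[str, str]]) -> List[str]:
    """Return script paths in start order; raise on a dependency cycle.

    REQUIRE: x  -> the provider of x must start before this script.
    BEFORE: x   -> this script must start before the provider of x.
    Scripts with no ordering relation keep their argument order, which is
    what puts /etc/rc.d/kdc ahead of /usr/local/etc/rc.d/slapd at boot.
    Names with no provider are skipped in this model.
    """
    headers = {path: parse_header(text) for path, text in scripts}
    provider: Dict[str, str] = {}
    for path, h in headers.items():
        for name in h["PROVIDE"]:
            provider.setdefault(name, path)
    after = {path: set() for path in headers}  # after[p]: must precede p
    for path, h in headers.items():
        for name in h["REQUIRE"]:
            if name in provider:
                after[path].add(provider[name])
        for name in h["BEFORE"]:
            if name in provider:
                after[provider[name]].add(path)
    order: List[str] = []
    pending = [path for path, _ in scripts]
    while pending:
        ready = next((p for p in pending if after[p] <= set(order)), None)
        if ready is None:
            raise ValueError("dependency cycle among: " + ", ".join(pending))
        order.append(ready)
        pending.remove(ready)
    return order

# Constructed headers (assumptions, not the real FreeBSD/port scripts).
SERVERS = "#!/bin/sh\n# PROVIDE: SERVERS\n# REQUIRE: NETWORKING\n"
KDC = "#!/bin/sh\n# PROVIDE: kdc\n# REQUIRE: SERVERS\n"
SLAPD_OLD = "#!/bin/sh\n# PROVIDE: slapd\n# REQUIRE: SERVERS\n"
SLAPD_FIXED = SLAPD_OLD + "# BEFORE: kdc\n"  # the fix from comment 2

def start_order(slapd_header: str) -> List[str]:
    """Order the three scripts as rcorder /etc/rc.d/* /usr/local/etc/rc.d/* would."""
    return rcorder([("/etc/rc.d/SERVERS", SERVERS), ("/etc/rc.d/kdc", KDC),
                    ("/usr/local/etc/rc.d/slapd", slapd_header)])
```

A quick check on a live system is the same `rcorder ... | egrep "kdc|slapd"` pipeline from the description: after the fix, slapd must be printed first.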
Comment 3 Cy Schubert freebsd_committer 2018-07-21 23:08:28 UTC
Created attachment 195349 [details]
openldap24-server fix

This patch ensures that slapd is started before kdc.
Comment 4 John W. O'Brien 2018-08-05 17:18:06 UTC
Two weeks have elapsed since attachment 195349 [details] was proposed. However, the patch was not marked as needing maintainer approval, so I'm not sure what the protocol here is for maintainer timeout. In any case, I'm going to try to set the flag and let cy@ and delphij@ work it out.
Comment 5 Cy Schubert freebsd_committer 2018-08-06 05:17:08 UTC
I'll create a phab revision.
Comment 6 Cy Schubert freebsd_committer 2018-08-06 05:18:30 UTC
BTW, did you test the patch?
Comment 7 Cy Schubert freebsd_committer 2018-08-06 06:31:26 UTC
See https://reviews.freebsd.org/D16602.
Comment 8 John W. O'Brien 2018-08-06 11:48:04 UTC
(In reply to Cy Schubert from comment #6)

I did. It works.
Comment 9 commit-hook freebsd_committer 2018-08-10 02:57:56 UTC
A commit references this bug:

Author: cy
Date: Fri Aug 10 02:57:05 UTC 2018
New revision: 476803
URL: https://svnweb.freebsd.org/changeset/ports/476803

Log:
  Ensure that slapd starts before kdc, as the kdc may be configured to
  require LDAP services. If it is configured to require LDAP and the
  slapd server is not yet started, the kdc will fail to start.

  PR:		229939
  Approved by:	delphij@ (maintainer)
  MFH:		2018Q3
  Differential Revision:	https://reviews.freebsd.org/D16602

Changes:
  head/net/openldap24-server/Makefile
  head/net/openldap24-server/files/slapd.in
Comment 10 commit-hook freebsd_committer 2018-08-14 12:43:10 UTC
A commit references this bug:

Author: cy
Date: Tue Aug 14 12:42:43 UTC 2018
New revision: 477150
URL: https://svnweb.freebsd.org/changeset/ports/477150

Log:
  MFH: r476803

  Ensure that slapd starts before kdc, as the kdc may be configured to
  require LDAP services. If it is configured to require LDAP and the
  slapd server is not yet started, the kdc will fail to start.

  PR:		229939
  Approved by:	delphij@ (maintainer)
  Differential Revision:	https://reviews.freebsd.org/D16602
  Approved by:	portmgr (miwi@)

Changes:
_U  branches/2018Q3/
  branches/2018Q3/net/openldap24-server/Makefile
  branches/2018Q3/net/openldap24-server/files/slapd.in