Bug 235757 - security/kstart: rc script starts too early before cleartmp
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Ryan Steinmetz
Keywords: regression
Depends on:
Reported: 2019-02-15 12:19 UTC by Marin Bernard
Modified: 2019-03-18 02:29 UTC
bugzilla: maintainer-feedback? (zi)
koobs: merge-quarterly?
Description Marin Bernard 2019-02-15 12:19:48 UTC
Since resolution of bug #225732, security/kstart rc script is run *before* the cleartmp script when clear_tmp_enable="YES".

Security/kstart uses /tmp as its default directory to store Kerberos credential cache files. When clear_tmp_enable="YES", those files are purged by the cleartmp rc script right after kstart created them. Further services relying on kstart are thus unable to perform Kerberos authentication.

The original bug report proposed 2 ways to make security/kstart start earlier. Proposal 2 was finally implemented. I just tested proposal 1 on 12-STABLE, and it fixes the issue.

Note: the original bug report mentions "other daemons that may need Kerberos". It is difficult to test for regressions without a minimal list of dependencies. In my environment, we use security/kstart with net/nss-pam-ldapd-sasl to perform NSS LDAP binds authenticated with GSSAPI.
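
One way to check the ordering described above, as an added example that is not part of the original report or of the port: it reads an rcorder(8) listing (one script path per line, in start order) and reports whether kstart is ordered after cleartmp. The script basenames `kstart` and `nslcd` and both sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that one rc script is ordered after another in
# rcorder(8) output. Script names used below are assumptions.

# rc_position NAME: read a listing on stdin and print the 1-based position
# of the first script whose basename is NAME (prints nothing if absent).
rc_position() {
    awk -v want="$1" '
        { n = split($0, parts, "/") }
        parts[n] == want { print NR; exit }
    '
}

# starts_after LISTING EARLIER LATER
# Returns 0 if LATER is ordered after EARLIER, 1 if not, 2 if either is missing.
starts_after() {
    earlier=$(printf '%s\n' "$1" | rc_position "$2")
    later=$(printf '%s\n' "$1" | rc_position "$3")
    if [ -z "$earlier" ] || [ -z "$later" ]; then
        return 2
    fi
    [ "$later" -gt "$earlier" ]
}

# Constructed listings (not captured from a real host).
BROKEN_ORDER='/etc/rc.d/FILESYSTEMS
/usr/local/etc/rc.d/kstart
/etc/rc.d/cleartmp
/usr/local/etc/rc.d/nslcd'

FIXED_ORDER='/etc/rc.d/FILESYSTEMS
/etc/rc.d/cleartmp
/usr/local/etc/rc.d/kstart
/usr/local/etc/rc.d/nslcd'

# On a FreeBSD host, check the live order instead:
#   starts_after "$(rcorder /etc/rc.d/* /usr/local/etc/rc.d/* 2>/dev/null)" cleartmp kstart
for name in BROKEN_ORDER FIXED_ORDER; do
    eval "listing=\$$name"
    if starts_after "$listing" cleartmp kstart; then
        echo "$name: kstart runs after cleartmp, cache files in /tmp survive boot"
    else
        echo "$name: kstart does not run after cleartmp, cache files in /tmp are purged"
    fi
done
```
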
Comment 1 commit-hook freebsd_committer 2019-03-18 02:29:02 UTC
A commit references this bug:

Author: zi
Date: Mon Mar 18 02:28:11 UTC 2019
New revision: 496119
URL: https://svnweb.freebsd.org/changeset/ports/496119

  - Adjust start order in rc script

  PR:		235757
  Submitted by:	Marin Bernard <marin@olivarim.com>