From bdb8c58c53aa3d167eec18e393b2de47d99d634f Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Fri, 7 Feb 2014 16:13:29 -0500
Subject: Move the default directory for OTP sockets to /var/run/krb5kdc

- pull in patch from master to move the default directory which the KDC uses when computing the socket path for a local OTP daemon from the database directory (/var/kerberos/krb5kdc) to the newly-added run directory (/run/krb5kdc), in line with what we're expecting in 1.13 (RT#7859)
- add a tmpfiles.d configuration file to have /run/krb5kdc created at boot-time
- own /var/run/krb5kdc
---
 krb5-krb5kdc.conf | 1 +
 krb5-master-move-otp-sockets.patch | 202 +++++++++++++++++++++++++++++++++++++
 krb5.spec | 29 +++++-
 3 files changed, 231 insertions(+), 1 deletion(-)
 create mode 100644 krb5-krb5kdc.conf
 create mode 100644 krb5-master-move-otp-sockets.patch

diff --git a/krb5-krb5kdc.conf b/krb5-krb5kdc.conf
new file mode 100644
index 0000000..eadeb51
--- /dev/null
+++ b/krb5-krb5kdc.conf
@@ -0,0 +1 @@
+d /var/run/krb5kdc 0755 root root
diff --git a/krb5-master-move-otp-sockets.patch b/krb5-master-move-otp-sockets.patch
new file mode 100644
index 0000000..4f7bdac
--- /dev/null
+++ b/krb5-master-move-otp-sockets.patch
@@ -0,0 +1,202 @@ +Adjusted to apply after the local doublelog patch. + +commit 1e4bdcfed2c7bda94d5c135cc32a5993ca032501 +Author: Nathaniel McCallum +Date: Wed Feb 5 10:59:46 2014 -0500 + + Move OTP sockets to KDC_RUN_DIR + + Some system configurations expect Unix-domain sockets to live under + /run or /var/run, and not other parts of /var where persistent + application state lives. Define a new directory KDC_RUN_DIR using + $runstatedir (new in autoconf 2.70, so fall back to $localstatedir/run + if it's not set) and use that for the default socket path. + + [ghudson@mit.edu: commit message, otp.rst formatting fix] + + ticket: 7859 (new) + +diff --git a/doc/admin/otp.rst b/doc/admin/otp.rst +index 0abd5ff..f12c36d 100644 +--- a/doc/admin/otp.rst ++++ b/doc/admin/otp.rst +@@ -23,7 +23,7 @@ the following format:: + + [otp] + = { +- server = (default: $KDCDIR/.socket) ++ server = (default: see below) + secret = + timeout = (default: 5 [seconds]) + retries = (default: 3) +@@ -33,7 +33,8 @@ the following format:: + If the server field begins with '/', it will be interpreted as a UNIX + socket. Otherwise, it is assumed to be in the format host:port. When + a UNIX domain socket is specified, the secret field is optional and an +-empty secret is used by default. ++empty secret is used by default. If the server field is not ++specified, it defaults to |kdcrundir|\ ``/.socket``. + + When forwarding the request over RADIUS, by default the principal is + used in the User-Name attribute of the RADIUS packet. 
The strip_realm +diff --git a/doc/conf.py b/doc/conf.py +index f015fc8..bc8b2bd 100644 +--- a/doc/conf.py ++++ b/doc/conf.py +@@ -231,6 +231,7 @@ if 'mansubs' in tags: + sbindir = '``@SBINDIR@``' + libdir = '``@LIBDIR@``' + localstatedir = '``@LOCALSTATEDIR@``' ++ runstatedir = '``@RUNSTATEDIR@``' + sysconfdir = '``@SYSCONFDIR@``' + ccache = '``@CCNAME@``' + keytab = '``@KTNAME@``' +@@ -243,6 +244,7 @@ else: + sbindir = ':ref:`SBINDIR `' + libdir = ':ref:`LIBDIR `' + localstatedir = ':ref:`LOCALSTATEDIR `' ++ runstatedir = ':ref:`RUNSTATEDIR `' + sysconfdir = ':ref:`SYSCONFDIR `' + ccache = ':ref:`DEFCCNAME `' + keytab = ':ref:`DEFKTNAME `' +@@ -262,6 +264,7 @@ else: + rst_epilog += '.. |sbindir| replace:: %s\n' % sbindir + rst_epilog += '.. |libdir| replace:: %s\n' % libdir + rst_epilog += '.. |kdcdir| replace:: %s\\ ``/krb5kdc``\n' % localstatedir ++ rst_epilog += '.. |kdcrundir| replace:: %s\\ ``/krb5kdc``\n' % runstatedir + rst_epilog += '.. |sysconfdir| replace:: %s\n' % sysconfdir + rst_epilog += '.. |ccache| replace:: %s\n' % ccache + rst_epilog += '.. 
|keytab| replace:: %s\n' % keytab +diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst +index 89b8f4c..838dabb 100644 +--- a/doc/mitK5defaults.rst ++++ b/doc/mitK5defaults.rst +@@ -17,6 +17,7 @@ KDC config file :ref:`kdc.conf(5)` |kdcdir|\ ``/kdc.conf`` **KRB + KDC database path (DB2) |kdcdir|\ ``/principal`` + Master key :ref:`stash_definition` |kdcdir|\ ``/.k5.``\ *realm* + Admin server ACL file :ref:`kadm5.acl(5)` |kdcdir|\ ``/kadm5.acl`` ++OTP socket directory |kdcrundir| + Plugin base directory |libdir|\ ``/krb5/plugins`` + :ref:`rcache_definition` directory ``/var/tmp`` **KRB5RCACHEDIR** + Master key default enctype |defmkey| +@@ -64,6 +65,7 @@ Description Symbolic name Custom build path Typical + User programs BINDIR ``/usr/local/bin`` ``/usr/bin`` + Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib`` + Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var`` ++Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run`` + Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin`` + Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc`` + Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}`` +diff --git a/src/Makefile.in b/src/Makefile.in +index a8bc990..1725093 100644 +--- a/src/Makefile.in ++++ b/src/Makefile.in +@@ -64,6 +64,7 @@ INSTALLMKDIRS = $(KRB5ROOT) $(KRB5MANROOT) $(KRB5OTHERMKDIRS) \ + $(KRB5_AD_MODULE_DIR) \ + $(KRB5_LIBKRB5_MODULE_DIR) \ + @localstatedir@ @localstatedir@/krb5kdc \ ++ @runstatedir@ @runstatedir@/krb5kdc \ + $(KRB5_INCSUBDIRS) $(datadir) $(EXAMPLEDIR) \ + $(PKGCONFIG_DIR) + +diff --git a/src/configure.in b/src/configure.in +index 2145d54..c2eaf78 100644 +--- a/src/configure.in ++++ b/src/configure.in +@@ -1,5 +1,11 @@ + K5_AC_INIT([aclocal.m4]) + ++# If $runstatedir isn't set by autoconf (<2.70), set it manually. 
++if test x"$runstatedir" == x; then ++ runstatedir=$localstatedir/run ++fi ++AC_SUBST(runstatedir) ++ + CONFIG_RULES + KRB5_VERSION=K5_VERSION + AC_SUBST(KRB5_VERSION) +diff --git a/src/doc/Makefile.in b/src/doc/Makefile.in +index a6bb7c5..b07e16a 100644 +--- a/src/doc/Makefile.in ++++ b/src/doc/Makefile.in +@@ -7,6 +7,7 @@ DOXYGEN=doxygen + + docsrc=$(top_srcdir)/../doc + localstatedir=@localstatedir@ ++runstatedir=@runstatedir@ + sysconfdir=@sysconfdir@ + DEFCCNAME=@DEFCCNAME@ + DEFKTNAME=@DEFKTNAME@ +@@ -113,6 +114,7 @@ paths.py: + echo 'sbindir = "``$(SERVER_BINDIR)``"' >> $@ + echo 'libdir = "``$(KRB5_LIBDIR)``"' >> $@ + echo 'localstatedir = "``$(localstatedir)``"' >> $@ ++ echo 'runstatedir = "``$(runstatedir)``"' >> $@ + echo 'sysconfdir = "``$(sysconfdir)``"' >> $@ + echo 'ccache = "``$(DEFCCNAME)``"' >> $@ + echo 'keytab = "``$(DEFKTNAME)``"' >> $@ +diff --git a/src/include/Makefile.in b/src/include/Makefile.in +index e13042a..f83ff4e 100644 +--- a/src/include/Makefile.in ++++ b/src/include/Makefile.in +@@ -53,6 +53,7 @@ autoconf.stamp: $(srcdir)/autoconf.h.in $(BUILDTOP)/config.status + + SYSCONFDIR = @sysconfdir@ + LOCALSTATEDIR = @localstatedir@ ++RUNSTATEDIR = @runstatedir@ + BINDIR = @bindir@ + SBINDIR = @sbindir@ + LIBDIR = @libdir@ +@@ -66,6 +67,7 @@ PROCESS_REPLACE = -e "s+@KRB5RCTMPDIR+$(KRB5RCTMPDIR)+" \ + -e "s+@MODULEDIR+$(MODULE_DIR)+" \ + -e "s+@GSSMODULEDIR+$(GSS_MODULE_DIR)+" \ + -e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \ ++ -e 's+@RUNSTATEDIR+$(RUNSTATEDIR)+' \ + -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \ + -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \ + -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' \ +diff --git a/src/include/osconf.hin b/src/include/osconf.hin +index 90ab86d..871503a 100644 +--- a/src/include/osconf.hin ++++ b/src/include/osconf.hin +@@ -59,6 +59,7 @@ + #define PLUGIN_EXT "@DYNOBJEXT" + + #define KDC_DIR "@LOCALSTATEDIR/krb5kdc" ++#define KDC_RUN_DIR "@RUNSTATEDIR/krb5kdc" + #define DEFAULT_KDB_FILE 
KDC_DIR "/principal" + #define DEFAULT_KEYFILE_STUB KDC_DIR "/.k5." + #define KRB5_DEFAULT_ADMIN_ACL KDC_DIR "/krb5_adm.acl" +diff --git a/src/man/Makefile.in b/src/man/Makefile.in +index 4dd2448..2b9c892 100644 +--- a/src/man/Makefile.in ++++ b/src/man/Makefile.in +@@ -5,6 +5,7 @@ SPHINX_BUILD=sphinx-build + GROFF=@GROFF@ + GROFF_MAN=$(GROFF) -mtty-char -Tascii -mandoc -c + localstatedir=@localstatedir@ ++runstatedir=@runstatedir@ + sysconfdir=@sysconfdir@ + DEFCCNAME=@DEFCCNAME@ + DEFKTNAME=@DEFKTNAME@ +@@ -44,6 +45,7 @@ $(docsrc)/version.py: $(top_srcdir)/patchlevel.h + -e 's|@SBINDIR@|$(SERVER_BINDIR)|g' \ + -e 's|@LIBDIR@|$(KRB5_LIBDIR)|g' \ + -e 's|@LOCALSTATEDIR@|$(localstatedir)|g' \ ++ -e 's|@RUNSTATEDIR@|$(runstatedir)|g' \ + -e 's|@SYSCONFDIR@|$(sysconfdir)|g' \ + -e 's|@CCNAME@|$(DEFCCNAME)|g' \ + -e 's|@KTNAME@|$(DEFKTNAME)|g' \ +diff --git a/src/plugins/preauth/otp/otp_state.c b/src/plugins/preauth/otp/otp_state.c +index a4d7e3b..4643dff 100644 +--- a/src/plugins/preauth/otp/otp_state.c ++++ b/src/plugins/preauth/otp/otp_state.c +@@ -40,7 +40,7 @@ + #endif + + #define DEFAULT_TYPE_NAME "DEFAULT" +-#define DEFAULT_SOCKET_FMT KDC_DIR "/%s.socket" ++#define DEFAULT_SOCKET_FMT KDC_RUN_DIR "/%s.socket" + #define DEFAULT_TIMEOUT 5 + #define DEFAULT_RETRIES 3 + #define MAX_SECRET_LEN 1024 diff --git a/krb5.spec b/krb5.spec index 440e886..eef7a84 100644 --- a/krb5.spec +++ b/krb5.spec @@ -41,7 +41,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.12.1 -Release: 3%{?dist} +Release: 4%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.12/krb5-1.12.1-signed.tar Source0: krb5-%{version}.tar.gz @@ -68,6 +68,7 @@ Source34: kadmind.logrotate Source36: kpropd.init Source37: kadmind.init Source38: krb5kdc.init +Source39: krb5-krb5kdc.conf BuildRequires: cmake # Carry this locally until it's available in a packaged form. 
@@ -98,6 +99,7 @@ Patch138: krb5-master-rcache-acquirecred-leak.patch
 Patch139: krb5-master-rcache-acquirecred-source.patch
 Patch140: krb5-master-empty-credstore.patch
 Patch141: krb5-master-rcache-acquirecred-test.patch
+Patch142: krb5-master-move-otp-sockets.patch
 Patch201: 0001-Don-t-try-to-stat-not-on-disk-ccache-residuals.patch
 Patch202: 0002-Use-an-in-memory-cache-until-we-need-the-target-s.patch
 Patch203: 0003-Learn-to-destroy-the-ccache-we-re-copying-from.patch
@@ -344,6 +346,7 @@ ln -s NOTICE LICENSE
 %patch139 -p1 -b .rcache-acquirecred-source
 %patch140 -p1 -b .empty-credstore
 %patch141 -p1 -b .rcache-acquirecred-test
+%patch142 -p1 -b .move-otp-sockets
 
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -401,6 +404,9 @@ pushd src
 %if 0%{?compile_default_ccache_name}
 DEFCCNAME=%{compiled_default_ccache_name}; export DEFCCNAME
 %endif
+# Set this so that configure will have a value even if the current version of
+# autoconf doesn't set one.
+runstatedir=%{_localstatedir}/run; export runstatedir
 # Work out the CFLAGS and CPPFLAGS which we intend to use.
 INCLUDES=-I%{_includedir}/et
 CFLAGS="`echo $RPM_OPT_FLAGS $DEFINES $INCLUDES -fPIC -fno-strict-aliasing -fstack-protector-all`"
@@ -451,6 +457,13 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`"
 make
 popd
 
+# Sanity check the KDC_RUN_DIR.
+configured_kdcrundir=`grep KDC_RUN_DIR src/include/osconf.h | awk '{print $NF}'`
+configured_kdcrundir=`eval echo $configured_kdcrundir`
+if test "$configured_kdcrundir" != %{_localstatedir}/run/krb5kdc ; then
+	exit 1
+fi
+
 # Build the docs.
 make -C src/doc paths.py version.py
 cp src/doc/paths.py doc/
@@ -552,6 +565,9 @@ for wrapper in \
 	%{SOURCE8} ; do
 	install -pm 755 ${wrapper} $RPM_BUILD_ROOT%{_sbindir}/
 done
+mkdir -p $RPM_BUILD_ROOT/%{_tmpfilesdir}
+install -pm 644 %{SOURCE39} $RPM_BUILD_ROOT/%{_tmpfilesdir}/
+mkdir -p $RPM_BUILD_ROOT/%{_localstatedir}/run/krb5kdc
 %else
 mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
 for init in \
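Review bot: The sanity check in the `@@ -451,6 +457,13 @@` hunk exits silently when the value does not match, so a failing build reports nothing about what `osconf.h` actually contained; print the value before exiting, e.g. `echo "KDC_RUN_DIR is '$configured_kdcrundir', expected %{_localstatedir}/run/krb5kdc" >&2` ahead of `exit 1`. `grep KDC_RUN_DIR src/include/osconf.h` also matches any line that merely mentions the token, so a future second occurrence (a comment, or another macro built on it) would put several words into `$configured_kdcrundir` and fail the comparison for a non-obvious reason; anchoring it as `grep '^#define KDC_RUN_DIR ' src/include/osconf.h` pins the `#define` line. The `eval echo` on the following line appears to exist only to strip the quotes from the C string literal; a short comment saying so (`# eval strips the quotes from the C string literal`) would save the next reader from wondering whether it does more.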
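Review bot: The run directory added in the `@@ -552,6 +565,9 @@` hunk (and the tmpfiles.d entry `d /var/run/krb5kdc 0755 root root` installed here as `%{SOURCE39}`) is root-owned and 0755, and the `%dir %{_localstatedir}/run/krb5kdc` entry in `%files` carries no `%attr`, so only a root process can create the `%s.socket` file the KDC now looks for under it. If the local OTP daemon is meant to run as an unprivileged user, the tmpfiles line and the `%files` entry need a matching owner or group; if it is expected to run as root, a one-line comment next to the `mkdir` recording that assumption would keep the two definitions from drifting apart. I cannot tell from this diff which of the two is intended.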
@@ -825,6 +841,8 @@ exit 0
 %{_unitdir}/krb5kdc.service
 %{_unitdir}/kadmin.service
 %{_unitdir}/kprop.service
+%{_tmpfilesdir}/krb5-krb5kdc.conf
+%dir %{_localstatedir}/run/krb5kdc
 %else
 /etc/rc.d/init.d/krb5kdc
 /etc/rc.d/init.d/kadmin
@@ -998,6 +1016,15 @@ exit 0
 %{_sbindir}/uuserver
 
 %changelog
+* Fri Feb 7 2014 Nalin Dahyabhai - 1.12.1-4
+- pull in patch from master to move the default directory which the KDC uses
+  when computing the socket path for a local OTP daemon from the database
+  directory (/var/kerberos/krb5kdc) to the newly-added run directory
+  (/run/krb5kdc), in line with what we're expecting in 1.13 (RT#7859)
+- add a tmpfiles.d configuration file to have /run/krb5kdc created at
+  boot-time
+- own /var/run/krb5kdc
+
 * Fri Jan 31 2014 Nalin Dahyabhai - 1.12.1-3
 - refresh nss_wrapper and add socket_wrapper to the %%check environment
 
-- 
cgit