Your message dated Sat, 5 Dec 2015 16:50:20 -0500 (EST)
with message-id <[email protected]>
and subject line Re: Bug#807135: krb5-kdc: systemd overrides configured log
settings
has caused the Debian Bug report #807135,
regarding krb5-kdc: systemd overrides configured log settings
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
--
807135: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807135
Debian Bug Tracking System
--- Begin Message ---
Package: krb5-kdc
Version: 1.12.1+dfsg-19+deb8u1
Severity: normal
Hi again!
I configured Kerberos to log to some specific locations:
(from /etc/krb5.conf:)
...
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5.log
However, these logs are empty. I discovered that everything from
krb5-kdc and kadmin is getting dumped into auth.log, which is not what I
want.
I took a look at another jessie system that is using the same version of
krb5-kdc but is not using systemd, and found that all the logs get filed
into the correct places with the same config parameters.
Hence, I think that systemd/journalctl is overriding the
software-defined settings. I'm not super experienced with systemd; I'm
running it with all the Debian default settings.
Do you know if it's possible to fix this?
- e
-- System Information:
Debian Release: 8.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages krb5-kdc depends on:
ii debconf [debconf-2.0] 1.5.56
ii init-system-helpers 1.22
ii krb5-config 2.3
ii krb5-user 1.12.1+dfsg-19+deb8u1
ii libc6 2.19-18+deb8u1
ii libcomerr2 1.42.12-1.1
ii libgssapi-krb5-2 1.12.1+dfsg-19+deb8u1
ii libgssrpc4 1.12.1+dfsg-19+deb8u1
ii libk5crypto3 1.12.1+dfsg-19+deb8u1
ii libkadm5clnt-mit9 1.12.1+dfsg-19+deb8u1
ii libkadm5srv-mit9 1.12.1+dfsg-19+deb8u1
ii libkdb5-7 1.12.1+dfsg-19+deb8u1
ii libkeyutils1 1.5.9-5+b1
ii libkrb5-3 1.12.1+dfsg-19+deb8u1
ii libkrb5support0 1.12.1+dfsg-19+deb8u1
ii libverto-libev1 0.2.4-2
ii libverto1 0.2.4-2
ii lsb-base 4.1+Debian13+nmu1
krb5-kdc recommends no packages.
Versions of packages krb5-kdc suggests:
ii krb5-admin-server 1.12.1+dfsg-19+deb8u1
pn krb5-kdc-ldap <none>
ii xinetd [inet-superserver] 1:2.3.15-3
-- debconf information:
krb5-kdc/debconf: true
krb5-kdc/purge_data_too: false
--- End Message ---
--- Begin Message ---
On Sat, 5 Dec 2015, Elana Hashman wrote:
> Package: krb5-kdc
> Version: 1.12.1+dfsg-19+deb8u1
> Severity: normal
>
> Hi again!
>
> I configured Kerberos to log to some specific locations:
>
> (from /etc/krb5.conf:)
> ...
> [logging]
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmin.log
> default = FILE:/var/log/krb5.log
>
> However, these logs are empty. I discovered that everything from krb5-kdc and
> kadmin is getting dumped into auth.log, which is not what I want.
>
> I took a look at another jessie system that is using the same version of
> krb5-kdc but is not using systemd, and found that all the logs get filed into
> the correct places with the same config parameters.
>
> Hence, I think that systemd/journalctl is overriding the software-defined
> settings. I'm not super experienced with systemd; I'm running it with all the
> Debian default settings.
>
> Do you know if it's possible to fix this?
This appears to be due to the use of systemd's ability to limit a spawned
process to only be able to write to a subset of the directory tree (it
should get EROFS if it tries). The settings are specified in the shipped
krb5-kdc unit file
(http://anonscm.debian.org/cgit/pkg-k5-afs/debian-krb5-2013.git/tree/debian/krb5-kdc.service?h=jessie)
but it should be possible to add additional ReadWriteDirectories in a
supplementary snippet, such as in
/lib/systemd/system/krb5-kdc.service.d/*.conf
I would not expect the systemd configuration to cause log entries that
would normally be written to the kdc log to end up in the system-wide
auth.log, though; could you provide a snippet of the auth.log entries you
are seeing?
For now, I'll close the bug since it seems to be working as intended.
-Ben
--- End Message ---
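
The check suggested by the reply above, as an added example that is not part of the original thread or of the Debian package: it compares the FILE targets from the reported [logging] stanza with a unit's ReadWriteDirectories and prints nothing itself, returning the targets that are not covered plus the text of a supplementary snippet. The unit text is a constructed sample, the function names are hypothetical, and the check assumes the unit makes the rest of the tree read-only.

```python
import posixpath
import re

# [logging] stanza as quoted in the report; the unit text below is a
# constructed sample, not the contents of the packaged krb5-kdc.service.
KRB5_CONF = """\
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5.log
"""
UNIT = """\
[Service]
ReadOnlyDirectories=/
ReadWriteDirectories=-/var/tmp /tmp /var/lib/krb5kdc -/var/run /run
"""

def log_files(krb5_conf):
    """Return (entity, path) for each FILE: or FILE= target in [logging]."""
    found, section = [], None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        m = re.match(r"(\w+)\s*=\s*FILE[:=](\S+)$", line)
        if section == "logging" and m:
            found.append((m.group(1), posixpath.normpath(m.group(2))))
    return found

def writable_dirs(unit_text):
    """Collect ReadWriteDirectories= entries; an empty value resets the list."""
    dirs = []
    for line in unit_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "ReadWriteDirectories":
            paths = [posixpath.normpath(p.lstrip("-")) for p in value.split()]
            dirs = dirs + paths if paths else []
    return dirs

def blocked(krb5_conf, unit_text):
    """Log targets that fall outside every writable directory."""
    dirs = writable_dirs(unit_text)
    return [(e, p) for e, p in log_files(krb5_conf)
            if not any(p == d or p.startswith(d.rstrip("/") + "/") for d in dirs)]

def drop_in(blocked_targets):
    """Text for a supplementary snippet covering the blocked log directories."""
    dirs = sorted({posixpath.dirname(p) for _, p in blocked_targets})
    return "[Service]\nReadWriteDirectories=" + " ".join(dirs) + "\n" if dirs else ""
```

On a real host, feed the functions the contents of /etc/krb5.conf and the unit file with its drop-ins, then restart the service after installing the snippet.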