Control: reassing -1 debian-edu-config
Control: tags -1 - wontfix
Control: found -1 2.10.65
Control: tags -1 patch

Hi Sam,

On Mi 03 Jul 2019 15:07:22 CEST, Sam Hartman wrote:
> control: tags -1 wontfix
>
> So, the krb5 packages as installed log to syslogd/journald and do not log to kdc.log.
Ah, ok. The logging is supposed to end up in syslogd/journald...
> debian edu is doing something to change that, which is probably a debian edu bug. Also, it seems likely that if debian edu is messing with the config files of krb5, it's a serious bug under policy because debian edu is messing with the configuration of a package not its own.
... and, yes, Debian Edu messes programmatically with other packages' files (see #311188).
> If you are going to change the logging, then you can also add a systemd fragment that gives the kdc permission to write to that log.
The patch required for Debian Edu's krb5.conf is this: ``` --- /etc/krb5.conf.orig 2019-07-03 16:03:44.199642437 +0200 +++ /etc/krb5.conf 2019-07-03 16:03:40.023642539 +0200 @@ -19,11 +19,6 @@ .intern = INTERN intern = INTERN -[logging] - kdc = FILE:/var/log/kdc.log - kadmin = FILE:/var/log/kadmin.log - default = FILE:/var/log/krb5.log - [dbdefaults] ldap_kerberos_container_dn = cn=kerberos,dc=skole,dc=skolelinux,dc=no ```
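Review bot: the diff is taken against the installed /etc/krb5.conf (see the /etc/krb5.conf.orig and /etc/krb5.conf headers), not against the replacement file that debian-edu-config drops in, so it has to be carried over to the shipped file before it can go into the package. Removing the whole [logging] section returns kdc, kadmin and default logging to the krb5 packages' syslogd/journald behaviour described earlier in this thread; systems that were already installed keep the old section unless the upgrade rewrites their /etc/krb5.conf, so the change should say how those are handled.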
> But another package in Debian should not make this change and override krb5's decisions about where its logs go.
In theory, well spoken. However, as the Debian Edu deployment process needs to tweak the default settings of many Debian packages tremendously, issue #311188 affects many many Debian packages.
The situation has improved greatly over the past years, but we have not reached a point where we can close #311188, yet.
Where we can, we use /etc/<pkg>.conf.d/ directories and drop config snippets in there. Or we could convince package maintainers to make their packages configurable via debconf preseeding.
For /etc/krb5.conf, we currently replace the file and drop in a replacement that works on the Debian Edu network. On the other hand, I guess we have never asked for help for your side (with the krb5 maintainer's hat on).
This bug has now been reassigned to debian-edu-config, let's see if that will end up in the next 10.1 point release or only in Debian (Edu) 11.
Greets,
Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 486 14 27
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de