Bastian Blank <[email protected]> writes: > krb5-config uses debconf as a registry. It uses informations from > debconf as authoritative over the real krb5.conf and even asks > informations again on upgrade, like the kdc for the own realm.
I concur that the upgrade behavior after one has manually modified krb5.conf to enable DNS realm resolution and/or set a different local realm is not correct according to Policy, now that I look at it in detail. Thanks for the report; I'd not thought through that. I've been meaning to look at using ucf to try to do something more intelligent, but I haven't had the time. I certainly won't have time for lenny, so something simpler seems to be in order. Just to double-check my understanding of this, would the following be correct behavior? * Prompt as it currently does if /etc/krb5.conf does not exist, regardless of whether this is an upgrade or not. * Do not prompt and leave /etc/krb5.conf as-is on any package upgrade. I'm not sure what the correct behavior for dpkg-reconfigure would be, but I'm guessing that probably doing nothing unless the user has deleted their krb5.conf is the simplest. It does, however, mean that a user who *only* uses debconf to manage their configuration can't change their default realm with dpkg-reconfigure, which is less than ideal. However, I don't know how to distinguish between the dpkg-reconfigure case and the reinstall case, where I presume the user's local changes should always be maintained. > Also some parts are done in postinst instead of the config script. This is currently done because the postinst script wants to look at the current krb5.conf file or the skeleton included in the package before prompting. This may be fixable by telling the config script which realms for which we already have server information so that it can skip the prompts for KDCs for those realms, although I need to figure out why it is that the existing script clears krb5-config/kerberos_servers and krb5-config/admin_server after using them. It's a bit more intrusive than I'd prefer for lenny, so I'd rather postpone this fix until after the lenny release. -- Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
