On Wed, 2008-10-08 at 18:11 +0200, Mark Phalan wrote:
> When testing the PKINIT stuff I hit a stupid issue - due to a typo in
> the realm name in kdc.conf users were not getting the +requires_preauth
> attribute when being created. I quickly figured out what was happening
> but it got me thinking about kdc.conf in general.
> 
> Currently the default kdc.conf contains the following:
> 
> [kdcdefaults]
>     kdc_ports = 88,750
> 
> [realms]
>     ___default_realm___  = {
>         profile = /etc/krb5/krb5.conf
>         database_name = /var/krb5/principal
>         admin_keytab = /etc/krb5/kadm5.keytab
>         acl_file = /etc/krb5/kadm5.acl
>         kadmind_port = 749
>         max_life = 8h 0m 0s
>         max_renewable_life = 7d 0h 0m 0s
>         default_principal_flags = +preauth
>       }
> 
> The admin is expected to replace "___default_realm___" with the correct
> realm or add additional realm stanzas for the configured realms.
> 
> The first thing to note is that the code defaults for "kdc_ports",
> "profile", "database_name", "admin_keytab", "acl_file" and
> "kadmind_port" are the same as the values specified here.
> 
> i.e. the above config file snippet is equivalent to:
> 
> [kdcdefaults]
> 
> [realms]
>     ___default_realm___  = {
>         max_life = 8h 0m 0s
>         max_renewable_life = 7d 0h 0m 0s
>         default_principal_flags = +preauth
>       }
> 
> We could easily ship a simplified kdc.conf containing the above.
> 
> The question then arises why are the settings for "max_life",
> "max_renewable_life" and "default_principal_flags" different to the code
> defaults?
> 
> It seems to me to be particularly strange that "+preauth" isn't the
> code default. A Kerberos admin may not even notice that new users aren't
> getting "+preauth" due to a misconfiguration.
> 
> Is there any reason not to change the code defaults to the above?
> i.e.
>                               current   proposed
> max_life                      24h        8h
> max_renewable_life            1year      1month
> default_principal_flags                  +preauth
> 
> 
> If we do these changes we can scrap kdc.conf in its entirety. We can
> then encourage admins to stick to a single config-file - krb5.conf.
> Perhaps we can add a commented-out realm stanza in krb5.conf so that
> it's clear to admins that they can do realm configuration there.
> 
> Thoughts?
> 


I opened 6757779 to track this.
http://bugs.opensolaris.org/view_bug.do?bug_id=6757779 (not available as
of the time of this posting).

-M
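An added example, not from this thread or from the Solaris Kerberos code, showing how the realm-name typo described above can be caught before it silently drops +preauth: it parses the krb5 profile format (one level of `{ }` nesting, enough for kdc.conf) and checks that the realm named by `default_realm` in krb5.conf has a matching `[realms]` stanza in kdc.conf whose `default_principal_flags` contains `+preauth`. The sample config strings are constructed for the demonstration (EXAMPLE.COM / EXAMPLE.CON are placeholders).

```python
# Added example (not the thread's own code): detect a kdc.conf realm stanza that
# does not match krb5.conf's default_realm, or one that omits +preauth, since the
# typo case described in the thread makes the KDC fall back to code defaults.
import re

def parse_profile(text):
    """Return {section: {key: value or {subkey: value}}}; '#' starts a comment."""
    sections, section, stanza = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\S+)\]$', line)
        if m:                                   # new [section]
            section = sections.setdefault(m.group(1), {})
            stanza = None
        elif section is None:
            continue                            # text before any section header
        elif line == '}':                       # end of a realm stanza
            stanza = None
        else:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':                    # "NAME = {" opens a stanza
                stanza = section.setdefault(key, {})
            elif stanza is not None:
                stanza[key] = value
            else:
                section[key] = value
    return sections

def check_preauth(krb5_conf, kdc_conf):
    """Return a list of findings; an empty list means the realm is set up as intended."""
    realm = parse_profile(krb5_conf).get('libdefaults', {}).get('default_realm')
    if not realm:
        return ['krb5.conf sets no default_realm']
    realms = parse_profile(kdc_conf).get('realms', {})
    stanza = realms.get(realm)
    if not isinstance(stanza, dict):
        # The typo case: no stanza matches, so the realm silently uses code defaults.
        return ['no [realms] stanza for %s (found: %s)' % (realm, ', '.join(sorted(realms)) or 'none')]
    flags = stanza.get('default_principal_flags', '').replace(',', ' ').split()
    if '+preauth' not in flags:
        return ['%s does not set +preauth in default_principal_flags' % realm]
    return []

# Constructed sample configs; the kdc.conf stanza name carries a typo (EXAMPLE.CON).
KRB5_CONF = "[libdefaults]\n    default_realm = EXAMPLE.COM\n"
KDC_CONF_TYPO = ("[kdcdefaults]\n    kdc_ports = 88,750\n\n[realms]\n"
                 "    EXAMPLE.CON = {\n        max_life = 8h 0m 0s\n"
                 "        default_principal_flags = +preauth\n    }\n")
KDC_CONF_OK = KDC_CONF_TYPO.replace('EXAMPLE.CON', 'EXAMPLE.COM')
```

Running `check_preauth(KRB5_CONF, KDC_CONF_TYPO)` reports the missing stanza, while the corrected config returns no findings.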