I'll take a look in the next couple of days.
Mark Phalan wrote:
> Need a code review for the following:
>
> 6658621 Configuration checks for kerberos daemons should be done by the
>         daemons themselves
> 6658631 error messages in kerberos daemons need cleanup
> 6664832 various memleaks in krb libs
> 6658627 kpropd should use its executable name and not the full path when
>         logging error messages
> 6658624 Missing error strings for new kerberos DB error types
>
> The following related CRs will be closed once the above is putback:
>
> 6522924 Failure to start svc:/network/security/krb5kdc should be more
>         verbose
> 6646459 'db_exists' and 'kadm5_acl_configed' tests broken in
>         svc-kdc/svc-kdc.master
> 6623803 db_exists() in usr/src/cmd/svc/shell/krb_include.sh needs to be
>         updated to deal with LDAP
>
> webrev can be found here:
> http://cr.opensolaris.org/~mbp/daemon_error_messages/
>
> The code changes mostly deal with enhancing the error message
> reporting in the daemons/related libs.
> A better effort is made to log to stderr (as well as the
> configured logging destination) before the daemons daemonize.
> Before daemonizing, the daemons print to stderr where all
> further logging will take place - this makes it easier to
> follow when using SMF as there is a full trail from "svcs -x"
> to the log file.
>
> The SMF helper scripts have been removed. SMF now runs the daemons
> directly.
>
> A list of the old and new behaviours follows:
>
> /lib/svc/method/svc-kdc                   krb5kdc/SMF
> ---                                       ---
> Exits if _default_realm_ is in            Runs even if _default_realm_ is in
> kdc.conf                                  kdc.conf. Uses defaults for
>                                           configuration.
>
> Exits if /var/krb5/principal              db2 backend will fail if it can't
> isn't present*                            access the principal db.
>                                           LDAP backend will fail if it can't
>                                           access the LDAP server.
>
> Exits if krb5kdc isn't executable         SMF will fail if krb5kdc isn't
>                                           executable
>
>
> /lib/svc/method/svc-kdc.master            kadmind/SMF
> ---                                       ---
> Exits if _default_realm_ is in            Runs even if _default_realm_ is in
> kdc.conf                                  kdc.conf. Uses defaults for
>                                           configuration.
>
> Exits if kadm5.acl contains               Warns if acl file contains an entry
> _default_realm_*                          for _default_realm_ but doesn't
>                                           exit.
>
> Exits if /var/krb5/principal              db2 kdb backend will fail if it
> isn't present*                            can't access the principal db.
>                                           LDAP kdb backend will fail if it
>                                           can't access the LDAP server.
>
> Exits if kadmind isn't executable         SMF will fail if kadmind isn't
>                                           executable
>
>
> /lib/svc/method/svc-kdc.slave             kpropd/SMF
> ---                                       ---
> Exits if _default_realm_ is in            Runs even if _default_realm_ is in
> kdc.conf                                  kdc.conf. Uses defaults for
>                                           configuration.
>
> Exits if kadm5.acl doesn't contain        Warns if acl file contains an entry
> _default_realm_*                          for _default_realm_ but doesn't
>                                           exit.
>
> Exits if kpropd isn't executable          SMF will fail if kpropd isn't
>                                           executable
>
> * These checks are currently broken in Nevada (see 6646459)
>
>
> Some examples of changed output:
>
> =========================
> **
> LDAP plugin, inaccessible/misconfigured LDAP server
>
> New:
>
> soe-280r-4# /usr/lib/krb5/krb5kdc -n
> krb5kdc: Failed to bind to ldap server
> "ldaps://ds-server.central.sun.com": Can't connect to the LDAP server
> while initializing database for realm ACME.COM
> krb5kdc: Unable to access Kerberos database while initializing realm
> ACME.COM
>
> Old:
>
> sol-x2100-24# /usr/lib/krb5/krb5kdc -n
> krb5kdc: cannot initialize realm ACME.COM
>
> =========================
>
> **
> # echo "pop" > /var/krb5/principal
>
> New:
>
> soe-280r-4# /usr/lib/krb5/krb5kdc -n
> hash: could not retrieve header
> krb5kdc: Failed to set db2 name to "/var/krb5/principal": Invalid
> argument while initializing database for realm ACME.COM
> krb5kdc: Invalid argument while initializing realm ACME.COM
>
> Old:
>
> sol-x2100-24# /usr/lib/krb5/krb5kdc -n
> krb5kdc: cannot initialize realm ACME.COM
> sol-x2100-24#
>
> =========================
>
> **
> libdb.so.1 is missing or moved
> (new error string for KRB5_KDB_DBTYPE_NOTFOUND)
>
> New:
>
> soe-280r-4# /usr/lib/krb5/krb5kdc -n
> krb5kdc: Unable to load requested database module 'db2': plugin symbol
> 'kdb_function_table' not found while initializing database for realm
> ACME.COM
> krb5kdc: Unable to find requested database type while initializing realm
> ACME.COM
>
> Old:
>
> sol-x2100-24# /usr/lib/krb5/krb5kdc -n
> krb5kdc: cannot initialize realm ACME.COM
>
> =========================
>
> **
> No keytab file on slave
>
> New:
>
> soe-280r-4# svcs -x krb5_prop
> svc:/network/security/krb5_prop:default (Kerberos propagation daemon for
> slave KDCs)
>  State: maintenance since Tue Feb 26 07:09:21 2008
> Reason: Start method failed repeatedly, last exited with status 1.
>    See: http://sun.com/msg/SMF-8000-KS
>    See: kpropd(1M)
>    See: /var/svc/log/network-security-krb5_prop:default.log
> Impact: This service is not running.
> soe-280r-4# tail /var/svc/log/network-security-krb5_prop:default.log
> ...
> [ Feb 26 07:09:21 Enabled. ]
> [ Feb 26 07:09:21 Executing start method ("/usr/lib/krb5/kpropd -S"). ]
> kpropd: No such file or directory while retrieving entry
> kiprop/soe-280r-4.sfbay.sun.com@ACME.COM from FILE:/etc/krb5/krb5.keytab
> [ Feb 26 07:09:21 Method "start" exited with status 1. ]
>
> Old:
>
> sol-x2100-24# svcs -x krb5_prop
> svc:/network/security/krb5_prop:default (Kerberos propagation daemon for
> slave KDCs)
>  State: maintenance since Tue Feb 26 07:13:14 2008
> Reason: Restarting too quickly.
>    See: http://sun.com/msg/SMF-8000-L5
>    See: kpropd(1M)
>    See: /var/svc/log/network-security-krb5_prop:default.log
> Impact: This service is not running.
> sol-x2100-24# tail /var/svc/log/network-security-krb5_prop:default.log
> ...
> [ Feb 26 07:13:14 Method "start" exited with status 0. ]
> [ Feb 26 07:13:14 Stopping because all processes in service exited. ]
> [ Feb 26 07:13:14 Executing stop method (:kill). ]
> [ Feb 26 07:13:14 Restarting too quickly, changing state to
> maintenance. ]
>
> <from syslog>
> Feb 26 07:13:14 sol-x2100-24 kpropd[14982]: [ID 356978
> daemon.error] /usr/lib/krb5/kpropd: Key table entry not found while
> initializing /usr/lib/krb5/kpropd interface
>
> =========================
>
> **
> Comment out "admin_server" line in krb5.conf
>
> New:
>
> soe-280r-4# svcs -x kadmin
> svc:/network/security/kadmin:default (Kerberos administration daemon)
>  State: maintenance since Tue Feb 26 05:14:40 2008
> Reason: Start method failed repeatedly, last exited with status 1.
>    See: http://sun.com/msg/SMF-8000-KS
>    See: kadmind(1M)
>    See: /var/svc/log/network-security-kadmin:default.log
> Impact: This service is not running.
> soe-280r-4# tail /var/svc/log/network-security-kadmin:default.log
> [ Feb 26 05:09:24 Method "start" exited with status 1. ]
> [ Feb 26 05:09:24 Executing start method ("/usr/lib/krb5/kadmind"). ]
> kadmind: Syntax error in profile relation while initializing, aborting
> [ Feb 26 05:09:25 Method "start" exited with status 1. ]
> [ Feb 26 05:14:37 Leaving maintenance because disable requested. ]
> [ Feb 26 05:14:37 Disabled. ]
> [ Feb 26 05:14:40 Enabled. ]
> [ Feb 26 05:14:40 Executing start method ("/usr/lib/krb5/kadmind"). ]
> kadmind: Failed to determine whether host is master KDC for realm
> ACME.COM: No administration server found for realm
> [ Feb 26 05:14:40 Method "start" exited with status 1. ]
> soe-280r-4#
>
> Old:
>
> sol-x2100-24# svcs -x kadmin
> svc:/network/security/kadmin:default (Kerberos administration daemon)
>  State: maintenance since Tue Feb 26 05:17:17 2008
> Reason: Restarting too quickly.
>    See: http://sun.com/msg/SMF-8000-L5
>    See: kadmind(1M)
>    See: /var/svc/log/network-security-kadmin:default.log
> Impact: This service is not running.
> sol-x2100-24# tail /var/svc/log/network-security-kadmin:default.log
> kadmind: Cannot initialize GSS-API authentication.
> [ Feb 26 05:17:17 Method "start" exited with status 0. ]
> [ Feb 26 05:17:17 Stopping because all processes in service exited. ]
> [ Feb 26 05:17:17 Executing stop method (:kill). ]
> [ Feb 26 05:17:17 Executing start method
> ("/lib/svc/method/svc-kdc.master"). ]
> kadmind: Cannot initialize GSS-API authentication.
> [ Feb 26 05:17:17 Method "start" exited with status 0. ]
> [ Feb 26 05:17:17 Stopping because all processes in service exited. ]
> [ Feb 26 05:17:17 Executing stop method (:kill). ]
> [ Feb 26 05:17:17 Restarting too quickly, changing state to
> maintenance. ]
> sol-x2100-24#
>
> Feb 26 05:17:16 sol-x2100-24 kadmind[14373](Error): Cannot initialize
> GSS-API authentication, failing.
> Feb 26 05:17:16 sol-x2100-24 kadmind[14376](Error): Cannot initialize
> GSS-API authentication, failing.
> Feb 26 05:17:16 sol-x2100-24 kadmind[14379](Error): Cannot initialize
> GSS-API authentication, failing.
> Feb 26 05:17:16 sol-x2100-24 kadmind[14382](Error): Cannot initialize
> GSS-API authentication, failing.
> Feb 26 05:17:16 sol-x2100-24 kadmind[14385](Error): Cannot initialize
> GSS-API authentication, failing.
> Feb 26 05:17:16 sol-x2100-24 kadmind[14388](Error): Cannot initialize
> GSS-API authentication, failing.
> Feb 26 05:17:16 sol-x2100-24 kadmind[14391](Error): Cannot initialize
> GSS-API authentication, failing.
> Feb 26 05:17:17 sol-x2100-24 kadmind[14394](Error): Cannot initialize
> GSS-API authentication, failing.
> Feb 26 05:17:17 sol-x2100-24 kadmind[14397](Error): Cannot initialize
> GSS-API authentication, failing.
>
> =========================
>
>
> _______________________________________________
> kerberos-discuss mailing list
> kerberos-discuss at opensolaris.org
> http://mail.opensolaris.org/mailman/listinfo/kerberos-discuss
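The startup-reporting pattern the quoted request describes (executable name rather than full path, chained "detail while context for realm" messages, stderr plus syslog before daemonizing, a non-zero exit so SMF records "Start method failed", and a placeholder-realm acl check that warns instead of exiting), as an added C example; it is not code from the webrev or from the Solaris krb5 daemons, and the function names, message layout and the `_default_realm_` placeholder spelling (taken as written in the message) are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define KDC_EXIT_FAILURE 1  /* non-zero, so SMF reports "Start method failed" */

/* Name to prefix messages with: basename(argv[0]), not the full path. */
const char *daemon_name(const char *argv0)
{
    const char *slash = strrchr(argv0, '/');
    return slash ? slash + 1 : argv0;
}

/* Return 1 if a non-comment acl line still carries the unedited
 * _default_realm_ placeholder (spelling as in the review request).
 * The daemon only warns on this; it no longer exits. */
int acl_has_placeholder_realm(const char *acl_text)
{
    const char *p = acl_text;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;           /* truncate over-long lines */
        memcpy(line, p, len);
        line[len] = '\0';
        if (line[0] != '#' && strstr(line, "_default_realm_") != NULL)
            return 1;
        p = nl ? nl + 1 : p + len;
    }
    return 0;
}

/* Pre-daemonize failure path: write the chained message to stderr (captured
 * in the SMF method log) and to syslog, say where later messages go, and
 * return the exit status for exit(). The message is left in buf as well. */
int report_startup_failure(char *buf, size_t n, const char *prog,
                           const char *detail, const char *context,
                           const char *realm)
{
    snprintf(buf, n, "%s: %s while %s for realm %s",
             prog, detail, context, realm);
    fprintf(stderr, "%s\n", buf);
    syslog(LOG_ERR, "%s", buf);
    fprintf(stderr, "%s: further messages are logged via syslog\n", prog);
    return KDC_EXIT_FAILURE;
}
```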