Bugzilla – Full Text Bug Listing

| Summary: | Yast-kerberos-client works wrong with DNS kerberos config | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE 11.4 | Reporter: | Pavel Baranchikov <pavel> |
| Component: | YaST2 | Assignee: | Jiří Suchomel <jsuchome> |
| Status: | RESOLVED FIXED | QA Contact: | Jiri Srain <jsrain> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | mvidner |
| Version: | Final | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | openSUSE 11.4 | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: |
patch for /usr/share/YaST2/modules/Kerberos.ycp
y2log after executing yast2 kerberos-client |
Description
Pavel Baranchikov
2011-08-16 14:33:15 UTC
What do these commands show:
dig TXT _kerberos.%1 +short
dig SRV _kerberos._udp.%1 +short
(where %1 is your default domain)?

pavel@pbaranchikov:~> dig TXT _kerberos.domain.com +short
"DOMAIN.COM"
pavel@pbaranchikov:~> dig SRV _kerberos._udp.domain.com +short
0 20 88 notitiae.domain.com.
0 10 88 aranei.domain.com.

Created attachment 448190 [details]
patch for /usr/share/YaST2/modules/Kerberos.ycp
I see, I did not expect more lines in the output.
Please try to patch your /usr/share/YaST2/modules/Kerberos.ycp with this patch ('patch /usr/share/YaST2/modules/Kerberos.ycp < patch_from_here'), then call 'ycpc -c /usr/share/YaST2/modules/Kerberos.ycp' and try again.

For now, my "use DNS to configure Kerberos" checkbox is disabled for both original Kerberos.ycp and patched. Maybe, it is due to existing config file? Is there a way to reset config file to YAST-compatible format. On other computer, patch did the job and wrote the correct /etc/krb5.conf file.

(In reply to comment #4)
> For now, my "use DNS to configure Kerberos" checkbox is disabled for both
> original Kerberos.ycp and patched. Maybe, it is due to existing config file? Is
> there a way to reset config file to YAST-compatible format.

Yes, if kdc and/or realm is found in krb config file, DNS is not offered as an option. Try to backup your krb5.conf, then delete from it data specific to your realm and try again.

I have deleted all the contents of the /etc/krb5.conf, so it became empty file. "Use DNS" is not active.
I have cleaned krb5.conf from my domain info:
pbaranchikov:/etc # cat /etc/krb5.conf
[libdefaults]
clockskew = 300
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = false
minimum_uid = 1
clockskew = 300
external = sshd
use_shmem = sshd
}
pbaranchikov:/etc #
"Use DNS" checkbox left unavailable.
Would you please add a button to rewrite the system krb5.conf file contents?

This is strange. Could you please attach y2log files, after you run yast2 kerberos-client with the above krb5.conf? It would be better with verbose logging, start: 'Y2DEBUG=ALL yast2 kerberos-client'

Created attachment 448641 [details]
y2log after executing yast2 kerberos-client

Looks like 'dig TXT _kerberos.aleatis +short' did not return anything, so YaST evaluated it as DNS info is not available. Is the dig output different on other machine?

No, other machine does the same. Full kerberos (and DNS) domain name is ryazan.aleatis.lan

You wrote in comment 4 that for the other machine, DNS is detected correctly, right? So what does 'dig TXT _kerberos.aleatis +short' return on both of your machines? And,

(In reply to comment #10)
> Full kerberos (and DNS) domain name is ryazan.aleatis.lan

but hostname --fqdn reports 'pbaranchikov.aleatis'

I do not understand all the mechanisms of the determining the fqdn, but with the config, mentioned in comment #6, the real kerberos realm is discovered correctly, with the domain name, gathered from the DHCP. Maybe, they use /etc/resolv.conf instead of hostname --fqdn?

hostname --fqdn reports 'pbaranchikov.aleatis' but you say that DNS domain name is ryazan.aleatis.lan. Because of this setup, Kerberos cannot properly find KDC. Martin, any idea what's the problem with network setup?

Possibly a wrong entry in /etc/hosts. WebYaST did that wrong (bnc#694283#c8)

Well, to me it seems that your network config is somehow broken. If YaST caused it, please file a new bug report against network configuration. This one, regarding detecting Kerberos DNS config, is IMHO fixed by patch from comment 3, assuming correct network config.

This is an autogenerated message for OBS integration: This bug (712448) was mentioned in https://build.opensuse.org/request/show/80687 Factory / yast2-kerberos-client
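
The thread turns on two shapes of `dig +short` output: an SRV answer with more than one line, and a TXT answer that is empty. As an added example (not the YaST patch and not code from this report), the shell functions below parse both defensively; the names parse_realm and parse_kdcs and the descending-weight tie-break are assumptions, and the sample input is the dig output quoted in the report.

```shell
#!/bin/sh
# Added example (not YaST code). Sample input below is the dig +short
# output quoted in this report, embedded so the script runs offline.
SAMPLE_TXT='"DOMAIN.COM"'
SAMPLE_SRV='0 20 88 notitiae.domain.com.
0 10 88 aranei.domain.com.'

# parse_realm (hypothetical name): stdin is the output of
#   dig TXT _kerberos.<domain> +short
# Prints the first non-empty record without its quotes. Returns 1 when the
# answer is empty, the case seen here for _kerberos.aleatis.
parse_realm() {
    realm=$(sed -e 's/^"//' -e 's/"$//' -e '/^[[:space:]]*$/d' | head -n 1)
    [ -n "$realm" ] || return 1
    printf '%s\n' "$realm"
}

# parse_kdcs (hypothetical name): stdin is the output of
#   dig SRV _kerberos._udp.<domain> +short
# one "priority weight port target." record per line, any number of lines.
# Malformed lines and targets with unexpected characters are dropped, since
# the result is destined for krb5.conf. Prints host:port, lowest priority
# first; ordering equal priorities by descending weight is an assumption
# made to get a deterministic list.
parse_kdcs() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ &&
         $3 ~ /^[0-9]+$/ && $4 ~ /^[A-Za-z0-9.-]+$/ {
             sub(/\.$/, "", $4)
             print $1, $2, $4 ":" $3
         }' | sort -k1,1n -k2,2nr | awk '{ print $3 }'
}

# Demo on the sample input.
printf '%s\n' "$SAMPLE_TXT" | parse_realm
printf '%s\n' "$SAMPLE_SRV" | parse_kdcs
```
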