Ben is correct. Installing krb5-{admin-server,kdc} in jessie will install the database in /var/lib by default when no krb5-user package exists. However, I was able to reproduce the problem of a database being installed under /etc/krb5kdc three times in a row when the krb5-user package was installed and configured before krb5-{admin-server,kdc}.
Procedure: I cloned our production lxc linux container running kerberos/jessie/systemd into a test container, entitled "red." Here are the steps to install a database under /etc/krb5kdc:

1. apt-get purge krb5-{config,user,kdc,admin-server} ; apt-get autoremove ; apt-get clean
2. rm -fr /var/lib/k* /etc/krb5kdc
3. apt-get install krb5-user
4. cp krb5.conf krb5.keytab /etc   # good working production files
5. klist   # verify no key exists
6. kinit erik   # obtain a ticket
7. klist   # verify a ticket exists
8. apt-get install krb5-{admin-server,kdc}   # Hit return at Ok prompt to read README.kdc
9. krb5_newrealm   # Immediately run this command. Enter password foo. There might be a race condition.

Attached to this email is krb5_newrealm.out, which is the output from the krb5_newrealm command captured using the linux script command. It shows the database being configured under /etc/krb5kdc. I also ls -l (lc alias) the /etc/krb5kdc directory to show the database files.

I am not sure if the kinit <principal> step is really necessary. It seems like the problem lies with krb5-user being installed and configured before krb5-{admin-server,kdc}. If krb5-user is not installed, apt-get will install krb5-user as a dependency and the installation order seems to prevent a database being installed under /etc/krb5kdc. All I can say is that the above steps are repeatable. I don't think I can reproduce the problem with "apt-get install krb5-{kdc,admin-server}."

There is no significant difference between the krb5-user package /etc/krb5.conf and our production /etc/krb5.conf other than adding our default_realm, kdc = , admin_server = and domain_realm .? entries. It's very plain.

On Tue, Feb 10, 2015 at 2:02 PM, Benjamin Kaduk <ka...@mit.edu> wrote:
> On Tue, 10 Feb 2015, Sam Hartman wrote:
>
> > Ben, any thoughts here?
>
> I did some testing, and the krb5_newrealm in jessie produces my database
> in /var/lib by default.
>
> However, as Sam noted, if there is existing configuration in krb5.conf or
> kdc.conf, that can cause different paths to be used.
>
> Additionally, in my initial test, I had a local build of krb5 installed in
> /usr/local at the front of my path, which had different default paths than
> the debian build. (That is, my /usr/local/sbin/kdb5_util did default to
> putting the database in /etc/krb5kdc/.)
>
> Perhaps Erik could run kdb5_util manually from an absolute path, and
> confirm the default_realm in krb5.conf? Using something other than
> EXAMPLE.COM for redaction would probably help disambiguate.
>
> -Ben
krb5_newrealm.out
Description: Binary data
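Ben's suggestion above (check which kdb5_util is actually resolved, and what kdc.conf and krb5.conf already say before running krb5_newrealm) can be turned into a small pre-flight check. The script below is an added example, not part of this thread or of the Debian krb5 packaging: it reads the database_name for a realm out of a kdc.conf-style file (falling back to the /var/lib/krb5kdc default the thread describes for the Debian build), reports when that path sits under /etc/krb5kdc, and flags a kdb5_util that resolves under /usr/local. The realm names, the sample kdc.conf and the /etc/krb5kdc/kdc.conf default path are constructed assumptions; the awk parser covers only the realm-block syntax shown in the sample.

```shell
#!/bin/sh
# Added example (not from the thread): report where a realm's KDC database
# will be created according to kdc.conf, and flag a kdb5_util that resolves
# to a local build rather than the packaged one. Names/paths are constructed.

# Debian's packaged default when kdc.conf sets no database_name (per the thread).
KRB5_DEFAULT_DB=/var/lib/krb5kdc/principal

# write_sample_kdc_conf FILE: constructed kdc.conf with one realm that pins
# its database under /etc/krb5kdc and one that relies on the build default.
write_sample_kdc_conf() {
    cat > "$1" <<'EOF'
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    TESTLAB.LOCAL = {
        database_name = /etc/krb5kdc/principal
        acl_file = /etc/krb5kdc/kadm5.acl
    }
    DEFAULTS.LOCAL = {
        acl_file = /etc/krb5kdc/kadm5.acl
    }
EOF
}

# kdc_db_path FILE REALM: print database_name from the realm's block inside
# [realms], or the build default when the block (or the realm) is absent.
kdc_db_path() {
    found=$(awk -v realm="$2" '
        /^[ \t]*\[/ {                 # section header such as [realms]
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            inrealm = 0; next
        }
        section == "realms" && $1 == realm && $2 == "=" && $3 == "{" { inrealm = 1; next }
        inrealm && /^[ \t]*}/ { inrealm = 0; next }
        inrealm && $1 == "database_name" && $2 == "=" { print $3; exit }
    ' "$1")
    printf '%s\n' "${found:-$KRB5_DEFAULT_DB}"
}

# db_under_etc PATH: succeed when the database would live under /etc/krb5kdc,
# the location the thread reports as unexpected for the Debian build.
db_under_etc() {
    case "$1" in
        /etc/krb5kdc/*) return 0 ;;
        *) return 1 ;;
    esac
}

# kdb5_util_is_packaged PATH: succeed unless the resolved kdb5_util is a
# local build under /usr/local (the cause Ben found in his own test).
kdb5_util_is_packaged() {
    case "$1" in
        /usr/local/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage on a real host (assumed Debian path for kdc.conf; needs read access):
#   sh preflight.sh --check MYREALM.EXAMPLE
if [ "${1:-}" = "--check" ]; then
    conf=/etc/krb5kdc/kdc.conf
    realm=${2:?usage: $0 --check REALM}
    db=$(kdc_db_path "$conf" "$realm")
    echo "kdc.conf database for $realm: $db"
    db_under_etc "$db" && echo "note: database is configured under /etc/krb5kdc"
    util=$(command -v kdb5_util || true)
    kdb5_util_is_packaged "$util" || echo "note: kdb5_util resolves to $util (local build?)"
fi
```

Running the --check mode before krb5_newrealm answers the two questions Ben raised in one pass: which binary PATH hands you, and whether an existing kdc.conf already pins the database path for the realm you are about to create.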