Add custom krb5.conf which move all config under /etc/rhn/krb5.conf.d (…
Showing
4 changed files
with
48 additions
and
0 deletions.
@@ -0,0 +1,9 @@ | ||
#!/bin/sh | ||
|
||
set -e | ||
|
||
KRB5CONFD="krb5.conf.d" | ||
|
||
rmdir "/etc/$KRB5CONFD" | ||
mkdir "/etc/rhn/$KRB5CONFD" | ||
ln -s "/etc/rhn/$KRB5CONFD" "/etc/$KRB5CONFD" |
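Review bot: The relocation is not re-runnable under `set -e`: once `/etc/krb5.conf.d` is already a symlink, `rmdir` fails and the script aborts before reaching `mkdir` and `ln -s`, and `mkdir` without `-p` fails the same way when `/etc/rhn/krb5.conf.d` already exists; the file name is not shown on this page, so whether the script is invoked more than once (image rebuild, package upgrade) is an inference. `rmdir` also aborts when the base image already ships snippets in `/etc/krb5.conf.d`, which is preferable to losing them silently but deserves a comment saying so. The companion krb5.conf places `krb5.keytab` in the new directory, and since clients must read the snippets the directory has to stay world-readable, so protection of the keytab rests on the keytab's own file mode — worth stating at the `mkdir`. I would guard the relocation on the symlink not yet existing and create the target with `mkdir -p`, as below.
```sh
KRB5CONFD="krb5.conf.d"

# Directory must stay readable by all users (clients read the config snippets);
# krb5.keytab placed here is protected by its own file mode, not by the directory.
mkdir -p "/etc/rhn/$KRB5CONFD"
# Already relocated on a previous run: nothing to do, keep the script idempotent.
if [ ! -L "/etc/$KRB5CONFD" ]; then
    # rmdir deliberately fails on a non-empty directory so existing snippets are not lost.
    [ ! -d "/etc/$KRB5CONFD" ] || rmdir "/etc/$KRB5CONFD"
    ln -s "/etc/rhn/$KRB5CONFD" "/etc/$KRB5CONFD"
fi
```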
@@ -0,0 +1,32 @@ | ||
includedir /etc/rhn/krb5.conf.d | ||
|
||
[libdefaults] | ||
# "dns_canonicalize_hostname" and "rdns" are better set to false for improved security. | ||
# If set to true, the canonicalization mechanism performed by Kerberos client may | ||
# allow service impersonification, the consequence is similar to conducting TLS certificate | ||
# verification without checking host name. | ||
# If left unspecified, the two parameters will have default value true, which is less secure. | ||
dns_canonicalize_hostname = false | ||
rdns = false | ||
# "verify_ap_req_nofail" is enabled to protect against KDC spoofing. After obtaining the | ||
# initial credentials the client library will attempt to verify if the KDC that issued them | ||
# is the same that issued the keys stored in the local keytab. If the client machine does | ||
# not have a keytab, it cannot be read or there is no host key in it, the verification will | ||
# fail if "verify_ap_req_nofail" is set to true. If it is set to false and the client machine | ||
# does not have a keytab, the verification is skipped. | ||
verify_ap_req_nofail = true | ||
# default_realm = EXAMPLE.COM | ||
default_ccache_name = KEYRING:persistent:%{uid} | ||
# move default keytab to the persistent /etc/rhn/krb5.conf.d directory | ||
default_keytab_name = FILE:/etc/rhn/krb5.conf.d/krb5.keytab | ||
|
||
[realms] | ||
# EXAMPLE.COM = { | ||
# kdc = kerberos.example.com | ||
# admin_server = kerberos.example.com | ||
# } | ||
|
||
[logging] | ||
kdc = FILE:/var/log/krb5/krb5kdc.log | ||
admin_server = FILE:/var/log/krb5/kadmind.log | ||
default = SYSLOG:NOTICE:DAEMON |
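Review bot: `default_keytab_name` points into the same directory that the `includedir` line at the top scans, and nothing in the file records why that is safe; if I recall MIT's includedir rules correctly, only files whose names consist of alphanumerics, dashes and underscores (or end in `.conf`) are parsed, so `krb5.keytab` is skipped purely by virtue of its name. I would add above the key: `# NOTE: this directory is also an includedir; the keytab is ignored by the include filter only because its name contains '.' and does not end in .conf -- do not rename it`. Given the changes entry places this in a container server image, `default_ccache_name = KEYRING:persistent:%{uid}` also deserves a comment: kernel-keyring caches require the keyctl syscalls, which container runtimes' default seccomp profiles commonly block, so either document that requirement or provide a `FILE:` fallback. The `[realms]` block is entirely commented out, so the file relies on a snippet in the includedir supplying the realm and KDC; stating that expectation in a header comment would make the split layout self-explanatory.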
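--- a/containers/server-image/server-image.changes.oholecek.krb5-persistent-fix
+++ b/containers/server-image/server-image.changes.oholecek.krb5-persistent-fix
@@ -0,0 +1,2 @@
+- use /etc/krb5.conf.d for all kerberos related configurations
+(bsc#1229077)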