[Bug 652433] Re: Init script dependency error: krb5-kdc starts before slapd
Clint Byrum
clint at fewbar.com
Fri Feb 4 16:44:33 UTC 2011
Ok, so now I'm confused. This should have been fixed in Debian, as Sam
Hartman shows us, here:

    krb5 (1.8.1+dfsg-3) unstable; urgency=high

      * CVE-2010-1321 GSS-API accept sec context null pointer deref,
        Closes: #582261
      * Force use of bash for build, Closes: #581473
      * Start slapd before krb5 when krb5-kdc-ldap installed,
        Closes: #582122

     -- Sam Hartman <hartmans at debian.org> Wed, 19 May 2010 16:37:36 -0400

Testing this on natty by installing krb5-kdc-ldap, and then slapd:

    # ls -l /etc/rc2.d
    total 4
    -rw-r--r-- 1 root root 677 Nov 1 09:36 README
    lrwxrwxrwx 1 root root 18 Feb 4 07:55 S18krb5-kdc -> ../init.d/krb5-kdc
    lrwxrwxrwx 1 root root 15 Feb 4 07:56 S19slapd -> ../init.d/slapd
    lrwxrwxrwx 1 root root 18 Nov 2 09:51 S99ondemand -> ../init.d/ondemand
    lrwxrwxrwx 1 root root 18 Nov 2 09:51 S99rc.local -> ../init.d/rc.local

The problem is that the override isn't being respected, because it
relies on insserv being called. insserv isn't called, because on Ubuntu
systems, legacy-bootordering is the norm, so this override will not help
unfortunately. If I manually run 'insserv' as root, this does reorder
things:

    # ls -l /etc/rc2.d
    total 4
    -rw-r--r-- 1 root root 677 Nov 1 09:36 README
    lrwxrwxrwx 1 root root 15 Feb 4 08:04 S01slapd -> ../init.d/slapd
    lrwxrwxrwx 1 root root 18 Feb 4 08:04 S02krb5-kdc -> ../init.d/krb5-kdc
    lrwxrwxrwx 1 root root 18 Feb 4 08:04 S03ondemand -> ../init.d/ondemand
    lrwxrwxrwx 1 root root 18 Feb 4 08:04 S03rc.local -> ../init.d/rc.local

So, this is really caused by Ubuntu's sysv-rc disabling insserv. Since
Ubuntu has chosen a different boot, this is just going to be something
we have to maintain delta for I think.

In this case I think the right fix for Ubuntu is going to be to add
this to krb5-kdc-slapd's postinst:

    update-rc.d slapd remove
    update-rc.d slapd start 17 2 3 4 5 . stop 19 0 1 6 .

Either way, I have to agree that I was wrong, and this does have a
solution and so can be set to Confirmed. I'll also raise the importance
to Low, because the default config does not work in what would probably
be a very common use case (kdc on the same box as ldap).

The workaround, btw, is to run the two update-rc.d commands above, or
'insserv'.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1321
** Changed in: krb5 (Ubuntu)
Status: Opinion => Confirmed
** Changed in: krb5 (Ubuntu)
Importance: Wishlist => Low
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in ubuntu.
https://bugs.launchpad.net/bugs/652433
Title:
Init script dependency error: krb5-kdc starts before slapd
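
Added example, not part of the original message: a shell check that compares the start-link names of slapd and krb5-kdc in an rc directory, as in the two /etc/rc2.d listings above. The function names and the temp-dir sample are constructed for illustration, and it assumes legacy sysv-rc ordering, where S* links run in sorted name order.

```shell
#!/bin/sh
# Assumption: with legacy boot ordering, /etc/rcN.d/S* links start in
# sorted name order, so "S18krb5-kdc" runs before "S19slapd".

# start_link DIR SERVICE -> prints the S??SERVICE link name; 1 if absent
start_link() {
    for f in "$1"/S[0-9][0-9]"$2"; do
        # -L also accepts dangling links (the init.d target may be absent)
        [ -e "$f" ] || [ -L "$f" ] || continue
        basename "$f"
        return 0
    done
    return 1
}

# check_order DIR -> 0 slapd first, 1 krb5-kdc first, 2 a link is missing
check_order() {
    dir=$1
    ldap=$(start_link "$dir" slapd) || return 2
    kdc=$(start_link "$dir" krb5-kdc) || return 2
    # Equal sequence numbers fall back to the name: krb5-kdc sorts first.
    first=$(printf '%s\n%s\n' "$ldap" "$kdc" | LC_ALL=C sort | head -n 1)
    if [ "$first" = "$ldap" ]; then
        echo "$dir: OK ($ldap starts before $kdc)"
        return 0
    fi
    echo "$dir: WRONG ORDER ($kdc starts before $ldap)"
    return 1
}

# Constructed sample: the reported layout, and the layout the two
# update-rc.d commands in the message would produce (slapd at 17).
demo=$(mktemp -d)
mkdir "$demo/before" "$demo/after"
ln -s ../init.d/krb5-kdc "$demo/before/S18krb5-kdc"
ln -s ../init.d/slapd    "$demo/before/S19slapd"
ln -s ../init.d/slapd    "$demo/after/S17slapd"
ln -s ../init.d/krb5-kdc "$demo/after/S18krb5-kdc"
check_order "$demo/before" || true
check_order "$demo/after" || true
```

On a real host, call check_order on /etc/rc2.d through /etc/rc5.d after package installation; a return code of 2 means one of the two services has no start link in that runlevel.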