[Bug 652433] Re: Init script dependency error: krb5-kdc starts before slapd

Clint Byrum clint at fewbar.com
Fri Feb 4 16:44:33 UTC 2011


Ok, so now I'm confused. This should have been fixed in Debian, as Sam
Hartman shows us, here:

krb5 (1.8.1+dfsg-3) unstable; urgency=high

  * CVE-2010-1321 GSS-API accept sec context null pointer deref, Closes:
    #582261
  * Force use of bash for build, Closes: #581473
  * Start slapd before krb5 when krb5-kdc-ldap installed, Closes:
    #582122


 -- Sam Hartman <hartmans at debian.org>  Wed, 19 May 2010 16:37:36 -0400

Testing this on natty by installing krb5-kdc-ldap, and then slapd:

# ls -l /etc/rc2.d
total 4
-rw-r--r-- 1 root root 677 Nov  1 09:36 README
lrwxrwxrwx 1 root root  18 Feb  4 07:55 S18krb5-kdc -> ../init.d/krb5-kdc
lrwxrwxrwx 1 root root  15 Feb  4 07:56 S19slapd -> ../init.d/slapd
lrwxrwxrwx 1 root root  18 Nov  2 09:51 S99ondemand -> ../init.d/ondemand
lrwxrwxrwx 1 root root  18 Nov  2 09:51 S99rc.local -> ../init.d/rc.local

The problem is that the override isn't being respected, because it
relies on insserv being called. insserv isn't called, because on Ubuntu
systems, legacy-bootordering is the norm, so this override will not help
unfortunately. If I manually run 'insserv' as root, this does reorder
things:

# ls -l /etc/rc2.d
total 4
-rw-r--r-- 1 root root 677 Nov  1 09:36 README
lrwxrwxrwx 1 root root  15 Feb  4 08:04 S01slapd -> ../init.d/slapd
lrwxrwxrwx 1 root root  18 Feb  4 08:04 S02krb5-kdc -> ../init.d/krb5-kdc
lrwxrwxrwx 1 root root  18 Feb  4 08:04 S03ondemand -> ../init.d/ondemand
lrwxrwxrwx 1 root root  18 Feb  4 08:04 S03rc.local -> ../init.d/rc.local

So, this is really caused by Ubuntu's sysv-rc disabling insserv. Since
Ubuntu has chosen a different boot, this is just going to be something
we have to maintain delta for I think.

In this case I think the right fix for Ubuntu is going to be to add this to krb5-kdc-slapd's postinst:
update-rc.d slapd remove
update-rc.d slapd start 17 2 3 4 5 . stop 19 0 1 6 .

Either way, I have to agree that I was wrong, and this does have a
solution and so can be set to Confirmed. I'll also raise the importance
to Low, because the default config does not work in what would probably
be a very common use case (kdc on the same box as ldap).

The workaround, btw, is to run the two update-rc.d commands above, or
'insserv'.

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1321

** Changed in: krb5 (Ubuntu)
       Status: Opinion => Confirmed

** Changed in: krb5 (Ubuntu)
   Importance: Wishlist => Low

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to krb5 in ubuntu.
https://bugs.launchpad.net/bugs/652433

Title:
  Init script dependency error: krb5-kdc starts before slapd
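
A check for the ordering problem described in the message above, as an added example that is not part of the original post or of the krb5 or sysv-rc packaging: it reads the S links in each runlevel directory and reports where krb5-kdc would start before slapd. The function names and the temporary sample directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example: check SysV start ordering between slapd and krb5-kdc.

# Print the start sequence number of SERVICE ($2) in RCDIR ($1),
# e.g. "18" for S18krb5-kdc. Returns 1 if there is no S link for it.
start_seq() {
    for link in "$1"/S[0-9][0-9]"$2"; do
        # An unmatched glob stays literal; -L also accepts dangling symlinks.
        [ -e "$link" ] || [ -L "$link" ] || continue
        name=${link##*/}
        name=${name#S}
        printf '%s\n' "${name%"$2"}"
        return 0
    done
    return 1
}

# 0: FIRST ($2) starts strictly before SECOND ($3) in RCDIR ($1);
# 1: it does not; 2: one of the two start links is missing.
# Equal numbers count as failure, since rc then falls back to name order.
check_order() {
    a=$(start_seq "$1" "$2") || return 2
    b=$(start_seq "$1" "$3") || return 2
    [ "$a" -lt "$b" ]
}

# Check slapd-before-krb5-kdc in runlevels 2-5 under ROOT ($1, default /).
# Returns the number of runlevels where the order is wrong.
check_kdc_after_slapd() {
    root=${1:-} bad=0
    for rl in 2 3 4 5; do
        dir="$root/etc/rc$rl.d"
        check_order "$dir" slapd krb5-kdc && rc=0 || rc=$?
        case $rc in
            0) echo "$dir: ok" ;;
            1) echo "$dir: krb5-kdc starts before slapd"; bad=$((bad + 1)) ;;
            2) echo "$dir: slapd or krb5-kdc has no start link, skipped" ;;
        esac
    done
    return "$bad"
}

# Constructed sample: the pre-insserv rc2.d layout quoted in the message.
demo=$(mktemp -d)
mkdir -p "$demo/etc/rc2.d"
ln -s ../init.d/krb5-kdc "$demo/etc/rc2.d/S18krb5-kdc"
ln -s ../init.d/slapd "$demo/etc/rc2.d/S19slapd"
check_kdc_after_slapd "$demo" || echo "misordered runlevels: $?"
rm -rf "$demo"
```

On a real host, calling `check_kdc_after_slapd` with no argument inspects `/etc/rc2.d` through `/etc/rc5.d`.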


