From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ivan.a.melnikov@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
 sa.local.altlinux.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
 DKIM_VALID,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
 HEADER_FROM_DIFFERENT_DOMAINS autolearn=no autolearn_force=no version=3.4.1
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=sender:date:from:to:subject:message-id:references:mime-version
 :content-disposition:content-transfer-encoding:in-reply-to;
 bh=C+ssE1bpgjpp4mdLa1W0oel1DnDblCKcR+44pAo1uMA=;
 b=ZZ3QjAau6b0i05tvp94azKMM5NYP3HYDS/3Lnqy0mSbdT2D9BdoTA+xFxHrLXxR7nX
 PPcARiX2JoPBZnRHK7tx5eEoCkALkmZvUoowlYZPgCDVExOa91PzBiI23aP9yXWpBVb8
 504kSF1Uw233ejHXwMVm1Gnet4PaeV7TI0FoMHhFd5lL49x+SKYJxOa6gLpYhWaxG2TB
 DqugWEA4mrENrNVYqbWVj42NYTuil7IX0KTW294uhR2nodvWHO0bV9b2cjGzx1qBdqDp
 IECJ+nlUfAbIx0KAG2hkyzKjCf+A5FyuM/4wK008+EbC+nzLcVnjKmjzPtjbFEnOf3Sa
 UyFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:sender:date:from:to:subject:message-id
 :references:mime-version:content-disposition
 :content-transfer-encoding:in-reply-to;
 bh=C+ssE1bpgjpp4mdLa1W0oel1DnDblCKcR+44pAo1uMA=;
 b=OCA51ijCT/ILnqfxaSdowINowPbavIhjc9hvkXvt0h2Tyls/s/dssV60LpIq70P7C5
 sGkTfyHhRWUy31wzZE7D9TAiIA1g7Z8ZA1COPtmTnEGYHd1gJ7N9xiXuljBKCSslJVHT
 54sOtqCQJ/2KwcrW8+q2i+SDg9SQUAbmX8uoEfwqi3cC2QIQrGvAblD1za4OkPeodbk/
 VOiSeUxFZw1s2B5putuO23GnbXLVeA9zdvNhkXsz7TUKzW5wjfPcYIwx7tRFnwr4Zoxc
 oAzfcVGY7KYNWS9P0xzEQsKLMfAUU5hsjcbztfRw+JFUVJAk2mHnkdL7WGlI8jvT4GRP
 GbwQ==
X-Gm-Message-State: AOAM5333jF/KriApwMB4kV9NEx0phQMn2KxhTjgj1eVMMAm5VkYNYM/8
 rri90LbKmvPxtgv5K1Xje64UHSLV
X-Google-Smtp-Source: ABdhPJwuwQAXj3y+bEHXNetv8YGHhgXEDeJYZXsHIBK5+6sKK7xRYBwp4CmCZzX2DeTfqK9d94hZXw==
X-Received: by 2002:a2e:3304:: with SMTP id d4mr27417130ljc.115.1594632129832; 
 Mon, 13 Jul 2020 02:22:09 -0700 (PDT)
Sender: "Ivan A. Melnikov" <ivan.a.melnikov@gmail.com>
Date: Mon, 13 Jul 2020 13:22:07 +0400
From: "Ivan A. Melnikov" <iv@altlinux.org>
To: ALT Linux Team development discussions <devel@lists.altlinux.org>
Message-ID: <20200713092207.lmmzssrobbcgfv43@titan.localdomain>
References: <c574783b-a9f9-1c59-80b4-589928f6c5dc@altlinux.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <c574783b-a9f9-1c59-80b4-589928f6c5dc@altlinux.org>
Subject: Re: [devel] =?utf-8?q?kerberos_plugins_=D0=B8_rebuild?=
X-BeenThere: devel@lists.altlinux.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ALT Linux Team development discussions <devel@lists.altlinux.org>
List-Id: ALT Linux Team development discussions <devel.lists.altlinux.org>
List-Unsubscribe: <https://lists.altlinux.org/mailman/options/devel>,
 <mailto:devel-request@lists.altlinux.org?subject=unsubscribe>
List-Archive: <http://lists.altlinux.org/pipermail/devel>
List-Post: <mailto:devel@lists.altlinux.org>
List-Help: <mailto:devel-request@lists.altlinux.org?subject=help>
List-Subscribe: <https://lists.altlinux.org/mailman/listinfo/devel>,
 <mailto:devel-request@lists.altlinux.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jul 2020 09:22:13 -0000
Archived-At: <http://lore.altlinux.org/devel/20200713092207.lmmzssrobbcgfv43@titan.localdomain/>
List-Archive: <http://lore.altlinux.org/devel/>
List-Post: <mailto:devel@altlinux.org>

On Mon, Jul 13, 2020 at 11:42:52AM +0300, Stanislav Levin wrote:
> Доброго дня.
> 
> 
> Было анонсирован приход krb5 1.18 в сизифе [0].
> 
> Появление новой версии вызвало проблему для FreeIPA:
> 
> 
> krb5 плагин определен в krb5.conf :
> 
> [plugins]
>  certauth = {
>   module = ipakdb:kdb/ipadb.so
>   enable_only = ipakdb
>  }
> 
> 
> # kdb5_util create -s -r IPA.TEST
> Loading random data
> Initializing database '/var/lib/kerberos/krb5kdc/principal' for realm
> 'IPA.TEST',
> master key name 'K/M@IPA.TEST'
> You will be prompted for the database Master Password.
> It is important that you NOT FORGET this password.
> Enter KDC database master key:
> Re-enter KDC database master key to verify:
> kdb5_util: Database module does not match KDC version while creating
> database '/var/lib/kerberos/krb5kdc/principal'
> 
> 
> Для этого плагина реализация отличается в зависимости от
> KRB5_KDB_DAL_MAJOR_VERSION.
> 
> git log -p -G KRB5_KDB_DAL_ upstream/krb5-1.17..upstream/krb5-1.18
> 
> -#define KRB5_KDB_DAL_MAJOR_VERSION 7
> +#define KRB5_KDB_DAL_MAJOR_VERSION 8
> 
> 
> Уверен, что просто rebuild для freeipa исправит проблему.
> 
> Вопрос: не нужно ли это было сделать при сборке krb5? могут быть еще
> пострадавшие.

Из плагинов kdb зацепить могло только freipa, так как
самбу я с новым libkrb5 пересобрал (и sin@ потестировал).
Других плагинов kdb в Сизифе, кажется, нет:

[13:16:03 ~]$ grep '/usr/lib64/krb5/plugins/kdb/'  /srv/mirrors/alt/Sisyphus/{x86_64,noarch}/base/contents_index
/srv/mirrors/alt/Sisyphus/x86_64/base/contents_index:/usr/lib64/krb5/plugins/kdb/db2.so libkrb5
/srv/mirrors/alt/Sisyphus/x86_64/base/contents_index:/usr/lib64/krb5/plugins/kdb/ipadb.so       freeipa-server
/srv/mirrors/alt/Sisyphus/x86_64/base/contents_index:/usr/lib64/krb5/plugins/kdb/kldap.so       libkrb5-ldap
/srv/mirrors/alt/Sisyphus/x86_64/base/contents_index:/usr/lib64/krb5/plugins/kdb/klmdb.so       libkrb5
/srv/mirrors/alt/Sisyphus/x86_64/base/contents_index:/usr/lib64/krb5/plugins/kdb/samba.so       samba-dc-libs

Я почему-то искренне верил что все клиенты и плагины
libkdb5 с ней линкуются, и значит сборочница напомнет
мне их пересобрать -- у этой библиотеки сменился
soname.

-- 
  wbr,
    iv m.