Re: [RFR] templates://krb5/{krb5-admin-server.templates,krb5-kdc.templates}
Christian Perrier wrote:
> Your review should be sent as an answer to this mail.
No control-file changes, just some for the templates.
> Template: krb5-admin-server/newrealm
...
> _Description: Setting up a Kerberos Realm
> This package contains the administrative tools necessary to run on the
> Kerberos master server.

Is it the tools that are running, on a particular ("server") host:

  This package contains the administrative tools which must run on the
  Kerberos master server.

or is it the Kerberos server (i.e. daemon process) itself?

  This package contains the administrative tools required to run the
  Kerberos master server.

I'm assuming the latter in my patch.

> Template: krb5-kdc/debconf
...
> Some sites who already have infrastructure to manage their own
> Kerberos configuration will wish to disable any automatic
> configuration changes.

Sites aren't whos, and don't have wishes. Maybe

  Administrators who already have infrastructure to manage their
  Kerberos configuration may wish to disable these automatic
  configuration changes.

> Template: krb5-kdc/run-krb524
...
> _Description: Run a Kerberos5 to Kerberos4 tickets conversion daemon?
> Krb524d is a daemon that converts Kerberos5 tickets into Kerberos4 tickets
> for the krb524init program.
> .
> It is recommended to use that daemon if Kerberos4 is enabled, more
> particularly when the Kerberos4 compatibility is set to 'nopreauth'

  _Description: Run a Kerberos5 to Kerberos4 ticket conversion daemon?
   Krb524d is a daemon that converts Kerberos5 tickets into Kerberos4 tickets
   for the krb524init program.
   .
   It is recommended to use this daemon if Kerberos4 is enabled,
   especially when Kerberos4 compatibility is set to 'nopreauth'.

--
JBR
Ankh kak! (Ancient Egyptian blessing)
--- ../krb5.old/debian/krb5-admin-server.templates 2007-05-22 20:39:42.000000000 +0100
+++ debian/krb5-admin-server.templates 2007-05-26 18:30:42.000000000 +0100
@@ -1,22 +1,22 @@
Template: krb5-admin-server/newrealm
Type: note
_Description: Setting up a Kerberos Realm
- This package contains the administrative tools necessary to run on the
- Kerberos master server. However, installing this package does not
- automatically set up a Kerberos realm. Doing so requires entering
- passwords and as such is not well-suited for package installation. To
- create the realm, run the krb5_newrealm command. You may also wish to read
- /usr/share/doc/krb5-kdc/README.KDC and the administration guide found in
- the krb5-doc package.
+ This package contains the administrative tools required to run the
+ Kerberos master server.
.
- Don't forget to set up DNS information so your clients can find your KDC
- and admin servers. Doing so is documented in the administration guide.
+ However, installing this package does not automatically set up a
+ Kerberos realm. This can be done later by running the 'krb5_newrealm'
+ command.
+ .
+ Please also read the /usr/share/doc/krb5-kdc/README.KDC file
+ and the administration guide found in the krb5-doc package.
Template: krb5-admin-server/kadmind
Type: boolean
Default: true
_Description: Run the Kerberos5 administration daemon (kadmind)?
Kadmind serves requests to add/modify/remove principals in the
- Kerberos database. It also must be running for the kpasswd program
- to be used to change passwords. Normally, this daemon runs on the
- master KDC.
+ Kerberos database.
+ .
+ It is required by the kpasswd program, used to change passwords.
+ With standard setups, this daemon should run on the master KDC.
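Review bot: the rewritten krb5-admin-server/newrealm description drops two things the removed lines carried, with nothing in the + lines replacing either: the DNS reminder ("Don't forget to set up DNS information so your clients can find your KDC and admin servers") and the reason realm creation is not automated ("Doing so requires entering passwords"). If the shortening is intentional, suggest keeping at least one sentence for the DNS step, or saying explicitly that it is covered by the administration guide the last paragraph points to. In krb5-admin-server/kadmind, "It is required by the kpasswd program" is also looser than the old wording, which said the daemon must be running for kpasswd to change passwords.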
--- ../krb5.old/debian/krb5-kdc.templates 2007-05-22 20:39:42.000000000 +0100
+++ debian/krb5-kdc.templates 2007-05-26 18:32:41.000000000 +0100
@@ -1,34 +1,40 @@
Template: krb5-kdc/debconf
Type: boolean
Default: true
-_Description: Create Kerberos KDC Configuration with debconf?
- Many sites will wish to have this script automatically create Kerberos KDC
- configuration files in /etc/krb5kdc. By default an example template will
- be copied into this directory with local parameters filled in. Some sites
- who already have infrastructure to manage their own Kerberos configuration
- will wish to disable any automatic configuration changes.
+_Description: Create the Kerberos KDC configuration automatically?
+ The Kerberos Domain Controller (KDC) configuration files, in
+ /etc/krb5kdc, may be created automatically.
+ .
+ By default, an example template will be copied into this directory
+ with local parameters filled in.
+ .
+ Administrators who already have infrastructure to manage their
+ Kerberos configuration may wish to disable these automatic
+ configuration changes.
Template: krb5-kdc/krb4-mode
Type: select
-_Choices: disable, full, nopreauth, none
+__Choices: disable, full, nopreauth, none
Default: none
_Description: Kerberos4 compatibility mode to use:
- By default, Kerberos4 requests are allowed from principals that do not
- require preauthentication. This allows Kerberos4 services to exist while
- requiring most users to use Kerberos5 clients to get their initial
- tickets. These tickets can then be converted to Kerberos4 tickets.
- Alternatively, the mode can be set to full, allowing Kerberos4 to get
- initial tickets even when preauthentication would normally be required, or
- to disable, which will disable all Kerberos4 support.
+ By default, Kerberos4 requests are allowed from principals that do
+ not require preauthentication ('nopreauth'). This allows Kerberos4
+ services to exist while requiring most users to use Kerberos5 clients
+ to get their initial tickets. These tickets can then be converted to
+ Kerberos4 tickets.
+ .
+ Alternatively, the mode can be set to 'full', allowing Kerberos4 to
+ get initial tickets even when preauthentication would normally be
+ required, or to 'disable', which will disable all Kerberos4 support.
Template: krb5-kdc/run-krb524
Type: boolean
-_Description: Run a krb524d?
+_Description: Run a Kerberos5 to Kerberos4 ticket conversion daemon?
Krb524d is a daemon that converts Kerberos5 tickets into Kerberos4 tickets
- for the krb524init program. If you have Kerberos4 enabled at all, then
- you probably want to run this program. Especially when Kerberos4
- compatibility is set to nopreauth, krb524d is important if you have any
- Kerberos4 services.
+ for the krb524init program.
+ .
+ It is recommended to use this daemon if Kerberos4 is enabled,
+ especially when the Kerberos4 compatibility is set to 'nopreauth'.
Template: krb5-kdc/purge_data_too
Type: boolean
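Review bot: in krb5-kdc/krb4-mode the added parenthetical makes the description say that the default behaviour is 'nopreauth', while the unchanged "Default: none" line says otherwise, and the 'none' entry in the choices list is never explained or distinguished from 'disable'. An administrator picking a legacy-protocol compatibility level from this prompt needs the stated default to match the real one; suggest describing the 'nopreauth' mode without calling it the default and adding a sentence for 'none'. Separately, in krb5-kdc/debconf the new text expands KDC as "Kerberos Domain Controller"; KDC stands for Key Distribution Center.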
@@ -36,6 +42,7 @@
_Description: Should the data be purged as well as the package files?
By default, purging this package will not delete the KDC database in
/var/lib/krb5kdc/principal since this database cannot be recovered once
- it is deleted. If you wish to delete your KDC database when this package
- is purged, knowing that purging this package will then mean deleting all
- of the user accounts and passwords in the KDC, enable this option.
+ it is deleted.
+ .
+ Choose this option if you wish to delete the KDC database when this package
+ is purged, deleting all of the user accounts and passwords in the KDC.
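Review bot: in the new second paragraph of krb5-kdc/purge_data_too, the consequence of enabling the option is reduced to a trailing clause ("deleting all of the user accounts and passwords in the KDC"), and the statement that the database cannot be recovered now sits in a different paragraph from the choice it applies to. Since this prompt guards an irreversible deletion, suggest giving the consequence its own sentence next to the choice, for example "Choosing this option will delete all of the user accounts and passwords in the KDC, which cannot be recovered."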

Template: krb5-admin-server/newrealm
Type: note
_Description: Setting up a Kerberos Realm
 This package contains the administrative tools required to run the
 Kerberos master server.
 .
 However, installing this package does not automatically set up a
 Kerberos realm. This can be done later by running the 'krb5_newrealm'
 command.
 .
 Please also read the /usr/share/doc/krb5-kdc/README.KDC file
 and the administration guide found in the krb5-doc package.

Template: krb5-admin-server/kadmind
Type: boolean
Default: true
_Description: Run the Kerberos5 administration daemon (kadmind)?
 Kadmind serves requests to add/modify/remove principals in the
 Kerberos database.
 .
 It is required by the kpasswd program, used to change passwords.
 With standard setups, this daemon should run on the master KDC.

Template: krb5-kdc/debconf
Type: boolean
Default: true
_Description: Create the Kerberos KDC configuration automatically?
 The Kerberos Domain Controller (KDC) configuration files, in
 /etc/krb5kdc, may be created automatically.
 .
 By default, an example template will be copied into this directory
 with local parameters filled in.
 .
 Administrators who already have infrastructure to manage their
 Kerberos configuration may wish to disable these automatic
 configuration changes.

Template: krb5-kdc/krb4-mode
Type: select
__Choices: disable, full, nopreauth, none
Default: none
_Description: Kerberos4 compatibility mode to use:
 By default, Kerberos4 requests are allowed from principals that do
 not require preauthentication ('nopreauth'). This allows Kerberos4
 services to exist while requiring most users to use Kerberos5 clients
 to get their initial tickets. These tickets can then be converted to
 Kerberos4 tickets.
 .
 Alternatively, the mode can be set to 'full', allowing Kerberos4 to
 get initial tickets even when preauthentication would normally be
 required, or to 'disable', which will disable all Kerberos4 support.

Template: krb5-kdc/run-krb524
Type: boolean
_Description: Run a Kerberos5 to Kerberos4 ticket conversion daemon?
 Krb524d is a daemon that converts Kerberos5 tickets into Kerberos4 tickets
 for the krb524init program.
 .
 It is recommended to use this daemon if Kerberos4 is enabled,
 especially when the Kerberos4 compatibility is set to 'nopreauth'.

Template: krb5-kdc/purge_data_too
Type: boolean
Default: false
_Description: Should the data be purged as well as the package files?
 By default, purging this package will not delete the KDC database in
 /var/lib/krb5kdc/principal since this database cannot be recovered once
 it is deleted.
 .
 Choose this option if you wish to delete the KDC database when this package
 is purged, deleting all of the user accounts and passwords in the KDC.