I've done a manual interactive install `sudo apt install krb5-config`
and dumped the config values like so
printf '\ec'; sudo debconf-get-selections | grep -i krb5-config
Notibly, the `krb5-config/kerberos_servers` and
`krb5-config/admin_server` are both empty strings from
debconf-get-selections, that seems incorrect to me. Anyway,
i correct the blank entries and prepended each like with `d-i ` and
plopped it into my preseed file like so, krb5-config inherited by the
libpam-krb5 package dependency chain.
# ...
d-i pkgsel/include string [...] libpam-krb5 libpam-ccreds
d-i pkgsel/upgrade select full-upgrade
# Auth
d-i krb5-config/add_servers_realm string KDC.EXAMPLE.ORG
d-i krb5-config/add_servers boolean true
d-i krb5-config/read_conf boolean true
d-i krb5-config/kerberos_serversstring example
d-i krb5-config/admin_serverstring example
d-i krb5-config/default_realm string KDC.EXAMPLE.ORG
# ...
where `example` resolves to my primary kdc and admin server.
In this case I've tried with `krb5-config/read_conf` set to `true` and
`false`. Both cases the resulting installation's `/etc/krb5.conf` has
the default_realm populated correctly, but the custom ream has not
been added.
It was my understanding that supply debconf values ahead of time would
behave exactly like supplying them when prompted interactively. This
appears to be inconsistent.
This bug thread is the closest thing I've found to a lead; while I
could handle the realm addition as a postinstall rind replace It seems
like there is indeed a bug in how krb5-config determines if it should
add a realm, I assumed
krb5-configkrb5-config/add_serversbooleantrue
is pretty darn clear that server should be added and under the ream
declared for this purpose
krb5-configkrb5-config/add_servers_realmstring KDC.EXAMPLE.ORG
If nothing else it should be a bug that debconf's selections don't
remember user provided values, and that declaring theses values can be
ignored in a matter unlike the interactive prompt.
I took a peak at the `kerberos-configs-2.3/krb5-config.in` script,
admittedly I don't speak perl. I see a lot of confusing logic
operations, guessing a domain appears to be the primary operation. And
the literal realm addition seem to be held behind a cascade of
confusing-to-me subroutines, and I'm not really sure how to approach
debugging this script. As an uniformed observer trying to use the
software I suggest considering an explicit "add the thing" debconf key
boolean key, and an explciit "dont guess" boolean key so we can deploy
realm membership automatically
# For example, I feel were missing something like this:
krb5-configkrb5-config/add_realm boolean true
krb5-configkrb5-config/attempt_guess boolean false
Although this is still a confusing interface to me as now there are
multiple "please add the thing" keys that must be true for the thing
to be added, there should be one and only one obvious way to get your
realm added to the config with native machinery; I dont know, is there
a good way to respect the `krb5-config/add_servers` key? Maybe an
"attempt_guess boolean false" would be enough?
I'm really not sure how to proceed. Is this a bug that can get fixed
or do I need to develop a workaround and not use the Debian packaging
tooling that I'm so fond of.
Thank you for all your great work <3
