Krb5 servers writing to old rotated log files

2011-05-17 Thread Jaap Winius
Hi folks,

On all of the Debian squeeze servers with Kerberos (v1.8.3) that I  
manage, I've noticed that the Kerberos daemons start out writing to  
their designated log files, e.g. kdc.log, but once those log files are  
rotated they ignore the new empty ones and instead prefer to write  
only to the first rotated files, e.g. kdc.log.1. This is the case for  
both the krb5kdc and kadmin daemons.

If I restart the Kerberos daemons manually, they start writing to the  
correct log files. But, the next day, after the log files have been  
rotated, the new ones are empty and the daemons are still writing to  
the day-old ones.

Has anyone else seen this behavior before?

This is how my /etc/krb5.conf files are configured for logging:

[logging]
 kdc = FILE:/var/log/krb5/kdc.log
 admin_server = FILE:/var/log/krb5/kadmin.log
 default = FILE:/var/log/krb5/klib.log

I use this /etc/logrotate.d/krb5 file for rotating those log files:

/var/log/krb5/kadmin.log /var/log/krb5/kdc.log /var/log/krb5/klib.log {
 daily
 missingok
 rotate 7
 compress
 delaycompress
 notifempty
}

In my case, a consequence of using notifempty is that the Kerberos  
log files are not rotated regularly and grow a bit larger than expected.

Am I missing something, have I made a mistake somewhere, or is this a bug?

Thanks,

Jaap

Kerberos mailing list   Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


Re: Krb5 servers writing to old rotated log files

2011-05-17 Thread Jason L Tibbitts III
>>>>> "JW" == Jaap Winius <jwin...@umrk.nl> writes:

JW> Hi folks, On all of the Debian squeeze servers with Kerberos
JW> (v1.8.3) that I manage, I've noticed that the Kerberos daemons start
JW> out writing to their designated log files, e.g. kdc.log, but once
JW> those log files are rotated they ignore the new empty ones and
JW> instead prefer to write only to the first rotated files,
JW> e.g. kdc.log.1.

Well, I'm sure they just keep logging to the files they have open.  The
fact that you changed the names of those files doesn't have any bearing
on that.

You need to send -HUP to the daemons to get them to close and reopen
their logs.  I would expect most Linux distributions to do this for you;
for example, Fedora has snippets in /etc/logrotate.d:

/var/log/kadmind.log {
    missingok
    notifempty
    monthly
    rotate 12
    postrotate
        /bin/kill -HUP `cat /var/run/kadmind.pid 2>/dev/null` 2> /dev/null || true
    endscript
}

/var/log/krb5kdc.log {
    missingok
    notifempty
    monthly
    rotate 12
    postrotate
        /bin/kill -HUP `cat /var/run/krb5kdc.pid 2>/dev/null` 2> /dev/null || true
    endscript
}

 - J
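
Added example (not part of the original thread, and not code from MIT Kerberos): a small Python model of the behaviour described above. A logger that opens its file once keeps writing to the renamed file after rotation, and only switches to the new file once it receives SIGHUP and reopens the log by name. The ReopeningLog class, the demo() function and the temporary kdc.log path are constructed for illustration.

```python
import os
import signal
import tempfile


class ReopeningLog:
    """Daemon-style logger: opens its file once, reopens only after SIGHUP."""

    def __init__(self, path):
        self.path = path
        self.reopen_requested = False
        self.fh = open(path, "a")

    def on_sighup(self, signum, frame):
        # Keep the handler minimal: only record that a reopen was requested.
        self.reopen_requested = True

    def write(self, line):
        if self.reopen_requested:
            # Drop the old descriptor and open whatever file now has this name.
            self.fh.close()
            self.fh = open(self.path, "a")
            self.reopen_requested = False
        self.fh.write(line + "\n")
        self.fh.flush()


def demo():
    """Return (lines in kdc.log.1, lines in kdc.log) after rotate, write, HUP, write."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "kdc.log")  # constructed stand-in for the real log
        log = ReopeningLog(path)
        previous = signal.signal(signal.SIGHUP, log.on_sighup)
        try:
            log.write("before rotation")
            os.rename(path, path + ".1")         # logrotate renames the open file
            open(path, "a").close()              # and a new empty kdc.log appears
            log.write("after rotation, no HUP")  # descriptor still refers to kdc.log.1
            os.kill(os.getpid(), signal.SIGHUP)  # what the postrotate script sends
            log.write("after HUP")               # reopened by name: the new kdc.log
        finally:
            signal.signal(signal.SIGHUP, previous or signal.SIG_DFL)
            log.fh.close()
        with open(path + ".1") as old, open(path) as new:
            return old.read().splitlines(), new.read().splitlines()


if __name__ == "__main__":
    print(demo())
```

Until the HUP arrives, the new kdc.log stays empty, which is also why notifempty keeps logrotate from rotating it again.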



Re: Krb5 servers writing to old rotated log files

2011-05-17 Thread Jaap Winius
Quoting Jason L Tibbitts III <ti...@math.uh.edu>:

> You need to send -HUP to the daemons to get them to close and reopen
> their logs.

Doh! The fact is, it isn't always necessary to do that (e.g. for Exim)  
and I just happened to use one of those logrotate files as an example  
without checking any others.

Thanks!

Jaap



BUG Report : 'krb5.ini' not found on Windows.

2011-05-17 Thread Onkesh Bansal
Hello,

 

Configuration

Windows 2008 R2 (Service Pack 1) workstation.

 

I am having this problem on my machine and am not able to figure out
what is the root cause.

The scenario seems with Terminal Services installed on the system and
when the authentication has to be done via the LDAP over the local
network.


This BUG has been logged with ORACLE-JAVA at
http://bugs.sun.com/view_bug.do?bug_id=6793475 and they have already
provided with a work around.

My Query is:

1.   What is the reason behind this bug. I need to know the root
cause for this.

2.   What should be my steps (apart from the workaround provided
with the bug resolution) so as to prevent any future re-occurrences?
ie I need a fix.

3.   Can it be related to the version changes of Kerberos or is it
because of Windows 2008?

 

Thanks & Regards,

Onkesh Bansal

Engineer-1 QA,

Quark Media House (P) Ltd.

oban...@quark.com 




Re: BUG Report : 'krb5.ini' not found on Windows.

2011-05-17 Thread Jeffrey Altman
Application specific configuration files do not belong in \WINDOWS.
The correct place for krb5.ini is \ProgramData\Kerberos\krb5.ini which
requires that the environment variable KRB5_CONFIG be set to refer to
that file.

I do not know whether or not Java will pay attention to the environment
variable.

Jeffrey Altman




Re: BUG Report : 'krb5.ini' not found on Windows.

2011-05-17 Thread Douglas E. Engert

On 5/17/2011 5:53 AM, Onkesh Bansal wrote:
> Hello,
>
> Configuration
>
> Windows 2008 R2 (Service Pack 1) workstation.
>
> I am having this problem on my machine and am not able to figure out
> what is the root cause.
>
> The scenario seems with Terminal Services installed on the system and
> when the authentication has to be done via the LDAP over the local
> network.
>
> This BUG has been logged with ORACLE-JAVA at
> http://bugs.sun.com/view_bug.do?bug_id=6793475 and they have already
> provided with a work around.
>
> My Query is:
>
> 1.   What is the reason behind this bug. I need to know the root
> cause for this.

This is not a Kerberos issue, but a Java issue of how Java finds a krb5.conf
or krb5.ini on the running system.
See:
http://download.oracle.com/javase/6/docs/technotes/guides/security/jgss/tutorials/KerberosReq.html

As it says,
If the system property java.security.krb5.conf is set, its value is assumed to
specify the path and file name.
So you can add to the command like -Djava.security.krb5.conf=/path.to/krb5.conf

It says it then looks in <java-home>\lib\security so put it there.

After that it gets a little mushy.


> 2.   What should be my steps (apart from the workaround provided
> with the bug resolution) so as to prevent any future re-occurrences?
> ie I need a fix.

They gave you a fix.


> 3.   Can it be related to the version changes of Kerberos or is it
> because of Windows 2008?

Yes and no. Oracle/Java need to address this issue on every system they run
under, including 2008 with terminal server.

Note: Windows itself does not use a krb5.ini or krb5.conf, so the location
is based on where Oracle/java or some other Kerberos application expect it
to be.







-- 

  Douglas E. Engert  deeng...@anl.gov
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
