kadmin.local: unable to get default realm #1562

Open
jwadodson opened this issue Oct 16, 2024 · 4 comments

@jwadodson

Describe the bug
On Fedora 40 the new (312) version of lynis outputs the message,

    kadmin.local: unable to get default realm

This occurs during the Kerberos section but is not affected by "2>&1" redirection,
so goes to the "terminal" or preceding/calling process output (e.g. in my case cron).
I assume it's coming directly from the kadmin.local binary so there probably needs
to be a test of krb config before this is called & not called at all under conditions
where krb is not used.
However I'm sure there could be circumstances where a bad actor might hide a krb
config & potentially use it for secure channels/auth.

Version

  • Distribution Fedora 40 (fc40)
  • Lynis version 3.1.2-1.fc40

Expected behavior
The (error?) message should be appropriately directed, & able to be redirected, when
kadmin.local is being called from within lynis.

In my case where there is no krb config it should probably not occur.
i.e. an attempt to get the "default realm" will fail & so probably should not even be
attempted.

Output
kadmin.local: unable to get default realm

Additional context
Followed the 312 version install on FC40 after the "grep usage" messages were fixed.

pyllyukko added a commit to pyllyukko/lynis that referenced this issue Dec 18, 2024
kadmin.local binary might exist, even though Kerberos is not configured
and /etc/krb5.conf does not exist.
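
A guard of the kind the report asks for and the commit message above describes: confirm a default realm is actually configured before invoking kadmin.local, and capture the child's output at the call site. This is an added example, not Lynis code or the referenced commit; the function names, the `KRB_LOG` variable and the sample config are assumptions, and `include`/`includedir` directives are not followed.

```shell
#!/bin/sh
# Added example, not Lynis code. Function names and KRB_LOG are hypothetical.

# Succeeds only if the config file is readable and sets an uncommented
# default_realm inside [libdefaults]. $1 defaults to /etc/krb5.conf.
# Limitation: include/includedir directives are not followed.
krb5_has_default_realm() {
    _conf="${1:-/etc/krb5.conf}"
    [ -r "$_conf" ] || return 1
    awk '
        /^[ \t]*[#;]/ { next }                                   # comment line
        /^[ \t]*\[/   { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_lib && /^[ \t]*default_realm[ \t]*=[ \t]*[^ \t]/ { found = 1 }
        END { exit !found }
    ' "$_conf"
}

# Usage: run_if_krb5_configured <config> <command> [args...]
# Returns 2 without running the command when no default realm is configured.
# Otherwise runs it with stdout and stderr both sent to $KRB_LOG
# (default /dev/null), so nothing leaks to the caller's terminal or to cron.
run_if_krb5_configured() {
    _c="$1"; shift
    krb5_has_default_realm "$_c" || return 2
    "$@" >>"${KRB_LOG:-/dev/null}" 2>&1
}

# Constructed sample: the file exists, but default_realm is commented out,
# so kadmin.local is never executed here.
sample=$(mktemp)
printf '[libdefaults]\n#   default_realm = EXAMPLE.COM\n' >"$sample"
run_if_krb5_configured "$sample" kadmin.local -q list_principals \
    || echo "skipped or failed: status $?"
rm -f "$sample"
```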
@pyllyukko
Contributor

Try #1562. Apparently it prints the line only once?

@jwadodson
Author

Try #1562? I'm not sure what you mean by that?
(Isn't this #1562?)
Obviously we are waiting for a new version to make it into FC41 now.
Which is a matter of packaging it seems.

@jwadodson
Author

See https://bugzilla.redhat.com/show_bug.cgi?id=2332730
for the packaging request.

@pyllyukko
Contributor

> Try #1562? I'm not sure what you mean by that?
> (Isn't this #1562?)
> Obviously we are waiting for a new version to make it into FC41 now.
> Which is a matter of packaging it seems.

Oops. I meant #1589.
