How to configure advanced kadmind logging in Solaris

After some experimenting and looking at source I've determined that the kadmind does have support for rotating its own log that is separate from the krb5kdc log (by default the kadmind logs to the log used by krb5kdc). To configure this, edit /etc/krb5/krb5.conf and add:
                                                                                                   
        admin_server = FILE:/var/krb5/kadmin.log                                                                        
        admin_server_rotate = {                                                                                         
                period = 1d                                                                                             
                versions = 10                                                                                           
        }                                                                                                               
in the [logging] section. Unfortunately, this is not documented properly in the krb5.conf man page but it basically works the same as the kdc_rotate parameter which is documented in man krb5.conf.
Note, to configure both the kdc and kadmind logging behavior to log to separate files, use something like:
                                                                                    
[logging]                                                                                                               
# commenting out default so kadmind will log to a separate file                                                         
#        default = FILE:/var/krb5/kdc.log                                                                               
        kdc = FILE:/var/krb5/kdc.log                                                                                    
        kdc_rotate = {                                                                                                  
                                                                                                                        
# How often to rotate kdc.log. Logs will get rotated no more                                                            
# often than the period, and less often if the KDC is not used                                                          
# frequently.                                                                                                           
                                                                                                                        
                period = 1d                                                                                             
                                                                                                                        
# how many versions of kdc.log to keep around (kdc.log.0, kdc.log.1, ...)                                               
                                                                                                                        
                versions = 10                                                                                           
        }                                                                                                               
                                                                                                                        
# controls kadmind logging                                                                                              
        admin_server = FILE:/var/krb5/kadmin.log                                                                        
        admin_server_rotate = {                                                                                         
                period = 1d                                                                                             
                versions = 10                                                                                           
        }                                                                                                               
This is the supported way to rotate the krb5kdc and kadmind logs. Also note that the kdc.conf man page is in error regarding the logging section. Use krb5.conf to control KDC logging instead.
Comments:

Post a Comment:
Comments are closed for this entry.
About

user12615206

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today