[SCM] SAMBA-CTDB repository - branch v3-2-ctdb updated - 3.2.11-ctdb-63-2-gbd991fc

Michael Adam obnox at samba.org
Wed Aug 26 08:33:11 MDT 2009


The branch, v3-2-ctdb has been updated
       via  bd991fc0f7eb98cc9ba8fcea34b46aecf1de6019 (commit)
      from  1d87081ae30d4b38b6459e95e206fc9d2fb9498f (commit)

http://gitweb.samba.org/?p=obnox/samba-ctdb.git;a=shortlog;h=v3-2-ctdb


- Log -----------------------------------------------------------------
commit bd991fc0f7eb98cc9ba8fcea34b46aecf1de6019
Author: Volker Lendecke <vl at samba.org>
Date:   Wed Aug 26 14:56:41 2009 +0200

    Add a parameter to disable the automatic creation of krb5.conf files
    
    This is necessary because MIT 1.5 can't deal with certain types (Tree Root) of
    transitive AD trusts. The workaround is to add a [capaths] directive to
    /etc/krb5.conf, which we don't automatically put into the krb5.conf winbind
    creates.
    
    The alternative would have been something like a "krb5 conf include", but I
    think if someone has to mess with /etc/krb5.conf at this level, it should be
    easy to add the site-local KDCs as well.
    
    Next alternative is to correctly figure out the [capaths] parameter for all
    trusted domains, but for that I don't have the time right now. Sorry :-)

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/smbdotconf/winbind/createkrb5conf.xml |   24 ++++++++++++++++++++++++
 source/libads/kerberos.c                       |    7 ++++++-
 source/param/loadparm.c                        |   12 ++++++++++++
 3 files changed, 42 insertions(+), 1 deletions(-)
 create mode 100644 docs-xml/smbdotconf/winbind/createkrb5conf.xml


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/winbind/createkrb5conf.xml b/docs-xml/smbdotconf/winbind/createkrb5conf.xml
new file mode 100644
index 0000000..3881824
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/createkrb5conf.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="create krb5 conf"
+	context="G"
+	type="string"
+		 advanced="1" developer="0"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+	<para>
+	Setting this paramter to <value type="example">no</value> prevents
+	winbind from creating custom krb5.conf files. Winbind normally does
+	this because the krb5 libraries are not AD-site-aware and thus would
+	pick any domain controller out of potentially very many. Winbind
+	is site-aware and makes the krb5 libraries use a local DC by
+	creating its own krb5.conf files.
+	</para>
+	<para>
+	Preventing winbind from doing this might become necessary if you
+	have to add special options into your system-krb5.conf that winbind
+	does not see.
+	</para>
+
+</description>
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/source/libads/kerberos.c b/source/libads/kerberos.c
index dd89d7c..8b974bc 100644
--- a/source/libads/kerberos.c
+++ b/source/libads/kerberos.c
@@ -839,7 +839,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
 						const char *sitename,
 						struct sockaddr_storage *pss)
 {
-	char *dname = talloc_asprintf(NULL, "%s/smb_krb5", lp_lockdir());
+	char *dname;
 	char *tmpname = NULL;
 	char *fname = NULL;
 	char *file_contents = NULL;
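Review bot: `char *dname;` is now the only pointer local in this declaration block left without an initializer, while `tmpname`, `fname` and `file_contents` all start as NULL. Writing `char *dname = NULL;` keeps the block consistent and means a cleanup path that frees `dname` stays safe if code is ever added between the declaration and the later `talloc_asprintf()` assignment. The function body continues outside this hunk, so the existing cleanup code is not visible here.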
@@ -849,6 +849,11 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
 	int fd;
 	char *realm_upper = NULL;
 
+	if (!lp_create_krb5_conf()) {
+		return False;
+	}
+
+	dname = talloc_asprintf(NULL, "%s/smb_krb5", lp_lockdir());
 	if (!dname) {
 		return False;
 	}
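Review bot: The new early return `if (!lp_create_krb5_conf()) { return False; }` reports the same value the function uses for the allocation failure just below it, so a caller cannot distinguish "disabled by configuration" from "could not create the file". With the parameter set to no, the Kerberos libraries fall back to the system krb5.conf and KDC selection is no longer site-aware, so that state should be visible in the logs, for example `DEBUG(5, ("create krb5 conf = no, not writing a private krb5.conf\n"));` before the return. The hunk also does not show whether a private file written by an earlier run, or a KRB5_CONFIG setting that points at it, is left in place once the option is switched off. That should be confirmed against the rest of the function and its callers, which lie outside the hunk.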
diff --git a/source/param/loadparm.c b/source/param/loadparm.c
index d711489..441fc62 100644
--- a/source/param/loadparm.c
+++ b/source/param/loadparm.c
@@ -195,6 +195,7 @@ struct global {
 	bool bWinbindOfflineLogon;
 	bool bWinbindNormalizeNames;
 	bool bWinbindRpcOnly;
+	bool bCreateKrb5Conf;
 	char *szIdmapBackend;
 	char *szIdmapAllocBackend;
 	char *szAddShareCommand;
@@ -4445,6 +4446,15 @@ static struct parm_struct parm_table[] = {
 		.enum_list	= NULL,
 		.flags		= FLAG_ADVANCED,
 	},
+	{
+		.label		= "create krb5 conf",
+		.type		= P_BOOL,
+		.p_class	= P_GLOBAL,
+		.ptr		= &Globals.bCreateKrb5Conf,
+		.special	= NULL,
+		.enum_list	= NULL,
+		.flags		= FLAG_ADVANCED,
+	},
 
 	{NULL,  P_BOOL,  P_NONE,  NULL,  NULL,  NULL,  0}
 };
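Review bot: The table entry registers `create krb5 conf` as `P_BOOL`, but the new docs-xml/smbdotconf/winbind/createkrb5conf.xml added in this same commit declares `type="string"`. The documentation should declare `type="boolean"` so the generated manual and the parser agree on which values are accepted. The same description also misspells "parameter" as "paramter".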
@@ -4740,6 +4750,7 @@ static void init_globals(bool first_time_only)
 #endif
 	Globals.bUnixExtensions = True;
 	Globals.bResetOnZeroVC = False;
+	Globals.bCreateKrb5Conf = true;
 
 	/* hostname lookups can be very expensive and are broken on
 	   a large number of sites (tridge) */
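Review bot: `Globals.bCreateKrb5Conf = true;` uses lowercase `true`, while the neighbouring assignments in init_globals and the new `return False;` in kerberos.c use Samba's `True`/`False` spelling. `Globals.bCreateKrb5Conf = True;` would match the surrounding code. A short comment such as `/* default on: winbind writes a site-aware private krb5.conf */` would also record why the default is enabled. init_globals starts and ends outside this hunk.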
@@ -5061,6 +5072,7 @@ FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
 FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
 FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames)
 FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly)
+FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf)
 
 FN_GLOBAL_CONST_STRING(lp_idmap_backend, &Globals.szIdmapBackend)
 FN_GLOBAL_STRING(lp_idmap_alloc_backend, &Globals.szIdmapAllocBackend)


-- 
SAMBA-CTDB repository

