storing our machine account name in secrets.tdb

Gerald (Jerry) Carter jerry at samba.org
Tue Mar 13 21:09:47 GMT 2007


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Volker Lendecke wrote:

> Gerald (Jerry) Carter wrote:
>> I'll give you an example of what I mean.  Suppose
>> smbclient tries to connect to a remote CIFS server
>> and gets back a KRB5_ERR_CLOCK_SKEW.  Should it try
>> to sync the system clock somehow?  No.  The operating
> 
> Good example :-)
> 
> Look at libads/kerberos.c:85 :
> 
>   if (time_offset != 0) {
>     krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
>   }
> 
> Why do we do this? This is really a line we have to draw.

I agree.  I think this is a bad hack.  But it is
also transient.

> Either we use the existing services as-is and live with the
> Kerberos bugs/problems or we go and try to find workarounds.
> For example Günther's KDC locator plugin, why is this
> necessary? Why don't we tell people to correctly set up
> their krb5.conf files?

Due to server affinity.  This cannot be hard coded and even
DNS SRV records don't solve it for you.  The locator plugin
allows Samba to communicate with the krb5 libs over a
well-defined interface.   If you can find me a well-defined
and portable interface for setting the system's hostname,
then I'm cool with that.

> Let me spend some days to code this up. Do you want
> to watch me while checking it into 3_0 or do you want
> me to work in a bzr tree and present a big patch?

Your call.  I think that prototyping some code is the
best way forward.  It could be less scary than I think :-)

>> PS: I would be much more agreeable to the idea if we
>> were doing our own distro and could actually control
>> the OS to a degree.
> 
> You're not serious here, are you?

I'm dead serious.  Not that we should be doing a distro.
Only that if I were doing a distro and controlled all
the pieces, I would consider putting in local solutions
like this to integrate Samba better with my environment.
But such changes are mostly not portable and therefore
not appropriate for the upstream tree.

cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFF9xMbIR7qMdg1EfYRAhlrAKCZK5tNl+CifQEjH9xzYhLB0+B7+wCfWDvf
vLUF7sVzJRYfh0HWxYpt2yI=
=u89S
-----END PGP SIGNATURE-----
