[PATCHES] next MIT Kerberos enablement work patchset

Andrew Bartlett abartlet at samba.org
Fri Apr 27 18:29:14 MDT 2012


On Fri, 2012-04-27 at 16:45 -0700, Jeremy Allison wrote:
> On Sat, Apr 28, 2012 at 09:40:41AM +1000, Andrew Bartlett wrote:
> > 
> > I understand you have concerns about 'samba only' smb.conf files.
> > However, it is reasonable that we only use this file if there is
> > krb5.conf in the same directory as the smb.conf?  A client-only
> > configuration would not have this generated by provision.  This is only
> > another file prepended to the list of possible config files, not the
> > replacement.  It has made Samba4 AD configurations generated by
> > provision much more reliable, which is why it was done.
> 
> No, it's a really bad idea long term. There should only be one krb5.conf
> file on the system. I tried to do this in Samba3 as "it seemed to make
> things more reliable for Samba", and it led to rains of fire and brimstone :-),
> and systems getting royally messed up as people added options in one
> place and not the other.

Given that, I would like to skip Simo's patch, and instead work with him
to have a patch that just uses the default krb5.conf (and handles this
correctly for make test et al) for all build configurations.  It will be
important to have some startup assertions or warnings that the key
parameters are correct (such as the default_realm matching the realm in
smb.conf).

I do agree that having a situation where (for example) you can use
smbclient -k yes but not kinit would be unfortunate and a right pain to
debug.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
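
A sketch of the startup check suggested in the message above (default_realm in krb5.conf matching the realm in smb.conf), as an added example that is not code from Samba or from this thread. The function names and sample files are hypothetical, and the parser assumes flat "key = value" lines with no include directives or backslash continuations.

```python
# Added example: compare krb5.conf default_realm with smb.conf realm at startup.
# Assumes flat "key = value" lines; backslash continuations and include
# directives are not handled. All names here are hypothetical.
import re

def section_value(text, section, key):
    """Return the last value set for `key` inside `[section]`, or None."""
    current, value = None, None
    wanted = "".join(key.split()).lower()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).strip().lower()
            continue
        name, sep, val = line.partition("=")
        # smb.conf ignores case and whitespace in parameter names
        if sep and current == section and "".join(name.split()).lower() == wanted:
            value = val.strip()
    return value

def check_realms(krb5_text, smb_text):
    """Return (level, message); level is 'ok', 'warn' or 'error'."""
    krb = section_value(krb5_text, "libdefaults", "default_realm")
    smb = section_value(smb_text, "global", "realm")
    if krb is None or smb is None:
        missing = "krb5.conf default_realm" if krb is None else "smb.conf realm"
        return ("warn", f"{missing} is not set; cannot compare realms")
    if krb == smb:
        return ("ok", f"realm {smb} matches in both files")
    if krb.upper() == smb.upper():
        # Kerberos realm names are case-sensitive, so flag this too
        return ("warn", f"realms differ only in case: {krb!r} vs {smb!r}")
    return ("error", f"default_realm {krb!r} != smb.conf realm {smb!r}")

# Constructed sample files, not taken from a real system
KRB5_SAMPLE = """[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
    }
"""
SMB_SAMPLE = """[global]
    workgroup = EXAMPLE
    Realm = EXAMPLE.COM
"""

if __name__ == "__main__":
    print(check_realms(KRB5_SAMPLE, SMB_SAMPLE))
```

A daemon would log the message at the returned level during startup, so a mismatch shows up before the first failed ticket request rather than during debugging of one.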


