[PATCHES] next MIT Kerberos enablement work patchset

simo idra at samba.org
Sat Apr 28 06:58:50 MDT 2012

On Sat, 2012-04-28 at 10:29 +1000, Andrew Bartlett wrote: 
> On Fri, 2012-04-27 at 16:45 -0700, Jeremy Allison wrote:
> > On Sat, Apr 28, 2012 at 09:40:41AM +1000, Andrew Bartlett wrote:
> > > 
> > > I understand you have concerns about 'samba only' smb.conf files.
> > > However, it is reasonable that we only use this file if there is
> > > krb5.conf in the same directory as the smb.conf?  A client-only
> > > configuration would not have this generated by provision.  This is only
> > > another file prepended to the list of possible config files, not the
> > > replacement.  It has made Samba4 AD configurations generated by
> > > provision much more reliable, which is why it was done.
> > 
> > No, it's a really bad idea long term. There should only be one krb5.conf
> > file on the system. I tried to do this in Samba3 as "it seemed to make
> > things more reliable for Samba", and it led to rains of fire and brimstone :-),
> > and systems getting royally messed up as people added options in one
> > place and not the other.
> Given that, I would like to skip Simo's patch, and instead work with him
> to have a patch that just uses the default krb5.conf (and handles this
> correctly for make test et al) for all build configurations.  It will be
> important to have some startup assertions or warnings that the key
> parameters are correct (such as the default_realm matching the realm in
> smb.conf).
> I do agree, that having a situation where (for example) you can use
> smbclient -k yes but not kinit would be unfortunate and a right pain to
> debug. 

We can work on properly solving the problem later.
At the moment the kerberos work is concentrated on consolidating the
stuff used in order to make dependencies saner and on the client side
that never runs provision. Once we get to start dealing with the server
side I will be able to spend time in that direction.
If you want to start something on top of this patch (which is needed to
compile as you use Heimdal specific functions) I will give my feedback.
But at the moment I need to push this one in as is and defer additional
work to later. It's not like this part can be forgotten; as I pointed
out earlier, there are all these ifdef guards that remind you work
needs to be done.


Simo Sorce
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
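
The startup check suggested in the quoted message above (default_realm matching the realm in smb.conf), sketched as an added example; it is not code from this thread or from Samba. The function names and sample files are constructed, and it assumes the smb.conf realm is upper-cased before it is compared with the case-sensitive Kerberos default_realm.

```python
import re

def read_values(text, section, key):
    """Return every value assigned to `key` inside `[section]`, in file order."""
    current, values = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip().lower()
        elif current == section and "=" in line:
            name, value = line.split("=", 1)
            if name.strip().lower() == key:
                values.append(value.strip())
    return values

def check_realms(smb_conf, krb5_conf):
    """Return a list of warnings; an empty list means the two files agree."""
    warnings = []
    smb = read_values(smb_conf, "global", "realm")
    krb = read_values(krb5_conf, "libdefaults", "default_realm")
    for label, found in (("smb.conf realm", smb), ("krb5.conf default_realm", krb)):
        if not found:
            warnings.append(f"{label} is not set")
        elif len(set(found)) > 1:
            warnings.append(f"{label} is set more than once: {found}")
    # Assumption: smb.conf realm is upper-cased; default_realm is compared as written
    if smb and krb and smb[-1].upper() != krb[-1]:
        warnings.append(f"realm mismatch: smb.conf={smb[-1]!r} krb5.conf={krb[-1]!r}")
    return warnings

# Constructed sample files (not taken from any real system)
SMB_CONF = """[global]
    realm = samdom.example.com
"""
KRB5_OK = """[libdefaults]
    default_realm = SAMDOM.EXAMPLE.COM
[realms]
    SAMDOM.EXAMPLE.COM = {
        kdc = dc1.samdom.example.com
    }
"""
KRB5_STALE = KRB5_OK.replace("default_realm = SAMDOM", "default_realm = OLD")

if __name__ == "__main__":
    print(check_realms(SMB_CONF, KRB5_OK), check_realms(SMB_CONF, KRB5_STALE))
```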
