Samba and krb5.conf

Kenny Dinh kdinh at peaxy.net
Fri Apr 17 14:09:32 MDT 2015


Greetings,

We are using Samba 4.1.13 on CentOS and were having issues authenticating
a user that was created in a subdomain.

We found out that another application had updated the /etc/krb5.conf to
match its needs, and Samba was not happy about it.  When we deleted the
/etc/krb5.conf, Samba was able to authenticate a user from a subdomain
(smbclient //localhost/share -U<subdomain>\\<user>%<password>)

Note that SAMBA4_USES_HEIMDAL was not defined.
This is my smb.conf

# net conf list
[global]
idmap config *:backend = tdb
idmap config *:range = 1000000-100000000
idmap config *:script = /usr/mydir/bin/idmap
workgroup = REPUBLIC
realm = REPUBLIC.WINDC
security = ads
netbios name = testbox1
log level = 10

[blah]
path = /
comment = sdakjhkjh
guest ok = no
read only = no
browseable = yes

I noticed that the code path went
through create_local_private_krb5_conf_for_domain() function and created
its own krb5.conf.  Toward the end of the function, the code also set the
KRB5_CONFIG environment variable to
"/var/lib/samba/smb_krb5/krb5.conf.REPUBLIC"

Here's a snippet of the log:
/var/log/samba/log.smbd:[2015/04/17 10:19:25.083196,  5, pid=9003,
effective(0, 0), real(0, 0)]
../source3/libads/kerberos.c:925(create_local_private_krb5_conf_for_domain)
/var/log/samba/log.smbd:  create_local_private_krb5_conf_for_domain: wrote
file /var/lib/samba/smb_krb5/krb5.conf.REPUBLIC with realm REPUBLIC.WINDC
KDC list = kdc = 10.0.3.1

I searched through the Samba code for krb5.conf and found that
"krb5_config_file" in source4\heimdal\lib\krb5\constants.c seems to be the
only place that makes use of the krb5.conf file's location.  Also, the
function where "krb5_config_file" is used is krb5_init_context(), defined in
source4\heimdal\lib\krb5\context.c.  However, it seems that the code was
never executed.  I placed additional DEBUG messages in that code path but
none appeared.

This is the variable I was referring to.
KRB5_LIB_VARIABLE const char *krb5_config_file =

It seems Samba expects the default location for krb5.conf to be located at
/etc/krb5.conf.  However, I couldn't find the location in the code where
Samba is looking for /etc/krb5.conf.  Another thing that confuses me is why
Samba looks into /etc/krb5.conf when it was already creating its own
krb5.conf file.

My goal is to prevent Samba from looking at /etc/krb5.conf to avoid
conflicts between Samba and any other applications that would modify
/etc/krb5.conf.

Could someone point me to the code to do that?

Thank you!
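
An added example (not part of the original post, and not Samba code): a small Python parser for level-5 log.smbd output like the excerpt above. It extracts each private krb5.conf that create_local_private_krb5_conf_for_domain() reports writing and compares it with the [global] settings. The function names, and the check that the file suffix equals the workgroup, are assumptions based only on the values shown in this post.

```python
import re

# Constructed sample: log excerpt and [global] values as quoted in the post (mail-wrapped, grep-prefixed).
SAMPLE_LOG = """\
/var/log/samba/log.smbd:[2015/04/17 10:19:25.083196,  5, pid=9003,
effective(0, 0), real(0, 0)]
../source3/libads/kerberos.c:925(create_local_private_krb5_conf_for_domain)
/var/log/samba/log.smbd:  create_local_private_krb5_conf_for_domain: wrote
file /var/lib/samba/smb_krb5/krb5.conf.REPUBLIC with realm REPUBLIC.WINDC
KDC list = kdc = 10.0.3.1
"""
SAMPLE_CONF = "[global]\nworkgroup = REPUBLIC\nrealm = REPUBLIC.WINDC\n"

HEADER = re.compile(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+, pid=(\d+)")
WROTE = re.compile(r"wrote file (\S+) with realm (\S+) KDC list =((?: kdc = \S+)+)")

def parse_global(conf_text):
    """Return the [global] key/value pairs from `net conf list` style output."""
    section, settings = None, {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings

def private_krb5_events(log_text):
    """Yield one dict per 'wrote file' message, tolerating wrapped lines."""
    flat = " ".join(log_text.split())  # undo line wrapping and indentation
    for m in WROTE.finditer(flat):
        headers = list(HEADER.finditer(flat, 0, m.start()))  # nearest header before the message
        when, pid = headers[-1].groups() if headers else (None, None)
        yield {"time": when, "pid": pid, "path": m.group(1), "realm": m.group(2),
               "kdcs": re.findall(r"kdc = (\S+)", m.group(3))}

def mismatches(event, settings):
    """Compare a logged private krb5.conf with the smb.conf realm and workgroup."""
    problems = []
    if event["realm"].upper() != settings.get("realm", "").upper():
        problems.append("realm differs from smb.conf")
    if not event["path"].endswith("krb5.conf." + settings.get("workgroup", "")):
        problems.append("file suffix differs from workgroup")  # assumption, see lead-in
    return problems

if __name__ == "__main__":
    conf = parse_global(SAMPLE_CONF)
    for ev in private_krb5_events(SAMPLE_LOG):
        print(ev, mismatches(ev, conf) or "consistent with smb.conf")
```
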

