Samba and krb5.conf

Fri Apr 17 15:02:47 MDT 2015

On Fri, Apr 17, 2015 at 1:09 PM, Kenny Dinh <kdinh at peaxy.net> wrote:
> Greeting,
>
> We are using Samba 4.1.13 on CentOS and was having issue authenticating
> user that was created in a subdomain.
>
> We found out that another application had updated the /etc/krb5.conf to
> match its need, and Samba was not happy about it.  When we deleted the
> /etc/krb5.conf, Samba was able to authenticate user from a subdomain
> (smbclient //localhost/share -U<subdomain>\\<user>%<password>)
>
> Note that SAMBA4_USES_HEIMDAL was not defined.
> This is my smb.conf
>
> # net conf list
> [global]
> idmap config *:backend = tdb
> idmap config *:range = 1000000-100000000
> idmap config *:script = /usr/mydir/bin/idmap
> workgroup = REPUBLIC
> realm = REPUBLIC.WINDC
> security = ads
> netbios name = testbox1
> log level = 10
>
> [blah]
> path = /
> comment = sdakjhkjh
> guest ok = no
> read only = no
> browseable = yes
>
> I noticed that the code path went
> through create_local_private_krb5_conf_for_domain() function and created
> its own krb5.conf.  Toward the end of the function, the code also set the
> KRB5_CONFIG environment variable to "
> /var/lib/samba/smb_krb5/krb5.conf.REPUBLIC"
>
> Here's a snippet of the log:
> /var/log/samba/log.smbd:[2015/04/17 10:19:25.083196,  5, pid=9003,
> effective(0, 0), real(0, 0)]
> ../source3/libads/kerberos.c:925(create_local_private_krb5_conf_for_domain)
> /var/log/samba/log.smbd:  create_local_private_krb5_conf_for_domain: wrote
> file /var/lib/samba/smb_krb5/krb5.conf.REPUBLIC with realm REPUBLIC.WINDC
> KDC list = kdc = 10.0.3.1
>
> I searched through samba code for krb5.conf and found that
> "krb5_config_file" in source4\heimdal\lib\krb5\constants.c seems to be the
> only place that make use of krb5.conf files location.  Also the function
> where "krb5_config_file" is used in krb5_init_context() defined in
> source4\heimdal\lib\krb5\context.c.  However, it seems that the code was
> never executed.  I place additional DEBUG message in that code path but
> none appear.
>
> This is the variable I was referring to.
> KRB5_LIB_VARIABLE const char *krb5_config_file =
>
> It seems Samba expects the default location for krb5.conf to be located at
> /etc/krb5.conf.  However, I couldn't find the location in the code where
> Samba is looking for /etc/krb5.conf.  Another thing that confuses me is why
> does Samba look into /etc/krb5.conf when it was already creating its own
> krb5.conf file.
>
> My goal is to prevent Samba from looking at /etc/krb5.conf to avoid
> conflicts between Samba and any other applications that would modify
> /etc/krb5.conf.
>
> Could someone point me to the code to do that?

It's likely the kerberos libraries that are looking in that file.
Samba really works best if you tell it to use DNS to look up services
and realms, so an empty krb5.conf file works.

However, if you need a krb5.conf for another application, is it
possible to run that application in a jail or container?

Alternatively, you might have to make the kerberos libraries linked to
Samba use a different location or not use krb5.conf.

-- 
Regards,
Richard Sharpe
(何以解憂？唯有杜康。--曹操)