Samba and krb5.conf

Fri Apr 17 15:16:40 MDT 2015

Richard,

It is possible to run the conflicting application in a container, but I
cannot prevent future applications.

I will look into the alternative method, make the kerberos libraries linked
to Samba use a different location of krb5.conf rather than /etc/krb5.conf.
I have been looking at the wrong place all this time.

Thanks for the pointer!
~Kenny

On Fri, Apr 17, 2015 at 2:02 PM, Richard Sharpe <realrichardsharpe at gmail.com
> wrote:

> On Fri, Apr 17, 2015 at 1:09 PM, Kenny Dinh <kdinh at peaxy.net> wrote:
> > Greeting,
> >
> > We are using Samba 4.1.13 on CentOS and was having issue authenticating
> > user that was created in a subdomain.
> >
> > We found out that another application had updated the /etc/krb5.conf to
> > match its need, and Samba was not happy about it.  When we deleted the
> > /etc/krb5.conf, Samba was able to authenticate user from a subdomain
> > (smbclient //localhost/share -U<subdomain>\\<user>%<password>)
> >
> > Note that SAMBA4_USES_HEIMDAL was not defined.
> > This is my smb.conf
> >
> > # net conf list
> > [global]
> > idmap config *:backend = tdb
> > idmap config *:range = 1000000-100000000
> > idmap config *:script = /usr/mydir/bin/idmap
> > workgroup = REPUBLIC
> > realm = REPUBLIC.WINDC
> > security = ads
> > netbios name = testbox1
> > log level = 10
> >
> > [blah]
> > path = /
> > comment = sdakjhkjh
> > guest ok = no
> > read only = no
> > browseable = yes
> >
> > I noticed that the code path went
> > through create_local_private_krb5_conf_for_domain() function and created
> > its own krb5.conf.  Toward the end of the function, the code also set the
> > KRB5_CONFIG environment variable to "
> > /var/lib/samba/smb_krb5/krb5.conf.REPUBLIC"
> >
> > Here's a snippet of the log:
> > /var/log/samba/log.smbd:[2015/04/17 10:19:25.083196,  5, pid=9003,
> > effective(0, 0), real(0, 0)]
> >
> ../source3/libads/kerberos.c:925(create_local_private_krb5_conf_for_domain)
> > /var/log/samba/log.smbd:  create_local_private_krb5_conf_for_domain:
> wrote
> > file /var/lib/samba/smb_krb5/krb5.conf.REPUBLIC with realm REPUBLIC.WINDC
> > KDC list = kdc = 10.0.3.1
> >
> > I searched through samba code for krb5.conf and found that
> > "krb5_config_file" in source4\heimdal\lib\krb5\constants.c seems to be
> the
> > only place that make use of krb5.conf files location.  Also the function
> > where "krb5_config_file" is used in krb5_init_context() defined in
> > source4\heimdal\lib\krb5\context.c.  However, it seems that the code was
> > never executed.  I place additional DEBUG message in that code path but
> > none appear.
> >
> > This is the variable I was referring to.
> > KRB5_LIB_VARIABLE const char *krb5_config_file =
> >
> > It seems Samba expects the default location for krb5.conf to be located
> at
> > /etc/krb5.conf.  However, I couldn't find the location in the code where
> > Samba is looking for /etc/krb5.conf.  Another thing that confuses me is
> why
> > does Samba look into /etc/krb5.conf when it was already creating its own
> > krb5.conf file.
> >
> > My goal is to prevent Samba from looking at /etc/krb5.conf to avoid
> > conflicts between Samba and any other applications that would modify
> > /etc/krb5.conf.
> >
> > Could someone point me to the code to do that?
>
> It's likely the kerberos libraries that are looking in that file.
> Samba really works best if you tell it to use DNS to look up services
> and realms, so an empty krb5.conf file works.
>
> However, if you need a krb5.conf for another application, is it
> possible to run that application in a jail or container?
>
> Alternatively, you might have to make the kerberos libraries linked to
> Samba use a different location or not use krb5.conf.
>
> --
> Regards,
> Richard Sharpe
> (何以解憂？唯有杜康。--曹操)
>