Samba and krb5.conf
kdinh at peaxy.net
Fri Apr 17 15:16:40 MDT 2015
It is possible to run the conflicting application in a container, but I
cannot prevent future applications.
I will look into the alternative method: make the kerberos libraries linked
to Samba use a different location for krb5.conf rather than /etc/krb5.conf.
I have been looking at the wrong place all this time.
Thanks for the pointer!
On Fri, Apr 17, 2015 at 2:02 PM, Richard Sharpe <realrichardsharpe at gmail.com> wrote:
> On Fri, Apr 17, 2015 at 1:09 PM, Kenny Dinh <kdinh at peaxy.net> wrote:
> > Greeting,
> > We are using Samba 4.1.13 on CentOS and were having an issue authenticating
> > a user that was created in a subdomain.
> > We found out that another application had updated /etc/krb5.conf to
> > match its needs, and Samba was not happy about it. When we deleted
> > /etc/krb5.conf, Samba was able to authenticate a user from a subdomain
> > (smbclient //localhost/share -U<subdomain>\\<user>%<password>).
> > Note that SAMBA4_USES_HEIMDAL was not defined.
> > This is my smb.conf
> > # net conf list
> > [global]
> > idmap config *:backend = tdb
> > idmap config *:range = 1000000-100000000
> > idmap config *:script = /usr/mydir/bin/idmap
> > workgroup = REPUBLIC
> > realm = REPUBLIC.WINDC
> > security = ads
> > netbios name = testbox1
> > log level = 10
> > [blah]
> > path = /
> > comment = sdakjhkjh
> > guest ok = no
> > read only = no
> > browseable = yes
> > I noticed that the code path went through the
> > create_local_private_krb5_conf_for_domain() function and created
> > its own krb5.conf. Toward the end of the function, the code also set the
> > KRB5_CONFIG environment variable to
> > "/var/lib/samba/smb_krb5/krb5.conf.REPUBLIC".
> > Here's a snippet of the log:
> > /var/log/samba/log.smbd:[2015/04/17 10:19:25.083196, 5, pid=9003,
> > effective(0, 0), real(0, 0)]
> > /var/log/samba/log.smbd: create_local_private_krb5_conf_for_domain:
> > file /var/lib/samba/smb_krb5/krb5.conf.REPUBLIC with realm REPUBLIC.WINDC
> > KDC list = kdc = 10.0.3.1
> > I searched through the Samba code for krb5.conf and found that
> > "krb5_config_file" in source4\heimdal\lib\krb5\constants.c seems to be the
> > only place that makes use of the krb5.conf file location. The function
> > where "krb5_config_file" is used is krb5_init_context(), defined in
> > source4\heimdal\lib\krb5\context.c. However, it seems that the code was
> > never executed. I placed an additional DEBUG message in that code path but
> > none appeared.
> > This is the variable I was referring to.
> > KRB5_LIB_VARIABLE const char *krb5_config_file =
> > It seems Samba expects the default location for krb5.conf to be
> > /etc/krb5.conf. However, I couldn't find the location in the code where
> > Samba looks for /etc/krb5.conf. Another thing that confuses me is whether
> > Samba looks into /etc/krb5.conf when it is already creating its own
> > krb5.conf file.
> > My goal is to prevent Samba from looking at /etc/krb5.conf to avoid
> > conflicts between Samba and any other applications that would modify
> > /etc/krb5.conf.
> > Could someone point me to the code to do that?
> It's likely the kerberos libraries that are looking in that file.
> Samba really works best if you tell it to use DNS to look up services
> and realms, so an empty krb5.conf file works.
> However, if you need a krb5.conf for another application, is it
> possible to run that application in a jail or container?
> Alternatively, you might have to make the kerberos libraries linked to
> Samba use a different location or not use krb5.conf.
> Richard Sharpe
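The workaround the thread converges on is to hand the Kerberos library linked into Samba a private krb5.conf via the KRB5_CONFIG environment variable, so that whatever another application writes to /etc/krb5.conf no longer matters. The script below is an added example written for this page; it is not code from the thread or from Samba. It assumes the library is MIT krb5, which honours KRB5_CONFIG as a colon-separated list of profile files and falls back to /etc/krb5.conf when the variable is unset. The generated file only mirrors the kind of minimal, DNS-driven configuration Samba writes for a realm (it is not Samba's exact output); the realm name and KDC address are the ones from the log excerpt above, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from Samba).
# Assumption: MIT krb5 semantics for KRB5_CONFIG (colon-separated list of
# profile files; default /etc/krb5.conf when unset).

# write_private_krb5_conf REALM KDC OUTFILE
# Writes a minimal per-realm krb5.conf that lets the library find KDCs via
# DNS SRV records, with one KDC pinned as a fallback. Hypothetical layout,
# modelled on the kind of file Samba generates for a joined domain.
write_private_krb5_conf() {
    realm=$1
    kdc=$2
    out=$3
    cat > "$out" <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    $realm = {
        kdc = $kdc
    }
EOF
    chmod 0644 "$out"
}

# krb5_config_files
# Prints, one per line, the profile files the library would consult given the
# current KRB5_CONFIG, so you can see whether /etc/krb5.conf is still in play.
krb5_config_files() {
    if [ -n "$KRB5_CONFIG" ]; then
        printf '%s\n' "$KRB5_CONFIG" | tr ':' '\n'
    else
        printf '%s\n' /etc/krb5.conf
    fi
}

# run_with_private_krb5_conf CONF COMMAND [ARGS...]
# Runs COMMAND with KRB5_CONFIG pointed at CONF only; the variable is set for
# that process (and its children) without touching the caller's environment.
run_with_private_krb5_conf() {
    conf=$1
    shift
    KRB5_CONFIG=$conf "$@"
}

# Demonstration on a throwaway file, using the realm and KDC from the log
# excerpt above (constructed input, no network access needed).
demo=$(mktemp)
write_private_krb5_conf REPUBLIC.WINDC 10.0.3.1 "$demo"
KRB5_CONFIG=$demo krb5_config_files
run_with_private_krb5_conf "$demo" sh -c 'echo "krb5 profile in child: $KRB5_CONFIG"'
rm -f "$demo"
```

In practice the variable has to reach the long-running daemons rather than an interactive shell: put KRB5_CONFIG in the environment of smbd and winbindd (the init script or unit file that starts them) so every library call they make inherits it, for example `run_with_private_krb5_conf /var/lib/samba/smb_krb5/krb5.conf.REPUBLIC smbclient //localhost/share -U 'REPUBLIC\user' -k` for a one-off check. Two caveats: MIT krb5 ignores KRB5_CONFIG in setuid programs, and the empty-/etc/krb5.conf approach Richard suggests makes the library rely entirely on DNS SRV records (`_kerberos._tcp.REPUBLIC.WINDC`), so confirm those resolve from the Samba host before removing the file.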