Samba and krb5.conf

Richard Sharpe realrichardsharpe at gmail.com
Fri Apr 17 17:20:30 MDT 2015


On Fri, Apr 17, 2015 at 3:16 PM, Kenny Dinh <kdinh at peaxy.net> wrote:
>
>> Set the environment variable KRB5_CONFIG to another file in the samba
>> unit file/startup script ?
>
> I'm not sure I understood this approach.  Could you help elaborate?  Are you
> referring to Samba4/InitScript or the /etc/rc.d/init.d/smb script file?
> My understanding is that smbd is run as a service so all environment
> variables such as KRB5_CONFIG will be discarded.

Since your environment is CentOS 6.x, you probably want to put
something like the following in the Samba start script for CentOS 6.x:

   export KRB5_CONFIG=/path/to/empty/krb5.conf

> On Fri, Apr 17, 2015 at 3:02 PM, Simo <simo at samba.org> wrote:
>>
>> On Fri, 2015-04-17 at 14:16 -0700, Kenny Dinh wrote:
>> > Richard,
>> >
>> > It is possible to run the conflicting application in a container, but I
>> > cannot prevent future applications.
>> >
>> > I will look into the alternative method, making the kerberos libraries
>> > linked to Samba use a different location of krb5.conf rather than
>> > /etc/krb5.conf.
>> > I have been looking at the wrong place all this time.
>> >
>> > Thanks for the pointer!
>> > ~Kenny
>>
>> Set the environment variable KRB5_CONFIG to another file in the samba
>> unit file/startup script ?
>>
>> Simo.
>>
>> > > On Fri, Apr 17, 2015 at 2:02 PM, Richard Sharpe <realrichardsharpe at gmail.com> wrote:
>> >
>> > > On Fri, Apr 17, 2015 at 1:09 PM, Kenny Dinh <kdinh at peaxy.net> wrote:
>> > > > Greetings,
>> > > >
>> > > > We are using Samba 4.1.13 on CentOS and were having an issue
>> > > > authenticating a user that was created in a subdomain.
>> > > >
>> > > > We found out that another application had updated the /etc/krb5.conf
>> > > > to match its needs, and Samba was not happy about it.  When we deleted
>> > > > the /etc/krb5.conf, Samba was able to authenticate a user from a subdomain
>> > > > (smbclient //localhost/share -U<subdomain>\\<user>%<password>)
>> > > >
>> > > > Note that SAMBA4_USES_HEIMDAL was not defined.
>> > > > This is my smb.conf
>> > > >
>> > > > # net conf list
>> > > > [global]
>> > > > idmap config *:backend = tdb
>> > > > idmap config *:range = 1000000-100000000
>> > > > idmap config *:script = /usr/mydir/bin/idmap
>> > > > workgroup = REPUBLIC
>> > > > realm = REPUBLIC.WINDC
>> > > > security = ads
>> > > > netbios name = testbox1
>> > > > log level = 10
>> > > >
>> > > > [blah]
>> > > > path = /
>> > > > comment = sdakjhkjh
>> > > > guest ok = no
>> > > > read only = no
>> > > > browseable = yes
>> > > >
>> > > > I noticed that the code path went through the
>> > > > create_local_private_krb5_conf_for_domain() function and created
>> > > > its own krb5.conf.  Toward the end of the function, the code also
>> > > > set the KRB5_CONFIG environment variable to
>> > > > "/var/lib/samba/smb_krb5/krb5.conf.REPUBLIC"
>> > > >
>> > > > Here's a snippet of the log:
>> > > > /var/log/samba/log.smbd:[2015/04/17 10:19:25.083196,  5, pid=9003, effective(0, 0), real(0, 0)] ../source3/libads/kerberos.c:925(create_local_private_krb5_conf_for_domain)
>> > > > /var/log/samba/log.smbd:  create_local_private_krb5_conf_for_domain: wrote file /var/lib/samba/smb_krb5/krb5.conf.REPUBLIC with realm REPUBLIC.WINDC KDC list = kdc = 10.0.3.1
>> > > >
>> > > > I searched through the samba code for krb5.conf and found that
>> > > > "krb5_config_file" in source4\heimdal\lib\krb5\constants.c seems to
>> > > > be the only place that makes use of the krb5.conf file location.  Also,
>> > > > the function where "krb5_config_file" is used is krb5_init_context(),
>> > > > defined in source4\heimdal\lib\krb5\context.c.  However, it seems that
>> > > > the code was never executed.  I placed additional DEBUG messages in that
>> > > > code path but none appeared.
>> > > >
>> > > > This is the variable I was referring to.
>> > > > KRB5_LIB_VARIABLE const char *krb5_config_file =
>> > > >
>> > > > It seems Samba expects the default location for krb5.conf to be
>> > > > /etc/krb5.conf.  However, I couldn't find the location in the code
>> > > > where Samba is looking for /etc/krb5.conf.  Another thing that confuses
>> > > > me is why Samba looks into /etc/krb5.conf when it is already creating
>> > > > its own krb5.conf file.
>> > > >
>> > > > My goal is to prevent Samba from looking at /etc/krb5.conf to avoid
>> > > > conflicts between Samba and any other applications that would modify
>> > > > /etc/krb5.conf.
>> > > >
>> > > > Could someone point me to the code to do that?
>> > >
>> > > It's likely the kerberos libraries that are looking in that file.
>> > > Samba really works best if you tell it to use DNS to look up services
>> > > and realms, so an empty krb5.conf file works.
>> > >
>> > > However, if you need a krb5.conf for another application, is it
>> > > possible to run that application in a jail or container?
>> > >
>> > > Alternatively, you might have to make the kerberos libraries linked to
>> > > Samba use a different location or not use krb5.conf.
>> > >
>> > > --
>> > > Regards,
>> > > Richard Sharpe
>> > > (何以解憂?唯有杜康。--曹操)
>> > >
>>
>>
>> --
>> Simo Sorce
>>
>



-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
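Two checks that follow from the advice in this thread, written here as an added example (not code from the thread or from Samba): parse a krb5.conf the way the library reads it, to see whether Samba's realm would get its KDCs from hard-coded entries, from DNS SRV records, or from nowhere, and read KRB5_CONFIG out of /proc/<pid>/environ to confirm that the export in the start script actually reached smbd. The realm REPUBLIC.WINDC, the KDC 10.0.3.1 and the krb5.conf.REPUBLIC path are from the posted log; OTHER_APP_CONF is a constructed stand-in for what another application might write to /etc/krb5.conf.

```python
"""Which KDC source does a krb5.conf give Samba's realm, and did the KRB5_CONFIG
export in the start script reach the running smbd?  Added example, not Samba code;
REPUBLIC.WINDC / 10.0.3.1 are from the posted log, OTHER_APP_CONF is constructed."""
import re

def parse_krb5_conf(text):
    """krb5.conf -> {section: {key: [values]}}; 'NAME = { ... }' blocks (realm
    entries) become nested dicts, scalar values are always kept as lists."""
    conf, stack = {}, [{}]  # stack[0] swallows keys that precede any [section]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if not line:
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
        elif line == "}":
            stack.pop()
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(value)
    return conf

def kdc_source(conf, realm):
    """('static', kdcs) if [realms] hard-codes KDCs for realm; ('dns', []) if SRV
    lookup applies (libkrb5 default, hence an empty file works); else ('none', [])."""
    entry = conf.get("realms", {}).get(realm, {})
    kdcs = entry.get("kdc", []) if isinstance(entry, dict) else []
    if kdcs:
        return "static", kdcs
    dns = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0].lower()
    return ("dns", []) if dns in ("true", "yes", "1") else ("none", [])

def krb5_config_from_environ(environ_bytes):
    """KRB5_CONFIG from the NUL-separated contents of /proc/<pid>/environ, or
    None if the start script's export never reached the daemon."""
    env = dict(e.split(b"=", 1) for e in environ_bytes.split(b"\0") if b"=" in e)
    value = env.get(b"KRB5_CONFIG")
    return value.decode() if value is not None else None

# Constructed: what another application might leave behind in /etc/krb5.conf
OTHER_APP_CONF = """[libdefaults]
dns_lookup_kdc = false
[realms]
OTHERAPP.EXAMPLE = {
  kdc = kdc.otherapp.example
}"""
```

Feed krb5_config_from_environ the bytes of /proc/<smbd pid>/environ (readable as root); a None result means the variable was dropped before the daemon started, which is the service-environment concern raised above.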

