Samba and krb5.conf
Kenny Dinh
kdinh at peaxy.net
Fri Apr 17 19:33:14 MDT 2015
I will keep that in mind.
Thanks again for the tip, Richard.
On Fri, Apr 17, 2015 at 6:20 PM, Richard Sharpe <realrichardsharpe at gmail.com> wrote:
> On Fri, Apr 17, 2015 at 5:48 PM, Kenny Dinh <kdinh at peaxy.net> wrote:
> > I added
> >
> > export KRB5_CONFIG=/home/krb5.conf
> > echo "KRB5_CONFIG is $KRB5_CONFIG"
> >
> > into /etc/init.d/smb, /etc/init.d/winbind as well as /etc/init.d/ctdb. That
> > fixed my issue.
> >
> > It took me some time to verify that because I forgot to add the EV
> > KRB5_CONFIG to the winbind start script, and also forgot to change
> > permissions on the /home/krb5.conf file, the first few times.
>
> OK, that is good. Remember that if you start smbd and winbindd
> manually, this will not be done, so you might want that env variable
> defined in root's bashrc or something, or you might want to create a
> script for restarting samba.
>
> > Thank you, Richard, and Simo.
> > Your help was much appreciated.
> > ~Kenny
> >
> >
> >
> > On Fri, Apr 17, 2015 at 4:20 PM, Richard Sharpe <realrichardsharpe at gmail.com> wrote:
> >>
> >> On Fri, Apr 17, 2015 at 3:16 PM, Kenny Dinh <kdinh at peaxy.net> wrote:
> >> >
> >> >> Set the environment variable KRB5_CONFIG to another file in the samba
> >> >> unit file/startup script ?
> >> >
> >> > I'm not sure I understood this approach. Could you help elaborate? Are
> >> > you referring to Samba4/InitScript or the /etc/rc.d/init.d/smb script
> >> > file? My understanding is that smbd is run as a service so all environment
> >> > variables such as KRB5_CONFIG will be discarded.
> >>
> >> Since your environment is CentOS 6.x, you probably want to put
> >> something like the following in the Samba start script for CentOS 6.x:
> >>
> >> export KRB5_CONFIG=/path/to/empty/krb5.conf
> >>
> >> > On Fri, Apr 17, 2015 at 3:02 PM, Simo <simo at samba.org> wrote:
> >> >>
> >> >> On Fri, 2015-04-17 at 14:16 -0700, Kenny Dinh wrote:
> >> >> > Richard,
> >> >> >
> >> >> > It is possible to run the conflicting application in a container, but
> >> >> > I cannot prevent future applications.
> >> >> >
> >> >> > I will look into the alternative method, making the kerberos libraries
> >> >> > linked to Samba use a different location for krb5.conf rather than
> >> >> > /etc/krb5.conf.
> >> >> > I have been looking in the wrong place all this time.
> >> >> >
> >> >> > Thanks for the pointer!
> >> >> > ~Kenny
> >> >>
> >> >> Set the environment variable KRB5_CONFIG to another file in the samba
> >> >> unit file/startup script ?
> >> >>
> >> >> Simo.
> >> >>
> >> >> > On Fri, Apr 17, 2015 at 2:02 PM, Richard Sharpe <realrichardsharpe at gmail.com> wrote:
> >> >> >
> >> >> > > On Fri, Apr 17, 2015 at 1:09 PM, Kenny Dinh <kdinh at peaxy.net> wrote:
> >> >> > > > Greetings,
> >> >> > > >
> >> >> > > > We are using Samba 4.1.13 on CentOS and were having an issue
> >> >> > > > authenticating a user that was created in a subdomain.
> >> >> > > >
> >> >> > > > We found out that another application had updated /etc/krb5.conf
> >> >> > > > to match its needs, and Samba was not happy about it. When we
> >> >> > > > deleted /etc/krb5.conf, Samba was able to authenticate a user from
> >> >> > > > a subdomain
> >> >> > > > (smbclient //localhost/share -U<subdomain>\\<user>%<password>)
> >> >> > > >
> >> >> > > > Note that SAMBA4_USES_HEIMDAL was not defined.
> >> >> > > > This is my smb.conf:
> >> >> > > >
> >> >> > > > # net conf list
> >> >> > > > [global]
> >> >> > > > idmap config *:backend = tdb
> >> >> > > > idmap config *:range = 1000000-100000000
> >> >> > > > idmap config *:script = /usr/mydir/bin/idmap
> >> >> > > > workgroup = REPUBLIC
> >> >> > > > realm = REPUBLIC.WINDC
> >> >> > > > security = ads
> >> >> > > > netbios name = testbox1
> >> >> > > > log level = 10
> >> >> > > >
> >> >> > > > [blah]
> >> >> > > > path = /
> >> >> > > > comment = sdakjhkjh
> >> >> > > > guest ok = no
> >> >> > > > read only = no
> >> >> > > > browseable = yes
> >> >> > > >
> >> >> > > > I noticed that the code path went through the
> >> >> > > > create_local_private_krb5_conf_for_domain() function and created
> >> >> > > > its own krb5.conf. Toward the end of the function, the code also
> >> >> > > > set the KRB5_CONFIG environment variable to
> >> >> > > > "/var/lib/samba/smb_krb5/krb5.conf.REPUBLIC"
> >> >> > > >
> >> >> > > > Here's a snippet of the log:
> >> >> > > > /var/log/samba/log.smbd:[2015/04/17 10:19:25.083196, 5, pid=9003, effective(0, 0), real(0, 0)] ../source3/libads/kerberos.c:925(create_local_private_krb5_conf_for_domain)
> >> >> > > > /var/log/samba/log.smbd:  create_local_private_krb5_conf_for_domain: wrote file /var/lib/samba/smb_krb5/krb5.conf.REPUBLIC with realm REPUBLIC.WINDC KDC list = kdc = 10.0.3.1
> >> >> > > >
> >> >> > > > I searched through the samba code for krb5.conf and found that
> >> >> > > > "krb5_config_file" in source4\heimdal\lib\krb5\constants.c seems
> >> >> > > > to be the only place that makes use of the krb5.conf file's
> >> >> > > > location. Also, the function where "krb5_config_file" is used is
> >> >> > > > krb5_init_context(), defined in source4\heimdal\lib\krb5\context.c.
> >> >> > > > However, it seems that the code was never executed. I placed
> >> >> > > > additional DEBUG messages in that code path but none appeared.
> >> >> > > >
> >> >> > > > This is the variable I was referring to.
> >> >> > > > KRB5_LIB_VARIABLE const char *krb5_config_file =
> >> >> > > >
> >> >> > > > It seems Samba expects the default location for krb5.conf to be
> >> >> > > > /etc/krb5.conf. However, I couldn't find the location in the code
> >> >> > > > where Samba is looking for /etc/krb5.conf. Another thing that
> >> >> > > > confuses me is why Samba looks into /etc/krb5.conf when it was
> >> >> > > > already creating its own krb5.conf file.
> >> >> > > >
> >> >> > > > My goal is to prevent Samba from looking at /etc/krb5.conf to
> >> >> > > > avoid conflicts between Samba and any other applications that
> >> >> > > > would modify /etc/krb5.conf.
> >> >> > > >
> >> >> > > > Could someone point me to the code to do that?
> >> >> > >
> >> >> > > It's likely the kerberos libraries that are looking in that file.
> >> >> > > Samba really works best if you tell it to use DNS to look up
> >> >> > > services and realms, so an empty krb5.conf file works.
> >> >> > >
> >> >> > > However, if you need a krb5.conf for another application, is it
> >> >> > > possible to run that application in a jail or container?
> >> >> > >
> >> >> > > Alternatively, you might have to make the kerberos libraries linked
> >> >> > > to Samba use a different location or not use krb5.conf.
> >> >> > >
> >> >> > > --
> >> >> > > Regards,
> >> >> > > Richard Sharpe
> >> >> > > (何以解憂?唯有杜康。--曹操)
> >> >> > >
> >> >>
> >> >>
> >> >> --
> >> >> Simo Sorce
> >> >>
> >> >
> >>
> >>
> >>
> >> --
> >> Regards,
> >> Richard Sharpe
> >> (何以解憂?唯有杜康。--曹操)
> >
> >
>
>
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)
>
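A restart wrapper along the lines Richard suggests, added here as an example that is not code from this thread or from Samba: it validates the private krb5.conf (the poster's first attempts failed on a missing export and on file permissions) and passes it to the daemons through KRB5_CONFIG. The file path /home/krb5.conf, the init script names and the SAMBA_WRAPPER_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: hand a private
# krb5.conf to smbd, winbindd and ctdb through KRB5_CONFIG so they stop
# reading /etc/krb5.conf. Path and init script names are assumptions.

# Check that the private krb5.conf is usable before exporting it; the thread
# reports that wrong permissions on the file were one reason the change did
# not take effect at first.
check_krb5_config() {
    conf="$1"
    if [ ! -f "$conf" ]; then
        echo "KRB5_CONFIG: $conf is missing or not a regular file" >&2
        return 1
    fi
    if [ ! -r "$conf" ]; then
        echo "KRB5_CONFIG: $conf is not readable" >&2
        return 1
    fi
    # A private copy that other users can write would let an unrelated
    # application clobber it again, which is the original problem.
    if [ -n "$(find "$conf" -perm -002 2>/dev/null)" ]; then
        echo "KRB5_CONFIG: $conf is world-writable" >&2
        return 1
    fi
    return 0
}

# Run one command with KRB5_CONFIG set to the validated file. Using this for
# manual restarts too closes the gap Richard notes for daemons started by hand.
run_with_krb5_config() {
    conf="$1"; shift
    check_krb5_config "$conf" || return 1
    KRB5_CONFIG="$conf" "$@"
}

# Restart the three daemons the poster patched, each with the private file.
restart_samba() {
    conf="${1:-/home/krb5.conf}"    # assumed location, as used in the thread
    for svc in smb winbind ctdb; do
        run_with_krb5_config "$conf" /etc/init.d/"$svc" restart || return 1
    done
}

# Only restart when invoked with SAMBA_WRAPPER_RUN=1; sourcing the file from
# an init script just defines the functions.
if [ "${SAMBA_WRAPPER_RUN:-0}" = 1 ]; then
    restart_samba "$@"
fi
```

Sourcing this file from /etc/init.d/smb, winbind and ctdb and calling run_with_krb5_config for the daemon start line keeps the three scripts from drifting apart, which is how the winbind script got missed in the thread.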