Samba and krb5.conf

Richard Sharpe realrichardsharpe at gmail.com
Fri Apr 17 19:37:22 MDT 2015


On Fri, Apr 17, 2015 at 6:20 PM, Richard Sharpe
<realrichardsharpe at gmail.com> wrote:
> On Fri, Apr 17, 2015 at 5:48 PM, Kenny Dinh <kdinh at peaxy.net> wrote:
>> I added
>>    export KRB5_CONFIG=/home/krb5.conf
>>    echo "KRB5_CONFIG is $KRB5_CONFIG"
>>
>> into /etc/init.d/smb, /etc/init.d/winbind as well as /etc/init.d/ctdb.  That
>> fixed my issue.
>>
>> It took me some time to verify that because I forgot to add the EV
>> KRB5_CONFIG to the winbind start script, and also forgot to change permission on
>> the /home/krb5.conf file, the first few times.
>
> OK, that is good. Remember that if you start smbd and winbindd
> manually, this will not be done, so you might want that env variable
> defined in root's bashrc or something, or you might want to create a
> script for restarting samba.

There's one more thing.

You guys use RPMs for packaging, and that script you modified is
installed via RPMs.

You will need to rebuild the Samba RPM with that script modified.

I left instructions on how to do that. Remember to rev the
extraversion number whenever you rebuild an RPM so you know which RPMs
have which changes etc.

Briefly, find the sources, especially the source to that script file,
then modify the extraversion field in the SPEC file and then rpmbuild
-ba path/to/samba-spec-file

>> Thank you, Richard, and Simo.
>> Your help was much appreciated.
>> ~Kenny
>>
>>
>>
>> On Fri, Apr 17, 2015 at 4:20 PM, Richard Sharpe
>> <realrichardsharpe at gmail.com> wrote:
>>>
>>> On Fri, Apr 17, 2015 at 3:16 PM, Kenny Dinh <kdinh at peaxy.net> wrote:
>>> >
>>> >> Set the environment variable KRB5_CONFIG to another file in the samba
>>> >> unit file/startup script ?
>>> >
>>> > I'm not sure I understood this approach.  Could you help elaborate?  Are
>>> > you referring to Samba4/InitScript or the /etc/rc.d/init.d/smb script file?
>>> > My understanding is that smbd is run as a service so all environment
>>> > variables such as KRB5_CONFIG will be discarded.
>>>
>>> Since your environment is CentOS 6.x, you probably want to put
>>> something like the following in the Samba start script for CentOS 6.x:
>>>
>>>    export KRB5_CONFIG=/path/to/empty/krb5.conf
>>>
>>> > On Fri, Apr 17, 2015 at 3:02 PM, Simo <simo at samba.org> wrote:
>>> >>
>>> >> On Fri, 2015-04-17 at 14:16 -0700, Kenny Dinh wrote:
>>> >> > Richard,
>>> >> >
>>> >> > It is possible to run the conflicting application in a container, but
>>> >> > I cannot prevent future applications.
>>> >> >
>>> >> > I will look into the alternative method, make the kerberos libraries
>>> >> > linked to Samba use a different location of krb5.conf rather than
>>> >> > /etc/krb5.conf.
>>> >> > I have been looking at the wrong place all this time.
>>> >> >
>>> >> > Thanks for the pointer!
>>> >> > ~Kenny
>>> >>
>>> >> Set the environment variable KRB5_CONFIG to another file in the samba
>>> >> unit file/startup script ?
>>> >>
>>> >> Simo.
>>> >>
>>> >> > On Fri, Apr 17, 2015 at 2:02 PM, Richard Sharpe
>>> >> > <realrichardsharpe at gmail.com> wrote:
>>> >> >
>>> >> > > On Fri, Apr 17, 2015 at 1:09 PM, Kenny Dinh <kdinh at peaxy.net> wrote:
>>> >> > > > Greeting,
>>> >> > > >
>>> >> > > > We are using Samba 4.1.13 on CentOS and were having issues
>>> >> > > > authenticating a user that was created in a subdomain.
>>> >> > > >
>>> >> > > > We found out that another application had updated the
>>> >> > > > /etc/krb5.conf to match its need, and Samba was not happy about it.
>>> >> > > > When we deleted the /etc/krb5.conf, Samba was able to authenticate a
>>> >> > > > user from a subdomain
>>> >> > > > (smbclient //localhost/share -U<subdomain>\\<user>%<password>)
>>> >> > > >
>>> >> > > > Note that SAMBA4_USES_HEIMDAL was not defined.
>>> >> > > > This is my smb.conf
>>> >> > > >
>>> >> > > > # net conf list
>>> >> > > > [global]
>>> >> > > > idmap config *:backend = tdb
>>> >> > > > idmap config *:range = 1000000-100000000
>>> >> > > > idmap config *:script = /usr/mydir/bin/idmap
>>> >> > > > workgroup = REPUBLIC
>>> >> > > > realm = REPUBLIC.WINDC
>>> >> > > > security = ads
>>> >> > > > netbios name = testbox1
>>> >> > > > log level = 10
>>> >> > > >
>>> >> > > > [blah]
>>> >> > > > path = /
>>> >> > > > comment = sdakjhkjh
>>> >> > > > guest ok = no
>>> >> > > > read only = no
>>> >> > > > browseable = yes
>>> >> > > >
>>> >> > > > I noticed that the code path went
>>> >> > > > through create_local_private_krb5_conf_for_domain() function and
>>> >> > > > created its own krb5.conf.  Toward the end of the function, the code
>>> >> > > > also set the KRB5_CONFIG environment variable to
>>> >> > > > "/var/lib/samba/smb_krb5/krb5.conf.REPUBLIC"
>>> >> > > >
>>> >> > > > Here's a snippet of the log:
>>> >> > > > /var/log/samba/log.smbd:[2015/04/17 10:19:25.083196,  5, pid=9003, effective(0, 0), real(0, 0)] ../source3/libads/kerberos.c:925(create_local_private_krb5_conf_for_domain)
>>> >> > > > /var/log/samba/log.smbd:  create_local_private_krb5_conf_for_domain: wrote file /var/lib/samba/smb_krb5/krb5.conf.REPUBLIC with realm REPUBLIC.WINDC KDC list = kdc = 10.0.3.1
>>> >> > > >
>>> >> > > > I searched through samba code for krb5.conf and found that
>>> >> > > > "krb5_config_file" in source4\heimdal\lib\krb5\constants.c seems
>>> >> > > > to be the only place that makes use of the krb5.conf file location.
>>> >> > > > Also the function where "krb5_config_file" is used in
>>> >> > > > krb5_init_context() defined in source4\heimdal\lib\krb5\context.c.
>>> >> > > > However, it seems that the code was never executed.  I placed
>>> >> > > > additional DEBUG messages in that code path but none appeared.
>>> >> > > >
>>> >> > > > This is the variable I was referring to.
>>> >> > > > KRB5_LIB_VARIABLE const char *krb5_config_file =
>>> >> > > >
>>> >> > > > It seems Samba expects the default location for krb5.conf to be
>>> >> > > > located at /etc/krb5.conf.  However, I couldn't find the location in
>>> >> > > > the code where Samba is looking for /etc/krb5.conf.  Another thing
>>> >> > > > that confuses me is why does Samba look into /etc/krb5.conf when it
>>> >> > > > was already creating its own krb5.conf file.
>>> >> > > >
>>> >> > > > My goal is to prevent Samba from looking at /etc/krb5.conf to avoid
>>> >> > > > conflicts between Samba and any other applications that would modify
>>> >> > > > /etc/krb5.conf.
>>> >> > > >
>>> >> > > > Could someone point me to the code to do that?
>>> >> > >
>>> >> > > It's likely the kerberos libraries that are looking in that file.
>>> >> > > Samba really works best if you tell it to use DNS to look up
>>> >> > > services and realms, so an empty krb5.conf file works.
>>> >> > >
>>> >> > > However, if you need a krb5.conf for another application, is it
>>> >> > > possible to run that application in a jail or container?
>>> >> > >
>>> >> > > Alternatively, you might have to make the kerberos libraries linked
>>> >> > > to Samba use a different location or not use krb5.conf.



-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
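Kenny's fix (exporting KRB5_CONFIG from the smb, winbind and ctdb init scripts) failed at first because one script was missed and the file was unreadable. The following added check, which is not part of the thread, reads a daemon's NUL-separated /proc/<pid>/environ to confirm the variable actually reached the process and that the file it names is readable; pidof and the Linux /proc layout are assumed, and the environ path is a parameter so a constructed file can stand in for a live process.

```shell
#!/bin/sh
# Added example, not from the Samba thread: verify that a running daemon
# picked up KRB5_CONFIG and that the file it points at is readable.

# Print the KRB5_CONFIG value from a NUL-separated environ file (or nothing).
krb5_config_from_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^KRB5_CONFIG=//p'
}

# Return 0 if KRB5_CONFIG is set and readable,
#        1 if it is unset (libkrb5 falls back to /etc/krb5.conf),
#        2 if it is set but the file is missing or unreadable
#          (the permission trap described in the thread).
# Note: -r tests readability by the user running this check; smbd and
# winbindd run as root, so run the check as root to match their view.
check_krb5_config() {
    environ_file=$1
    cfg=$(krb5_config_from_environ "$environ_file")
    if [ -z "$cfg" ]; then
        echo "KRB5_CONFIG not set; libkrb5 will read /etc/krb5.conf" >&2
        return 1
    fi
    if [ ! -r "$cfg" ]; then
        echo "KRB5_CONFIG=$cfg is set but the file is not readable" >&2
        return 2
    fi
    echo "KRB5_CONFIG=$cfg is set and readable"
    return 0
}

# Check every running smbd and winbindd (assumes pidof and /proc; needs
# root to read another process's environ). Returns non-zero if any fails,
# which catches the case where only some of the init scripts were patched.
check_samba_daemons() {
    rc=0
    for pid in $(pidof smbd winbindd 2>/dev/null); do
        printf '%s: ' "$pid"
        check_krb5_config "/proc/$pid/environ" || rc=1
    done
    return $rc
}
```

Run `check_samba_daemons` as root after restarting the services; a daemon started by hand from a shell without the export will show up as "not set".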

