Samba and krb5.conf

Kenny Dinh kdinh at peaxy.net
Fri Apr 17 19:42:03 MDT 2015


Yes, that is exactly what I will do.

On Fri, Apr 17, 2015 at 6:37 PM, Richard Sharpe <realrichardsharpe at gmail.com> wrote:

> On Fri, Apr 17, 2015 at 6:20 PM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
> > On Fri, Apr 17, 2015 at 5:48 PM, Kenny Dinh <kdinh at peaxy.net> wrote:
> >> I added
> >>    export KRB5_CONFIG=/home/krb5.conf
> >>    echo "KRB5_CONFIG is $KRB5_CONFIG"
> >>
> >> into /etc/init.d/smb, /etc/init.d/winbind as well as /etc/init.d/ctdb. That
> >> fixed my issue.
> >>
> >> It took me some time to verify that because I forgot to add the EV
> >> KRB5_CONFIG to the winbind start script, and also forgot to change permission on
> >> the /home/krb5.conf file, in the first few times.
> >
> > OK, that is good. Remember that if you start smbd and winbindd
> > manually, this will not be done, so you might want that env variable
> > defined in root's bashrc or something, or you might want to create a
> > script for restarting samba.
>
> There's one more thing.
>
> You guys use RPMs for packaging, and that script you modified is
> installed via RPMs.
>
> You will need to rebuild the Samba RPM with that script modified.
>
> I left instructions on how to do that. Remember to rev the
> extraversion number whenever you rebuild an RPM so you know which RPMs
> have which changes etc.
>
> Briefly, find the sources, especially the source to that script file,
> then modify the extraversion field in the SPEC file and then rpmbuild
> -ba path/to/samba-spec-file
>
> >> Thank you, Richard, and Simo.
> >> Your help was much appreciated.
> >> ~Kenny
> >>
> >> On Fri, Apr 17, 2015 at 4:20 PM, Richard Sharpe
> >> <realrichardsharpe at gmail.com> wrote:
> >>>
> >>> On Fri, Apr 17, 2015 at 3:16 PM, Kenny Dinh <kdinh at peaxy.net> wrote:
> >>> >
> >>> >> Set the environment variable KRB5_CONFIG to another file in the samba
> >>> >> unit file/startup script ?
> >>> >
> >>> > I'm not sure I understood this approach.  Could you help elaborate?  Are
> >>> > you referring to Samba4/InitScript or the /etc/rc.d/init.d/smb script file?
> >>> > My understanding is that smbd is run as a service so all environment
> >>> > variables such as KRB5_CONFIG will be discarded.
> >>>
> >>> Since your environment is CentOS 6.x, you probably want to put
> >>> something like the following in the Samba start script for CentOS 6.x:
> >>>
> >>>    export KRB5_CONFIG=/path/to/empty/krb5.conf
> >>>
> >>> > On Fri, Apr 17, 2015 at 3:02 PM, Simo <simo at samba.org> wrote:
> >>> >>
> >>> >> On Fri, 2015-04-17 at 14:16 -0700, Kenny Dinh wrote:
> >>> >> > Richard,
> >>> >> >
> >>> >> > It is possible to run the conflicting application in a container, but I
> >>> >> > cannot prevent future applications.
> >>> >> >
> >>> >> > I will look into the alternative method, make the kerberos libraries linked
> >>> >> > to Samba use a different location of krb5.conf rather than
> >>> >> > /etc/krb5.conf.
> >>> >> > I have been looking at the wrong place all this time.
> >>> >> >
> >>> >> > Thanks for the pointer!
> >>> >> > ~Kenny
> >>> >>
> >>> >> Set the environment variable KRB5_CONFIG to another file in the samba
> >>> >> unit file/startup script ?
> >>> >>
> >>> >> Simo.
> >>> >>
> >>> >> > On Fri, Apr 17, 2015 at 2:02 PM, Richard Sharpe
> >>> >> > <realrichardsharpe at gmail.com> wrote:
> >>> >> >
> >>> >> > > On Fri, Apr 17, 2015 at 1:09 PM, Kenny Dinh <kdinh at peaxy.net> wrote:
> >>> >> > > > Greeting,
> >>> >> > > >
> >>> >> > > > We are using Samba 4.1.13 on CentOS and were having an issue
> >>> >> > > > authenticating a user that was created in a subdomain.
> >>> >> > > >
> >>> >> > > > We found out that another application had updated the /etc/krb5.conf to
> >>> >> > > > match its need, and Samba was not happy about it.  When we deleted the
> >>> >> > > > /etc/krb5.conf, Samba was able to authenticate a user from a subdomain
> >>> >> > > > (smbclient //localhost/share -U<subdomain>\\<user>%<password>)
> >>> >> > > >
> >>> >> > > > Note that SAMBA4_USES_HEIMDAL was not defined.
> >>> >> > > > This is my smb.conf
> >>> >> > > >
> >>> >> > > > # net conf list
> >>> >> > > > [global]
> >>> >> > > > idmap config *:backend = tdb
> >>> >> > > > idmap config *:range = 1000000-100000000
> >>> >> > > > idmap config *:script = /usr/mydir/bin/idmap
> >>> >> > > > workgroup = REPUBLIC
> >>> >> > > > realm = REPUBLIC.WINDC
> >>> >> > > > security = ads
> >>> >> > > > netbios name = testbox1
> >>> >> > > > log level = 10
> >>> >> > > >
> >>> >> > > > [blah]
> >>> >> > > > path = /
> >>> >> > > > comment = sdakjhkjh
> >>> >> > > > guest ok = no
> >>> >> > > > read only = no
> >>> >> > > > browseable = yes
> >>> >> > > >
> >>> >> > > > I noticed that the code path went
> >>> >> > > > through the create_local_private_krb5_conf_for_domain() function and created
> >>> >> > > > its own krb5.conf.  Toward the end of the function, the code also set the
> >>> >> > > > KRB5_CONFIG environment variable to "/var/lib/samba/smb_krb5/krb5.conf.REPUBLIC"
> >>> >> > > >
> >>> >> > > > Here's a snippet of the log:
> >>> >> > > > /var/log/samba/log.smbd:[2015/04/17 10:19:25.083196,  5, pid=9003, effective(0, 0), real(0, 0)] ../source3/libads/kerberos.c:925(create_local_private_krb5_conf_for_domain)
> >>> >> > > > /var/log/samba/log.smbd:  create_local_private_krb5_conf_for_domain: wrote file /var/lib/samba/smb_krb5/krb5.conf.REPUBLIC with realm REPUBLIC.WINDC KDC list = kdc = 10.0.3.1
> >>> >> > > >
> >>> >> > > > I searched through the samba code for krb5.conf and found that
> >>> >> > > > "krb5_config_file" in source4\heimdal\lib\krb5\constants.c seems to be the
> >>> >> > > > only place that makes use of the krb5.conf file location.  Also the function
> >>> >> > > > where "krb5_config_file" is used in krb5_init_context() defined in
> >>> >> > > > source4\heimdal\lib\krb5\context.c.  However, it seems that the code was
> >>> >> > > > never executed.  I placed additional DEBUG messages in that code path but
> >>> >> > > > none appeared.
> >>> >> > > >
> >>> >> > > > This is the variable I was referring to.
> >>> >> > > > KRB5_LIB_VARIABLE const char *krb5_config_file =
> >>> >> > > >
> >>> >> > > > It seems Samba expects the default location for krb5.conf to be located at
> >>> >> > > > /etc/krb5.conf.  However, I couldn't find the location in the code where
> >>> >> > > > Samba is looking for /etc/krb5.conf.  Another thing that confuses me is why
> >>> >> > > > does Samba look into /etc/krb5.conf when it was already creating its own
> >>> >> > > > krb5.conf file.
> >>> >> > > >
> >>> >> > > > My goal is to prevent Samba from looking at /etc/krb5.conf to avoid
> >>> >> > > > conflicts between Samba and any other applications that would modify
> >>> >> > > > /etc/krb5.conf.
> >>> >> > > >
> >>> >> > > > Could someone point me to the code to do that?
> >>> >> > >
> >>> >> > > It's likely the kerberos libraries that are looking in that file.
> >>> >> > > Samba really works best if you tell it to use DNS to look up services
> >>> >> > > and realms, so an empty krb5.conf file works.
> >>> >> > >
> >>> >> > > However, if you need a krb5.conf for another application, is it
> >>> >> > > possible to run that application in a jail or container?
> >>> >> > >
> >>> >> > > Alternatively, you might have to make the kerberos libraries linked to
> >>> >> > > Samba use a different location or not use krb5.conf.
>
>
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)
>
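An added example (not code from this thread or from Samba) showing the init-script side of the fix the thread settles on: a helper that validates a private krb5.conf before exporting KRB5_CONFIG, a wrapper that starts a daemon with it, and a check of a running daemon's environment block to confirm the variable actually reached it. It assumes POSIX sh, a Linux /proc/<pid>/environ, and pgrep; the paths are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: helpers for the
# init-script fix (export KRB5_CONFIG so Samba's Kerberos library reads a
# private krb5.conf instead of the shared /etc/krb5.conf).

# check_krb5_conf FILE: succeed only if FILE is a regular, readable file
# that is not group- or world-writable. The thread hit a permission problem
# on the private file, and a writable private file would just let another
# application rewrite it, which was the original /etc/krb5.conf problem.
check_krb5_conf() {
    f=$1
    [ -f "$f" ] || { echo "KRB5_CONFIG: $f is not a regular file" >&2; return 1; }
    [ -r "$f" ] || { echo "KRB5_CONFIG: $f is not readable" >&2; return 1; }
    perm=$(ls -ld "$f" | cut -c1-10)   # e.g. -rw-r--r--
    case $perm in
        ?????w*|????????w?)            # group (col 6) or other (col 9) write bit
            echo "KRB5_CONFIG: $f is group/world writable ($perm)" >&2
            return 1 ;;
    esac
    return 0
}

# run_with_krb5_config FILE CMD...: what each of /etc/init.d/smb, winbind
# and ctdb needs to do for its daemon (the thread found all three matter).
run_with_krb5_config() {
    f=$1; shift
    check_krb5_conf "$f" || return 1
    KRB5_CONFIG=$f "$@"
}

# krb5_config_of_environ FILE: print the KRB5_CONFIG value found in a
# NUL-separated environ block, normally /proc/<pid>/environ of a running
# smbd or winbindd; prints nothing if the variable is unset. This is how to
# verify a daemon started by hand, which bypasses the init script's export.
krb5_config_of_environ() {
    tr '\0' '\n' < "$1" | sed -n 's/^KRB5_CONFIG=//p'
}

# Usage on a live box (assumes pgrep is available):
#   run_with_krb5_config /home/krb5.conf /usr/sbin/smbd -D
#   krb5_config_of_environ "/proc/$(pgrep -o smbd)/environ"
```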

