Samba and krb5.conf

Simo simo at samba.org
Sat Apr 18 12:16:02 MDT 2015


On Fri, 2015-04-17 at 18:42 -0700, Kenny Dinh wrote:
> Yes, that is exactly what I will do.

No, don't rebuild anything, it's completely unnecessary.

The correct way to set local configuration variables for init scripts on
RHEL-like systems is to set them in /etc/sysconfig/samba which is
sourced by the init script (or the unit files on RHEL7 where systemd is
used).

The sysconfig file will not be touched on updates and your env vars
settings will be preserved.

Simo.

> On Fri, Apr 17, 2015 at 6:37 PM, Richard Sharpe
> <realrichardsharpe at gmail.com> wrote:
>         On Fri, Apr 17, 2015 at 6:20 PM, Richard Sharpe
>         <realrichardsharpe at gmail.com> wrote:
>         > On Fri, Apr 17, 2015 at 5:48 PM, Kenny Dinh
>         <kdinh at peaxy.net> wrote:
>         >> I added
>         >>    export KRB5_CONFIG=/home/krb5.conf
>         >>    echo "KRB5_CONFIG is $KRB5_CONFIG"
>         >>
>         >> into /etc/init.d/smb, /etc/init.d/winbind as well
>         as /etc/init.d/ctdb.  That
>         >> fixed my issue.
>         >>
>         >> It took me some time to verify that because I forgot to
>         add the EV
>         >> KRB5_CONFIG to winbind start script, and also forgot to
>         change permission on
>         >> the /home/krb5.conf file, in the first few times.
>         >
>         > OK, that is good. Remember that if you start smbd and
>         winbindd
>         > manually, this will not be done, so you might want that env
>         variable
>         > defined in root's bashrc or something, or you might want to
>         create a
>         > script for restarting samba.
>         
>         There's one more thing.
>         
>         You guys use RPMs for packaging, and that script you modified
>         is
>         installed via RPMs.
>         
>         You will need to rebuild the Samba RPM with that script
>         modified.
>         
>         I left instructions on how to do that. Remember to rev the
>         extraversion number whenever you rebuild an RPM so you know
>         which RPMs
>         have which changes etc.
>         
>         Briefly, find the sources, especially the source to that
>         script file,
>         then modify the extraversion field in the SPEC file and then
>         rpmbuild
>         -ba path/to/samba-spec-file
>         
>         >> Thank you, Richard, and Simo.
>         >> Your help was much appreciated.
>         >> ~Kenny
>         >>
>         >>
>         >>
>         >> On Fri, Apr 17, 2015 at 4:20 PM, Richard Sharpe
>         >> <realrichardsharpe at gmail.com> wrote:
>         >>>
>         >>> On Fri, Apr 17, 2015 at 3:16 PM, Kenny Dinh
>         <kdinh at peaxy.net> wrote:
>         >>> >
>         >>> >> Set the environment variable KRB5_CONFIG to another
>         file in the samba
>         >>> >> unit file/startup script ?
>         >>> >
>         >>> > I'm not sure I understood this approach.  Could you help
>         elaborate?  Are
>         >>> > you
>         >>> > referring to Samba4/InitScript or
>         the /etc/rc.d/init.d/smb script file?
>         >>> > My understanding is that smbd is run as a service so all
>         environment
>         >>> > variables such as KRB5_CONFIG will be discarded.
>         >>>
>         >>> Since your environment is CentOS 6.x, you probably want to
>         put
>         >>> something like the following in the Samba start script for
>         CentOS 6.x:
>         >>>
>         >>>    export KRB5_CONFIG=/path/to/empty/krb5.conf
>         >>>
>         >>> > On Fri, Apr 17, 2015 at 3:02 PM, Simo <simo at samba.org>
>         wrote:
>         >>> >>
>         >>> >> On Fri, 2015-04-17 at 14:16 -0700, Kenny Dinh wrote:
>         >>> >> > Richard,
>         >>> >> >
>         >>> >> > It is possible to run the conflicting application in
>         a container, but
>         >>> >> > I
>         >>> >> > cannot prevent future applications.
>         >>> >> >
>         >>> >> > I will look into the alternative method, make the
>         kerberos libraries
>         >>> >> > linked
>         >>> >> > to Samba use a different location of krb5.conf rather
>         than
>         >>> >> > /etc/krb5.conf.
>         >>> >> > I have been looking at the wrong place all this time.
>         >>> >> >
>         >>> >> > Thanks for the pointer!
>         >>> >> > ~Kenny
>         >>> >>
>         >>> >> Set the environment variable KRB5_CONFIG to another
>         file in the samba
>         >>> >> unit file/startup script ?
>         >>> >>
>         >>> >> Simo.
>         >>> >>
>         >>> >> > On Fri, Apr 17, 2015 at 2:02 PM, Richard Sharpe
>         >>> >> > <realrichardsharpe at gmail.com
>         >>> >> > > wrote:
>         >>> >> >
>         >>> >> > > On Fri, Apr 17, 2015 at 1:09 PM, Kenny Dinh
>         <kdinh at peaxy.net>
>         >>> >> > > wrote:
>         >>> >> > > > Greeting,
>         >>> >> > > >
>         >>> >> > > > We are using Samba 4.1.13 on CentOS and were
>         having issues
>         >>> >> > > > authenticating
>         >>> >> > > > a user that was created in a subdomain.
>         >>> >> > > >
>         >>> >> > > > We found out that another application had updated
>         the
>         >>> >> > > > /etc/krb5.conf
>         >>> >> > > > to
>         >>> >> > > > match its need, and Samba was not happy about it.
>         When we
>         >>> >> > > > deleted
>         >>> >> > > > the
>         >>> >> > > > /etc/krb5.conf, Samba was able to authenticate
>         user from a
>         >>> >> > > > subdomain
>         >>> >> > > > (smbclient //localhost/share -U<subdomain>\\<user>%<password>)
>         >>> >> > > >
>         >>> >> > > > Note that SAMBA4_USES_HEIMDAL was not defined.
>         >>> >> > > > This is my smb.conf
>         >>> >> > > >
>         >>> >> > > > # net conf list
>         >>> >> > > > [global]
>         >>> >> > > > idmap config *:backend = tdb
>         >>> >> > > > idmap config *:range = 1000000-100000000
>         >>> >> > > > idmap config *:script = /usr/mydir/bin/idmap
>         >>> >> > > > workgroup = REPUBLIC
>         >>> >> > > > realm = REPUBLIC.WINDC
>         >>> >> > > > security = ads
>         >>> >> > > > netbios name = testbox1
>         >>> >> > > > log level = 10
>         >>> >> > > >
>         >>> >> > > > [blah]
>         >>> >> > > > path = /
>         >>> >> > > > comment = sdakjhkjh
>         >>> >> > > > guest ok = no
>         >>> >> > > > read only = no
>         >>> >> > > > browseable = yes
>         >>> >> > > >
>         >>> >> > > > I noticed that the code path went
>         >>> >> > > > through
>         create_local_private_krb5_conf_for_domain() function and
>         >>> >> > > > created
>         >>> >> > > > its own krb5.conf.  Toward the end of the
>         function, the code also
>         >>> >> > > > set the
>         >>> >> > > > KRB5_CONFIG environment variable to "
>         >>> >> > > > /var/lib/samba/smb_krb5/krb5.conf.REPUBLIC"
>         >>> >> > > >
>         >>> >> > > > Here's a snippet of the log:
>         >>> >> > > > /var/log/samba/log.smbd:[2015/04/17
>         10:19:25.083196,  5,
>         >>> >> > > > pid=9003,
>         >>> >> > > > effective(0, 0), real(0, 0)]
>         >>> >> > > >
>         >>> >> > >
>         >>> >> > >
>         >>> >> >
>         > ../source3/libads/kerberos.c:925(create_local_private_krb5_conf_for_domain)
>         >>> >> > > > /var/log/samba/log.smbd:
>         >>> >> > > > create_local_private_krb5_conf_for_domain:
>         >>> >> > > wrote
>         >>> >> > > > file /var/lib/samba/smb_krb5/krb5.conf.REPUBLIC
>         with realm
>         >>> >> > > > REPUBLIC.WINDC
>         >>> >> > > > KDC list = kdc = 10.0.3.1
>         >>> >> > > >
>         >>> >> > > > I searched through samba code for krb5.conf and
>         found that
>         >>> >> > > > "krb5_config_file" in source4\heimdal\lib\krb5
>         \constants.c seems
>         >>> >> > > > to
>         >>> >> > > > be
>         >>> >> > > the
>         >>> >> > > > only place that makes use of the krb5.conf file
>         location.  Also the
>         >>> >> > > > function
>         >>> >> > > > where "krb5_config_file" is used in
>         krb5_init_context() defined
>         >>> >> > > > in
>         >>> >> > > > source4\heimdal\lib\krb5\context.c.  However, it
>         seems that the
>         >>> >> > > > code
>         >>> >> > > > was
>         >>> >> > > > never executed.  I placed additional DEBUG messages
>         in that code
>         >>> >> > > > path
>         >>> >> > > > but
>         >>> >> > > > none appear.
>         >>> >> > > >
>         >>> >> > > > This is the variable I was referring to.
>         >>> >> > > > KRB5_LIB_VARIABLE const char *krb5_config_file =
>         >>> >> > > >
>         >>> >> > > > It seems Samba expects the default location for
>         krb5.conf to be
>         >>> >> > > > located
>         >>> >> > > at
>         >>> >> > > > /etc/krb5.conf.  However, I couldn't find the
>         location in the
>         >>> >> > > > code
>         >>> >> > > > where
>         >>> >> > > > Samba is looking for /etc/krb5.conf.  Another
>         thing that confuses
>         >>> >> > > > me
>         >>> >> > > > is
>         >>> >> > > why
>         >>> >> > > > does Samba look into /etc/krb5.conf when it was
>         already creating
>         >>> >> > > > its
>         >>> >> > > > own
>         >>> >> > > > krb5.conf file.
>         >>> >> > > >
>         >>> >> > > > My goal is to prevent Samba from looking
>         at /etc/krb5.conf to
>         >>> >> > > > avoid
>         >>> >> > > > conflicts between Samba and any other
>         applications that would
>         >>> >> > > > modify
>         >>> >> > > > /etc/krb5.conf.
>         >>> >> > > >
>         >>> >> > > > Could someone point me to the code to do that?
>         >>> >> > >
>         >>> >> > > It's likely the kerberos libraries that are looking
>         in that file.
>         >>> >> > > Samba really works best if you tell it to use DNS
>         to look up
>         >>> >> > > services
>         >>> >> > > and realms, so an empty krb5.conf file works.
>         >>> >> > >
>         >>> >> > > However, if you need a krb5.conf for another
>         application, is it
>         >>> >> > > possible to run that application in a jail or
>         container?
>         >>> >> > >
>         >>> >> > > Alternatively, you might have to make the kerberos
>         libraries linked
>         >>> >> > > to
>         >>> >> > > Samba use a different location or not use
>         krb5.conf.
>         
>         
>         
>         --
>         Regards,
>         Richard Sharpe
>         (What can dispel sorrow? Only Du Kang wine. -- Cao Cao)
>         
> 
> 


-- 
Simo Sorce
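As an added example (not code from the thread or from the Samba project), the POSIX sh snippet below emulates how a RHEL init script sources /etc/sysconfig/samba and then execs the daemon, so you can verify which krb5.conf smbd/winbindd would actually read. It also catches the two mistakes Kenny reported (the variable not reaching the daemon, and an unreadable file). The sysconfig path is taken as an argument so it runs against constructed files; on a real host you would pass /etc/sysconfig/samba.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Emulates: init script sources the sysconfig file, then execs the daemon.

# Print the krb5.conf path a freshly exec'd daemon would see after the
# sysconfig file has been sourced. A child process only inherits EXPORTED
# variables, so a plain "KRB5_CONFIG=..." assignment never reaches smbd.
effective_krb5_config() {
    sysconfig=$1
    (
        unset KRB5_CONFIG                     # start from a clean environment
        [ -r "$sysconfig" ] && . "$sysconfig" # what the init script does
        # libkrb5 falls back to /etc/krb5.conf when KRB5_CONFIG is unset
        sh -c 'printf "%s\n" "${KRB5_CONFIG:-/etc/krb5.conf}"'
    )
}

# Sanity-check the file the daemon would read: it must exist and be readable
# by the daemon user (the init script runs as root, so check as the caller).
check_krb5_config() {
    path=$(effective_krb5_config "$1")
    if [ ! -f "$path" ]; then
        echo "KRB5_CONFIG=$path does not exist" >&2
        return 1
    fi
    if [ ! -r "$path" ]; then
        echo "KRB5_CONFIG=$path is not readable" >&2
        return 2
    fi
    echo "smbd/winbindd would read $path"
    return 0
}

# Constructed sample files (hypothetical paths under a temp dir):
# an empty krb5.conf, as suggested in the thread so DNS lookups are used,
# plus a correct sysconfig file and a broken one that forgets "export".
demo_dir=$(mktemp -d)
: > "$demo_dir/krb5.conf"
printf 'export KRB5_CONFIG=%s\n' "$demo_dir/krb5.conf" > "$demo_dir/samba.good"
printf 'KRB5_CONFIG=%s\n' "$demo_dir/krb5.conf" > "$demo_dir/samba.noexport"

check_krb5_config "$demo_dir/samba.good"      # prints the private krb5.conf
check_krb5_config "$demo_dir/samba.noexport"  # prints /etc/krb5.conf
```

With systemd on RHEL7 the same file is consumed through EnvironmentFile=, which passes every assignment to the service, so the missing "export" problem applies only to the init-script path.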