Samba and krb5.conf
Richard Sharpe
realrichardsharpe at gmail.com
Sat Apr 18 15:56:16 MDT 2015
On Sat, Apr 18, 2015 at 11:16 AM, Simo <simo at samba.org> wrote:
> On Fri, 2015-04-17 at 18:42 -0700, Kenny Dinh wrote:
>> Yes, that is exactly what I will do.
>
> No, don't rebuild anything, it's completely unnecessary.
>
> The correct way to set local configuration variables for init scripts on
> RHEL-like systems is to set them in /etc/sysconfig/samba which is
> sourced by the init script (or the unit files on RHEL7 where systemd is
> used).
Hmmm, I didn't know that ... good info.
> The sysconfig file will not be touched on updates and your env vars
> settings will be preserved.
>
> Simo.
>
>> On Fri, Apr 17, 2015 at 6:37 PM, Richard Sharpe
>> <realrichardsharpe at gmail.com> wrote:
>>> On Fri, Apr 17, 2015 at 6:20 PM, Richard Sharpe
>>> <realrichardsharpe at gmail.com> wrote:
>>>> On Fri, Apr 17, 2015 at 5:48 PM, Kenny Dinh <kdinh at peaxy.net> wrote:
>>>>> I added
>>>>> export KRB5_CONFIG=/home/krb5.conf
>>>>> echo "KRB5_CONFIG is $KRB5_CONFIG"
>>>>>
>>>>> into /etc/init.d/smb, /etc/init.d/winbind as well as /etc/init.d/ctdb.
>>>>> That fixed my issue.
>>>>>
>>>>> It took me some time to verify that because I forgot to add the EV
>>>>> KRB5_CONFIG to the winbind start script, and also forgot to change
>>>>> permissions on the /home/krb5.conf file, the first few times.
>>>>
>>>> OK, that is good. Remember that if you start smbd and winbindd
>>>> manually, this will not be done, so you might want that env variable
>>>> defined in root's bashrc or something, or you might want to create a
>>>> script for restarting samba.
>>>
>>> There's one more thing.
>>>
>>> You guys use RPMs for packaging, and that script you modified is
>>> installed via RPMs.
>>>
>>> You will need to rebuild the Samba RPM with that script modified.
>>>
>>> I left instructions on how to do that. Remember to rev the
>>> extraversion number whenever you rebuild an RPM so you know which RPMs
>>> have which changes etc.
>>>
>>> Briefly, find the sources, especially the source to that script file,
>>> then modify the extraversion field in the SPEC file and then
>>> rpmbuild -ba path/to/samba-spec-file
>>>
>>>>> Thank you, Richard, and Simo.
>>>>> Your help was much appreciated.
>>>>> ~Kenny
>>>>>
>>>>> On Fri, Apr 17, 2015 at 4:20 PM, Richard Sharpe
>>>>> <realrichardsharpe at gmail.com> wrote:
>>>>>> On Fri, Apr 17, 2015 at 3:16 PM, Kenny Dinh <kdinh at peaxy.net> wrote:
>>>>>>>> Set the environment variable KRB5_CONFIG to another file in the
>>>>>>>> samba unit file/startup script ?
>>>>>>>
>>>>>>> I'm not sure I understood this approach. Could you help elaborate?
>>>>>>> Are you referring to Samba4/InitScript or the /etc/rc.d/init.d/smb
>>>>>>> script file? My understanding is that smbd is run as a service so
>>>>>>> all environment variables such as KRB5_CONFIG will be discarded.
>>>>>>
>>>>>> Since your environment is CentOS 6.x, you probably want to put
>>>>>> something like the following in the Samba start script for CentOS 6.x:
>>>>>>
>>>>>> export KRB5_CONFIG=/path/to/empty/krb5.conf
>>>>>>
>>>>>>> On Fri, Apr 17, 2015 at 3:02 PM, Simo <simo at samba.org> wrote:
>>>>>>>> On Fri, 2015-04-17 at 14:16 -0700, Kenny Dinh wrote:
>>>>>>>>> Richard,
>>>>>>>>>
>>>>>>>>> It is possible to run the conflicting application in a container,
>>>>>>>>> but I cannot prevent future applications.
>>>>>>>>>
>>>>>>>>> I will look into the alternative method, make the kerberos
>>>>>>>>> libraries linked to Samba use a different location of krb5.conf
>>>>>>>>> rather than /etc/krb5.conf.
>>>>>>>>> I have been looking at the wrong place all this time.
>>>>>>>>>
>>>>>>>>> Thanks for the pointer!
>>>>>>>>> ~Kenny
>>>>>>>>
>>>>>>>> Set the environment variable KRB5_CONFIG to another file in the
>>>>>>>> samba unit file/startup script ?
>>>>>>>>
>>>>>>>> Simo.
>>>>>>>>
>>>>>>>>> On Fri, Apr 17, 2015 at 2:02 PM, Richard Sharpe
>>>>>>>>> <realrichardsharpe at gmail.com> wrote:
>>>>>>>>>> On Fri, Apr 17, 2015 at 1:09 PM, Kenny Dinh <kdinh at peaxy.net>
>>>>>>>>>> wrote:
>>>>>>>>>>> Greeting,
>>>>>>>>>>>
>>>>>>>>>>> We are using Samba 4.1.13 on CentOS and were having an issue
>>>>>>>>>>> authenticating a user that was created in a subdomain.
>>>>>>>>>>>
>>>>>>>>>>> We found out that another application had updated the
>>>>>>>>>>> /etc/krb5.conf to match its need, and Samba was not happy about
>>>>>>>>>>> it. When we deleted the /etc/krb5.conf, Samba was able to
>>>>>>>>>>> authenticate a user from a subdomain
>>>>>>>>>>> (smbclient //localhost/share -U<subdomain>\\<user>%<password>)
>>>>>>>>>>>
>>>>>>>>>>> Note that SAMBA4_USES_HEIMDAL was not defined.
>>>>>>>>>>> This is my smb.conf
>>>>>>>>>>>
>>>>>>>>>>> # net conf list
>>>>>>>>>>> [global]
>>>>>>>>>>> idmap config *:backend = tdb
>>>>>>>>>>> idmap config *:range = 1000000-100000000
>>>>>>>>>>> idmap config *:script = /usr/mydir/bin/idmap
>>>>>>>>>>> workgroup = REPUBLIC
>>>>>>>>>>> realm = REPUBLIC.WINDC
>>>>>>>>>>> security = ads
>>>>>>>>>>> netbios name = testbox1
>>>>>>>>>>> log level = 10
>>>>>>>>>>>
>>>>>>>>>>> [blah]
>>>>>>>>>>> path = /
>>>>>>>>>>> comment = sdakjhkjh
>>>>>>>>>>> guest ok = no
>>>>>>>>>>> read only = no
>>>>>>>>>>> browseable = yes
>>>>>>>>>>>
>>>>>>>>>>> I noticed that the code path went through the
>>>>>>>>>>> create_local_private_krb5_conf_for_domain() function and created
>>>>>>>>>>> its own krb5.conf. Toward the end of the function, the code also
>>>>>>>>>>> set the KRB5_CONFIG environment variable to
>>>>>>>>>>> "/var/lib/samba/smb_krb5/krb5.conf.REPUBLIC"
>>>>>>>>>>>
>>>>>>>>>>> Here's a snippet of the log:
>>>>>>>>>>> /var/log/samba/log.smbd:[2015/04/17 10:19:25.083196, 5, pid=9003, effective(0, 0), real(0, 0)] ../source3/libads/kerberos.c:925(create_local_private_krb5_conf_for_domain)
>>>>>>>>>>> /var/log/samba/log.smbd: create_local_private_krb5_conf_for_domain: wrote file /var/lib/samba/smb_krb5/krb5.conf.REPUBLIC with realm REPUBLIC.WINDC KDC list = kdc = 10.0.3.1
>>>>>>>>>>>
>>>>>>>>>>> I searched through samba code for krb5.conf and found that
>>>>>>>>>>> "krb5_config_file" in source4\heimdal\lib\krb5\constants.c seems
>>>>>>>>>>> to be the only place that makes use of the krb5.conf file's
>>>>>>>>>>> location. Also the function where "krb5_config_file" is used in
>>>>>>>>>>> krb5_init_context() defined in source4\heimdal\lib\krb5\context.c.
>>>>>>>>>>> However, it seems that the code was never executed. I placed
>>>>>>>>>>> additional DEBUG messages in that code path but none appeared.
>>>>>>>>>>>
>>>>>>>>>>> This is the variable I was referring to.
>>>>>>>>>>> KRB5_LIB_VARIABLE const char *krb5_config_file =
>>>>>>>>>>>
>>>>>>>>>>> It seems Samba expects the default location for krb5.conf to be
>>>>>>>>>>> located at /etc/krb5.conf. However, I couldn't find the location
>>>>>>>>>>> in the code where Samba is looking for /etc/krb5.conf. Another
>>>>>>>>>>> thing that confuses me is why does Samba look into /etc/krb5.conf
>>>>>>>>>>> when it was already creating its own krb5.conf file.
>>>>>>>>>>>
>>>>>>>>>>> My goal is to prevent Samba from looking at /etc/krb5.conf to
>>>>>>>>>>> avoid conflicts between Samba and any other applications that
>>>>>>>>>>> would modify /etc/krb5.conf.
>>>>>>>>>>>
>>>>>>>>>>> Could someone point me to the code to do that?
>>>>>>>>>>
>>>>>>>>>> It's likely the kerberos libraries that are looking in that file.
>>>>>>>>>> Samba really works best if you tell it to use DNS to look up
>>>>>>>>>> services and realms, so an empty krb5.conf file works.
>>>>>>>>>>
>>>>>>>>>> However, if you need a krb5.conf for another application, is it
>>>>>>>>>> possible to run that application in a jail or container?
>>>>>>>>>>
>>>>>>>>>> Alternatively, you might have to make the kerberos libraries
>>>>>>>>>> linked to Samba use a different location or not use krb5.conf.
>>>
>>> --
>>> Regards,
>>> Richard Sharpe
>>> (What can dispel sorrow? Only Du Kang. --Cao Cao)
>>
>
>
> --
> Simo Sorce
>
--
Regards,
Richard Sharpe
(What can dispel sorrow? Only Du Kang. --Cao Cao)
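As an added example, not part of the thread and not Samba's or Red Hat's own code: a small POSIX sh check for the set-up Simo and Richard describe above, where KRB5_CONFIG is set in /etc/sysconfig/samba (sourced by the CentOS 6 init scripts, read by the RHEL 7 unit files) instead of being patched into the packaged init script. It reports what the init script would see after sourcing that file, distinguishing a plain assignment from an exported one (a SysV init script only passes exported variables to smbd and winbindd; for the RHEL 7 units, which read the file through systemd rather than sourcing it, rely on the per-process check after a restart), then reads /proc/PID/environ of the running daemons to catch the case Richard warns about, a daemon started by hand without the variable, and finally checks that the alternate file is an absolute, readable path, the slip Kenny mentions. The path /etc/samba/krb5.conf.local, the daemon list, and the use of pidof and /proc/PID/environ are assumptions made for this example, not details from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report which krb5.conf the Samba
# daemons will really use, covering the three traps discussed above:
#   1. KRB5_CONFIG set in /etc/sysconfig/samba (sourced by the RHEL 6 init
#      scripts, read by the RHEL 7 unit files) rather than in the packaged
#      init script, so package updates do not undo it;
#   2. a daemon started by hand, whose environment never got the variable;
#   3. an alternate krb5.conf that is not an absolute, readable path.
# /etc/samba/krb5.conf.local, the daemon list, pidof and /proc/PID/environ
# are assumptions made for this example, not details from the thread.

SYSCONFIG=${SYSCONFIG:-/etc/sysconfig/samba}
DAEMONS="smbd winbindd ctdbd"

# What an init script sees after sourcing FILE. Done in a subshell so this
# script's own environment is untouched; KRB5_CONFIG is cleared first so an
# inherited value cannot masquerade as a setting from the file. A plain
# KRB5_CONFIG=... line sets a shell variable only: the processes the init
# script starts inherit it only if it is exported, so a child shell is used
# to tell the two cases apart.
sysconfig_krb5_config() {
    file=$1
    [ -r "$file" ] || { echo "(no readable $file)"; return 1; }
    (
        unset KRB5_CONFIG
        . "$file"
        if [ -z "${KRB5_CONFIG:-}" ]; then
            echo "(unset)"
        elif sh -c '[ -n "${KRB5_CONFIG:-}" ]'; then
            echo "$KRB5_CONFIG"
        else
            echo "$KRB5_CONFIG (not exported: a SysV init script will not pass it to the daemons)"
        fi
    )
}

# What a running daemon was started with; reads /proc/PID/environ, which
# for a root daemon needs root. Empty means libkrb5 falls back to its
# compiled-in default, normally /etc/krb5.conf.
proc_krb5_config() {
    pid=$1
    [ -r "/proc/$pid/environ" ] || { echo "(cannot read /proc/$pid/environ)"; return 2; }
    val=$(tr '\000' '\n' < "/proc/$pid/environ" | sed -n 's/^KRB5_CONFIG=//p')
    printf '%s\n' "${val:-(unset: libkrb5 falls back to /etc/krb5.conf)}"
}

# The alternate file must be an absolute path and readable by the daemons;
# run this as root, like the daemons, for the readability check to mean
# anything.
check_krb5_file() {
    f=$1
    case $f in
        /*) ;;
        *)  echo "not an absolute path: $f"; return 1 ;;
    esac
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ -r "$f" ] || { echo "not readable: $f"; return 1; }
    echo "ok: $f"
}

main() {
    cfg=$(sysconfig_krb5_config "$SYSCONFIG") || true
    echo "$SYSCONFIG: $cfg"
    case $cfg in /*) check_krb5_file "${cfg%% *}" ;; esac
    for d in $DAEMONS; do
        pids=$(pidof "$d" 2>/dev/null) || { echo "$d: not running"; continue; }
        for pid in $pids; do
            echo "$d[$pid]: $(proc_krb5_config "$pid")"
        done
    done
}

case ${1:-} in run) main ;; esac
```

Run it as root with `sh check-krb5-env.sh run` after a restart of the services; a daemon line reading "(unset: ...)" is exactly the manually started smbd or winbindd that never saw the variable, and a sysconfig line ending in "(not exported ...)" means the init script sourced the setting but will not hand it on.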