Samba and krb5.conf

Richard Sharpe realrichardsharpe at gmail.com
Sat Apr 18 15:56:16 MDT 2015


On Sat, Apr 18, 2015 at 11:16 AM, Simo <simo at samba.org> wrote:
> On Fri, 2015-04-17 at 18:42 -0700, Kenny Dinh wrote:
>> Yes, that is exactly what I will do.
>
> No, don't rebuild anything, it's completely unnecessary.
>
> The correct way to set local configuration variables for init scripts on
> RHEL-like systems is to set them in /etc/sysconfig/samba which is
> sourced by the init script (or the unit files on RHEL7 where systemd is
> used).

Hmmm, I didn't know that ... good info.

> The sysconfig file will not be touched on updates and your env vars
> settings will be preserved.
>
> Simo.
>
>> On Fri, Apr 17, 2015 at 6:37 PM, Richard Sharpe
>> <realrichardsharpe at gmail.com> wrote:
>>         On Fri, Apr 17, 2015 at 6:20 PM, Richard Sharpe
>>         <realrichardsharpe at gmail.com> wrote:
>>         > On Fri, Apr 17, 2015 at 5:48 PM, Kenny Dinh
>>         <kdinh at peaxy.net> wrote:
>>         >> I added
>>         >>    export KRB5_CONFIG=/home/krb5.conf
>>         >>    echo "KRB5_CONFIG is $KRB5_CONFIG"
>>         >>
>>         >> into /etc/init.d/smb, /etc/init.d/winbind as well
>>         as /etc/init.d/ctdb.  That
>>         >> fixed my issue.
>>         >>
>>         >> It took me some times to verify that because I forgot to
>>         add the EV
>>         >> KRB5_CONFIG to winbind start script, and also forgot to
>>         change permission on
>>         >> the /home/krb5.conf file, in the first few times.
>>         >
>>         > OK, that is good. Remember that if you start smbd and
>>         winbindd
>>         > manually, this will not be done, so you might want that env
>>         variable
>>         > defined in root's bashrc or something, or you might want to
>>         create a
>>         > script for restarting samba.
>>
>>         There's one more thing.
>>
>>         You guys use RPMs for packaging, and that script you modified
>>         is
>>         installed via RPMs.
>>
>>         You will need to rebuilt the Samba RPM with that script
>>         modified.
>>
>>         I left instructions on how to do that. Remember to rev the
>>         extraversion number whenever you rebuild an RPM so you know
>>         which RPMs
>>         have which changes etc.
>>
>>         Briefly, find the sources, especially the source to that
>>         script file,
>>         then modify the extraversion field in the SPEC file and then
>>         rpmbuild
>>         -ba path/to/samba-spec-file
>>
>>         >> Thank you, Richard, and Simo.
>>         >> Your help was much appreciated.
>>         >> ~Kenny
>>         >>
>>         >>
>>         >>
>>         >> On Fri, Apr 17, 2015 at 4:20 PM, Richard Sharpe
>>         >> <realrichardsharpe at gmail.com> wrote:
>>         >>>
>>         >>> On Fri, Apr 17, 2015 at 3:16 PM, Kenny Dinh
>>         <kdinh at peaxy.net> wrote:
>>         >>> >
>>         >>> >> Set the environment variable KRB5_CONFIG to another
>>         file in the samba
>>         >>> >> unit file/startup script ?
>>         >>> >
>>         >>> > I'm not sure I understood this approach.  Could you help
>>         elaborate?  Are
>>         >>> > you
>>         >>> > referring to Samba4/InitScript or
>>         the /etc/rc.d/init.d/smb script file?
>>         >>> > My understanding is that smbd is run as a service so all
>>         environment
>>         >>> > variables such as KRB5_CONFIG will be discarded.
>>         >>>
>>         >>> Since your environment is CentOS 6.x, you probably want to
>>         put
>>         >>> something like the following in the Samba start script for
>>         CentOS 6.x:
>>         >>>
>>         >>>    export KRB5_CONFIG=/path/to/empty/krb5.conf
>>         >>>
>>         >>> > On Fri, Apr 17, 2015 at 3:02 PM, Simo <simo at samba.org>
>>         wrote:
>>         >>> >>
>>         >>> >> On Fri, 2015-04-17 at 14:16 -0700, Kenny Dinh wrote:
>>         >>> >> > Richard,
>>         >>> >> >
>>         >>> >> > It is possible to run the conflicting application in
>>         a container, but
>>         >>> >> > I
>>         >>> >> > cannot prevent future applications.
>>         >>> >> >
>>         >>> >> > I will look into the alternative method, make the
>>         kerberos libraries
>>         >>> >> > linked
>>         >>> >> > to Samba use a different location of krb5.conf rather
>>         than
>>         >>> >> > /etc/krb5.conf.
>>         >>> >> > I have been looking at the wrong place all this time.
>>         >>> >> >
>>         >>> >> > Thanks for the pointer!
>>         >>> >> > ~Kenny
>>         >>> >>
>>         >>> >> Set the environment variable KRB5_CONFIG to another
>>         file in the samba
>>         >>> >> unit file/startup script ?
>>         >>> >>
>>         >>> >> Simo.
>>         >>> >>
>>         >>> >> > On Fri, Apr 17, 2015 at 2:02 PM, Richard Sharpe
>>         >>> >> > <realrichardsharpe at gmail.com
>>         >>> >> > > wrote:
>>         >>> >> >
>>         >>> >> > > On Fri, Apr 17, 2015 at 1:09 PM, Kenny Dinh
>>         <kdinh at peaxy.net>
>>         >>> >> > > wrote:
>>         >>> >> > > > Greeting,
>>         >>> >> > > >
>>         >>> >> > > > We are using Samba 4.1.13 on CentOS and was
>>         having issue
>>         >>> >> > > > authenticating
>>         >>> >> > > > user that was created in a subdomain.
>>         >>> >> > > >
>>         >>> >> > > > We found out that another application had updated
>>         the
>>         >>> >> > > > /etc/krb5.conf
>>         >>> >> > > > to
>>         >>> >> > > > match its need, and Samba was not happy about it.
>>         When we
>>         >>> >> > > > deleted
>>         >>> >> > > > the
>>         >>> >> > > > /etc/krb5.conf, Samba was able to authenticate
>>         user from a
>>         >>> >> > > > subdomain
>>         >>> >> > > > (smbclient //localhost/share -U<subdomain>\
>>         \<user>%<password>)
>>         >>> >> > > >
>>         >>> >> > > > Note that SAMBA4_USES_HEIMDAL was not defined.
>>         >>> >> > > > This is my smb.conf
>>         >>> >> > > >
>>         >>> >> > > > # net conf list
>>         >>> >> > > > [global]
>>         >>> >> > > > idmap config *:backend = tdb
>>         >>> >> > > > idmap config *:range = 1000000-100000000
>>         >>> >> > > > idmap config *:script = /usr/mydir/bin/idmap
>>         >>> >> > > > workgroup = REPUBLIC
>>         >>> >> > > > realm = REPUBLIC.WINDC
>>         >>> >> > > > security = ads
>>         >>> >> > > > netbios name = testbox1
>>         >>> >> > > > log level = 10
>>         >>> >> > > >
>>         >>> >> > > > [blah]
>>         >>> >> > > > path = /
>>         >>> >> > > > comment = sdakjhkjh
>>         >>> >> > > > guest ok = no
>>         >>> >> > > > read only = no
>>         >>> >> > > > browseable = yes
>>         >>> >> > > >
>>         >>> >> > > > I noticed that the code path went
>>         >>> >> > > > through
>>         create_local_private_krb5_conf_for_domain() function and
>>         >>> >> > > > created
>>         >>> >> > > > its own krb5.conf.  Toward the end of the
>>         function, the code also
>>         >>> >> > > > set the
>>         >>> >> > > > KRB5_CONFIG environment variable to "
>>         >>> >> > > > /var/lib/samba/smb_krb5/krb5.conf.REPUBLIC"
>>         >>> >> > > >
>>         >>> >> > > > Here's a snippet of the log:
>>         >>> >> > > > /var/log/samba/log.smbd:[2015/04/17
>>         10:19:25.083196,  5,
>>         >>> >> > > > pid=9003,
>>         >>> >> > > > effective(0, 0), real(0, 0)]
>>         >>> >> > > >
>>         >>> >> > >
>>         >>> >> > >
>>         >>> >> >
>>         > ../source3/libads/kerberos.c:925(create_local_private_krb5_conf_for_domain)
>>         >>> >> > > > /var/log/samba/log.smbd:
>>         >>> >> > > > create_local_private_krb5_conf_for_domain:
>>         >>> >> > > wrote
>>         >>> >> > > > file /var/lib/samba/smb_krb5/krb5.conf.REPUBLIC
>>         with realm
>>         >>> >> > > > REPUBLIC.WINDC
>>         >>> >> > > > KDC list = kdc = 10.0.3.1
>>         >>> >> > > >
>>         >>> >> > > > I searched through samba code for krb5.conf and
>>         found that
>>         >>> >> > > > "krb5_config_file" in source4\heimdal\lib\krb5
>>         \constants.c seems
>>         >>> >> > > > to
>>         >>> >> > > > be
>>         >>> >> > > the
>>         >>> >> > > > only place that make use of krb5.conf files
>>         location.  Also the
>>         >>> >> > > > function
>>         >>> >> > > > where "krb5_config_file" is used in
>>         krb5_init_context() defined
>>         >>> >> > > > in
>>         >>> >> > > > source4\heimdal\lib\krb5\context.c.  However, it
>>         seems that the
>>         >>> >> > > > code
>>         >>> >> > > > was
>>         >>> >> > > > never executed.  I place additional DEBUG message
>>         in that code
>>         >>> >> > > > path
>>         >>> >> > > > but
>>         >>> >> > > > none appear.
>>         >>> >> > > >
>>         >>> >> > > > This is the variable I was referring to.
>>         >>> >> > > > KRB5_LIB_VARIABLE const char *krb5_config_file =
>>         >>> >> > > >
>>         >>> >> > > > It seems Samba expects the default location for
>>         krb5.conf to be
>>         >>> >> > > > located
>>         >>> >> > > at
>>         >>> >> > > > /etc/krb5.conf.  However, I couldn't find the
>>         location in the
>>         >>> >> > > > code
>>         >>> >> > > > where
>>         >>> >> > > > Samba is looking for /etc/krb5.conf.  Another
>>         thing that confuses
>>         >>> >> > > > me
>>         >>> >> > > > is
>>         >>> >> > > why
>>         >>> >> > > > does Samba look into /etc/krb5.conf when it was
>>         already creating
>>         >>> >> > > > its
>>         >>> >> > > > own
>>         >>> >> > > > krb5.conf file.
>>         >>> >> > > >
>>         >>> >> > > > My goal is to prevent Samba from looking
>>         at /etc/krb5.conf to
>>         >>> >> > > > avoid
>>         >>> >> > > > conflicts between Samba and any other
>>         applications that would
>>         >>> >> > > > modify
>>         >>> >> > > > /etc/krb5.conf.
>>         >>> >> > > >
>>         >>> >> > > > Could someone point me to the code to do that?
>>         >>> >> > >
>>         >>> >> > > It's likely the kerberos libraries that are looking
>>         in that file.
>>         >>> >> > > Samba really works best if you tell it to use DNS
>>         to look up
>>         >>> >> > > services
>>         >>> >> > > and realms, so an empty krb5.conf file works.
>>         >>> >> > >
>>         >>> >> > > However, if you need a krb5.conf for another
>>         application, is it
>>         >>> >> > > possible to run that application in a jail or
>>         container?
>>         >>> >> > >
>>         >>> >> > > Alternatively, you might have to make the kerberos
>>         libraries linked
>>         >>> >> > > to
>>         >>> >> > > Samba use a different location or not use
>>         krb5.conf.
>>
>>
>>
>>         --
>>         Regards,
>>         Richard Sharpe
>>         (何以解憂?唯有杜康。--曹操)
>>
>>
>>
>
>
> --
> Simo Sorce
>



-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)


More information about the samba-technical mailing list