Samba and krb5.conf

Kenny Dinh kdinh at peaxy.net
Mon Apr 20 12:27:34 MDT 2015


I added "KRB5_CONF=/<mydirpath>/krb5.conf" to /etc/sysconfig/ctdb and
/etc/sysconfig/samba, and that fixed the issue.

Thank you for suggesting an update-proof and simple solution.

On Sat, Apr 18, 2015 at 2:56 PM, Richard Sharpe <realrichardsharpe at gmail.com> wrote:

> On Sat, Apr 18, 2015 at 11:16 AM, Simo <simo at samba.org> wrote:
> > On Fri, 2015-04-17 at 18:42 -0700, Kenny Dinh wrote:
> > > Yes, that is exactly what I will do.
> >
> > No, don't rebuild anything, it's completely unnecessary.
> >
> > The correct way to set local configuration variables for init scripts on
> > RHEL-like systems is to set them in /etc/sysconfig/samba which is
> > sourced by the init script (or the unit files on RHEL7 where systemd is
> > used).
>
> Hmmm, I didn't know that ... good info.
>
> > The sysconfig file will not be touched on updates and your env vars
> > settings will be preserved.
> >
> > Simo.
> >
> > > On Fri, Apr 17, 2015 at 6:37 PM, Richard Sharpe
> > > <realrichardsharpe at gmail.com> wrote:
> > > > On Fri, Apr 17, 2015 at 6:20 PM, Richard Sharpe
> > > > <realrichardsharpe at gmail.com> wrote:
> > > > > On Fri, Apr 17, 2015 at 5:48 PM, Kenny Dinh <kdinh at peaxy.net> wrote:
> > > > > > I added
> > > > > >    export KRB5_CONFIG=/home/krb5.conf
> > > > > >    echo "KRB5_CONFIG is $KRB5_CONFIG"
> > > > > >
> > > > > > into /etc/init.d/smb, /etc/init.d/winbind as well as
> > > > > > /etc/init.d/ctdb.  That fixed my issue.
> > > > > >
> > > > > > It took me some time to verify that because I forgot to add the EV
> > > > > > KRB5_CONFIG to the winbind start script, and also forgot to change
> > > > > > permissions on the /home/krb5.conf file, the first few times.
> > > > >
> > > > > OK, that is good. Remember that if you start smbd and winbindd
> > > > > manually, this will not be done, so you might want that env variable
> > > > > defined in root's bashrc or something, or you might want to create a
> > > > > script for restarting samba.
> > > >
> > > > There's one more thing.
> > > >
> > > > You guys use RPMs for packaging, and that script you modified is
> > > > installed via RPMs.
> > > >
> > > > You will need to rebuild the Samba RPM with that script modified.
> > > >
> > > > I left instructions on how to do that. Remember to rev the
> > > > extraversion number whenever you rebuild an RPM so you know which RPMs
> > > > have which changes etc.
> > > >
> > > > Briefly, find the sources, especially the source to that script file,
> > > > then modify the extraversion field in the SPEC file and then
> > > > rpmbuild -ba path/to/samba-spec-file
> > > >
> > > > > > Thank you, Richard, and Simo.
> > > > > > Your help was much appreciated.
> > > > > > ~Kenny
> > > > > >
> > > > > > On Fri, Apr 17, 2015 at 4:20 PM, Richard Sharpe
> > > > > > <realrichardsharpe at gmail.com> wrote:
> > > > > > > On Fri, Apr 17, 2015 at 3:16 PM, Kenny Dinh <kdinh at peaxy.net> wrote:
> > > > > > > > > Set the environment variable KRB5_CONFIG to another file in
> > > > > > > > > the samba unit file/startup script ?
> > > > > > > >
> > > > > > > > I'm not sure I understood this approach.  Could you help
> > > > > > > > elaborate?  Are you referring to Samba4/InitScript or the
> > > > > > > > /etc/rc.d/init.d/smb script file?  My understanding is that smbd
> > > > > > > > is run as a service so all environment variables such as
> > > > > > > > KRB5_CONFIG will be discarded.
> > > > > > >
> > > > > > > Since your environment is CentOS 6.x, you probably want to put
> > > > > > > something like the following in the Samba start script for
> > > > > > > CentOS 6.x:
> > > > > > >
> > > > > > >    export KRB5_CONFIG=/path/to/empty/krb5.conf
> > > > > > >
> > > > > > > > On Fri, Apr 17, 2015 at 3:02 PM, Simo <simo at samba.org> wrote:
> > > > > > > > > On Fri, 2015-04-17 at 14:16 -0700, Kenny Dinh wrote:
> > > > > > > > > > Richard,
> > > > > > > > > >
> > > > > > > > > > It is possible to run the conflicting application in a
> > > > > > > > > > container, but I cannot prevent future applications.
> > > > > > > > > >
> > > > > > > > > > I will look into the alternative method, make the kerberos
> > > > > > > > > > libraries linked to Samba use a different location of
> > > > > > > > > > krb5.conf rather than /etc/krb5.conf.
> > > > > > > > > > I have been looking at the wrong place all this time.
> > > > > > > > > >
> > > > > > > > > > Thanks for the pointer!
> > > > > > > > > > ~Kenny
> > > > > > > > >
> > > > > > > > > Set the environment variable KRB5_CONFIG to another file in
> > > > > > > > > the samba unit file/startup script ?
> > > > > > > > >
> > > > > > > > > Simo.
> > > > > > > > >
> > > > > > > > > > On Fri, Apr 17, 2015 at 2:02 PM, Richard Sharpe
> > > > > > > > > > <realrichardsharpe at gmail.com> wrote:
> > > > > > > > > > > On Fri, Apr 17, 2015 at 1:09 PM, Kenny Dinh
> > > > > > > > > > > <kdinh at peaxy.net> wrote:
> > > > > > > > > > > > Greeting,
> > > > > > > > > > > >
> > > > > > > > > > > > We are using Samba 4.1.13 on CentOS and were having
> > > > > > > > > > > > issues authenticating a user that was created in a
> > > > > > > > > > > > subdomain.
> > > > > > > > > > > >
> > > > > > > > > > > > We found out that another application had updated the
> > > > > > > > > > > > /etc/krb5.conf to match its need, and Samba was not
> > > > > > > > > > > > happy about it.  When we deleted the /etc/krb5.conf,
> > > > > > > > > > > > Samba was able to authenticate a user from a subdomain
> > > > > > > > > > > > (smbclient //localhost/share -U<subdomain>\\<user>%<password>)
> > > > > > > > > > > >
> > > > > > > > > > > > Note that SAMBA4_USES_HEIMDAL was not defined.
> > > > > > > > > > > > This is my smb.conf
> > > > > > > > > > > >
> > > > > > > > > > > > # net conf list
> > > > > > > > > > > > [global]
> > > > > > > > > > > > idmap config *:backend = tdb
> > > > > > > > > > > > idmap config *:range = 1000000-100000000
> > > > > > > > > > > > idmap config *:script = /usr/mydir/bin/idmap
> > > > > > > > > > > > workgroup = REPUBLIC
> > > > > > > > > > > > realm = REPUBLIC.WINDC
> > > > > > > > > > > > security = ads
> > > > > > > > > > > > netbios name = testbox1
> > > > > > > > > > > > log level = 10
> > > > > > > > > > > >
> > > > > > > > > > > > [blah]
> > > > > > > > > > > > path = /
> > > > > > > > > > > > comment = sdakjhkjh
> > > > > > > > > > > > guest ok = no
> > > > > > > > > > > > read only = no
> > > > > > > > > > > > browseable = yes
> > > > > > > > > > > >
> > > > > > > > > > > > I noticed that the code path went through the
> > > > > > > > > > > > create_local_private_krb5_conf_for_domain() function
> > > > > > > > > > > > and created its own krb5.conf.  Toward the end of the
> > > > > > > > > > > > function, the code also set the KRB5_CONFIG environment
> > > > > > > > > > > > variable to "/var/lib/samba/smb_krb5/krb5.conf.REPUBLIC"
> > > > > > > > > > > >
> > > > > > > > > > > > Here's a snippet of the log:
> > > > > > > > > > > > /var/log/samba/log.smbd:[2015/04/17 10:19:25.083196,  5, pid=9003, effective(0, 0), real(0, 0)]
> > > > > > > > > > > > ../source3/libads/kerberos.c:925(create_local_private_krb5_conf_for_domain)
> > > > > > > > > > > > /var/log/samba/log.smbd:  create_local_private_krb5_conf_for_domain: wrote file /var/lib/samba/smb_krb5/krb5.conf.REPUBLIC with realm REPUBLIC.WINDC KDC list = kdc = 10.0.3.1
> > > > > > > > > > > >
> > > > > > > > > > > > I searched through samba code for krb5.conf and found
> > > > > > > > > > > > that "krb5_config_file" in source4\heimdal\lib\krb5\constants.c
> > > > > > > > > > > > seems to be the only place that makes use of the
> > > > > > > > > > > > krb5.conf file's location.  Also the function where
> > > > > > > > > > > > "krb5_config_file" is used in krb5_init_context()
> > > > > > > > > > > > defined in source4\heimdal\lib\krb5\context.c.  However,
> > > > > > > > > > > > it seems that the code was never executed.  I placed
> > > > > > > > > > > > additional DEBUG messages in that code path but none
> > > > > > > > > > > > appeared.
> > > > > > > > > > > >
> > > > > > > > > > > > This is the variable I was referring to.
> > > > > > > > > > > > KRB5_LIB_VARIABLE const char *krb5_config_file =
> > > > > > > > > > > >
> > > > > > > > > > > > It seems Samba expects the default location for
> > > > > > > > > > > > krb5.conf to be located at /etc/krb5.conf.  However, I
> > > > > > > > > > > > couldn't find the location in the code where Samba is
> > > > > > > > > > > > looking for /etc/krb5.conf.  Another thing that confuses
> > > > > > > > > > > > me is why Samba looks into /etc/krb5.conf when it was
> > > > > > > > > > > > already creating its own krb5.conf file.
> > > > > > > > > > > >
> > > > > > > > > > > > My goal is to prevent Samba from looking at
> > > > > > > > > > > > /etc/krb5.conf to avoid conflicts between Samba and any
> > > > > > > > > > > > other applications that would modify /etc/krb5.conf.
> > > > > > > > > > > >
> > > > > > > > > > > > Could someone point me to the code to do that?
> > > > > > > > > > >
> > > > > > > > > > > It's likely the kerberos libraries that are looking in
> > > > > > > > > > > that file.  Samba really works best if you tell it to use
> > > > > > > > > > > DNS to look up services and realms, so an empty krb5.conf
> > > > > > > > > > > file works.
> > > > > > > > > > >
> > > > > > > > > > > However, if you need a krb5.conf for another application,
> > > > > > > > > > > is it possible to run that application in a jail or
> > > > > > > > > > > container?
> > > > > > > > > > >
> > > > > > > > > > > Alternatively, you might have to make the kerberos
> > > > > > > > > > > libraries linked to Samba use a different location or not
> > > > > > > > > > > use krb5.conf.
> > > >
> > > > --
> > > > Regards,
> > > > Richard Sharpe
> > > > (何以解憂?唯有杜康。--曹操)
> > >
> >
> > --
> > Simo Sorce
> >
>
> --
> Regards,
> Richard Sharpe
> (何以解憂?唯有杜康。--曹操)
>
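As an added check (not code from the thread or from Samba): a small POSIX shell function that validates a sysconfig-style environment file of the kind the thread settles on, confirming that it sets KRB5_CONFIG, the variable name both MIT Kerberos and Heimdal read, and that the file it names is readable by the caller. The temp directory and the three sample env files are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a sysconfig-style
# environment file (the /etc/sysconfig/samba or /etc/sysconfig/ctdb file
# the thread settles on) before trusting it to point Samba's linked
# Kerberos libraries at a private krb5.conf.
#
# Both MIT libkrb5 and Heimdal honour the variable KRB5_CONFIG. A file
# that assigns a near-miss name such as KRB5_CONF is silently ignored,
# and so is a path the daemons cannot read (the original poster lost
# time on the permissions of his /home/krb5.conf).
#
# Returns 0 when KRB5_CONFIG names a readable file, 1 when the variable
# is missing or misspelled, 2 when it points at an unreadable path.
check_krb5_env() {
    envfile=$1
    # Source the file in a subshell so its assignments stay local, then
    # print the value the daemons would inherit from the init script.
    value=$(
        unset KRB5_CONFIG           # ignore whatever this shell has set
        . "$envfile" 2>/dev/null
        printf '%s' "${KRB5_CONFIG-}"
    )
    if [ -z "$value" ]; then
        if grep -Eq '^[[:space:]]*(export[[:space:]]+)?KRB5_CONF=' "$envfile"; then
            echo "$envfile: sets KRB5_CONF, but libkrb5 reads KRB5_CONFIG" >&2
        else
            echo "$envfile: KRB5_CONFIG is not set" >&2
        fi
        return 1
    fi
    if [ ! -r "$value" ]; then
        echo "$envfile: KRB5_CONFIG=$value is not a readable file" >&2
        return 2
    fi
    echo "$envfile: KRB5_CONFIG=$value ok"
    return 0
}

# Constructed samples in a temp dir: an empty krb5.conf (so the libraries
# fall back to DNS for realm and KDC lookup, as suggested in the thread),
# one correct env file, one with the misspelled name, and one pointing at
# a path that does not exist.
demo_dir=$(mktemp -d)
: > "$demo_dir/krb5.conf"
printf 'KRB5_CONFIG=%s\n' "$demo_dir/krb5.conf"    > "$demo_dir/samba.good"
printf 'KRB5_CONF=%s\n'   "$demo_dir/krb5.conf"    > "$demo_dir/samba.typo"
printf 'KRB5_CONFIG=%s\n' "$demo_dir/missing.conf" > "$demo_dir/samba.missing"
check_krb5_env "$demo_dir/samba.good"
```

Run it against the real /etc/sysconfig/samba and /etc/sysconfig/ctdb as the user the daemons start as; a non-zero exit tells you which of the two mistakes described in the thread the file has.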

