[PATCHSET] Some patches from the MIT KDC branch

Stefan (metze) Metzmacher metze at samba.org
Thu Jul 9 08:28:29 UTC 2015


Hi Andreas,

>>> From cbb6a9e9148a911431fa9c1ba722df3ec9f08bd2 Mon Sep 17 00:00:00 2001
>>> From: Andreas Schneider <asn at samba.org>
>>> Date: Mon, 26 Jan 2015 19:30:36 +0100
>>> Subject: [PATCH 1/8] samba_dnsupdate: Use selftest krb5.conf.
>>>
>>> This fixes a chicken and egg problem in selftest.
>>>
>>> Signed-off-by: Andreas Schneider <asn at samba.org>
>>> ---
>>>
>>>  source4/scripting/bin/samba_dnsupdate | 15 +++++++++++----
>>>  1 file changed, 11 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/source4/scripting/bin/samba_dnsupdate
>>> b/source4/scripting/bin/samba_dnsupdate index 7f94067..8cddea0 100755
>>> --- a/source4/scripting/bin/samba_dnsupdate
>>> +++ b/source4/scripting/bin/samba_dnsupdate
>>>
>>> @@ -507,10 +507,17 @@ if opts.update_cache:
>>>  else:
>>>      dns_update_cache = lp.private_path('dns_update_cache')
>>>
>>> -# use our private krb5.conf to avoid problems with the wrong domain
>>> -# bind9 nsupdate wants the default domain set
>>> -krb5conf = lp.private_path('krb5.conf')
>>> -os.environ['KRB5_CONFIG'] = krb5conf
>>> +# The selftest chicken-egg problem:
>>> +#
>>> +# This script sets up the initial name server entries in our selftest
>>> +# environment. It asks for a kerberos ticket but if it can't find it if
>>> +# it asks the nameserver cause the required entry is not there yet.
>>> +resolv_wrapper = os.getenv('RESOLV_WRAPPER')
>>> +if resolv_wrapper:
>>> +    # use our private krb5.conf to avoid problems with the wrong domain
>>> +    # bind9 nsupdate wants the default domain set
>>> +    krb5conf = lp.private_path('krb5.conf')
>>> +    os.environ['KRB5_CONFIG'] = krb5conf
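
Review bot: The new `if resolv_wrapper:` gate has no else branch, so a run where RESOLV_WRAPPER is unset no longer sets KRB5_CONFIG at all, even though the removed comment says the private krb5.conf is needed to avoid wrong-domain problems and because bind9 nsupdate wants the default domain set. Either keep the `os.environ['KRB5_CONFIG'] = krb5conf` assignment unconditional or state in the comment which krb5.conf is expected to be picked up in the ungated case and why that is safe. The added comment block is also hard to parse ("but if it can't find it if it asks the nameserver") and should say plainly which lookup fails and which file fixes it; note too that the subject says "Use selftest krb5.conf" while the hunk only ever references `lp.private_path('krb5.conf')`.
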
>>
>> I'm pretty sure I nacked exactly this patch a few months ago.
>>
>> I don't understand what this change is supposed to do.
>> Who will ever set RESOLV_WRAPPER? We only have RESOLV_WRAPPER_CONF
>> and RESOLV_WRAPPER_HOSTS.
>>
>> But still I don't understand it.
>>
>> The real fix is to just have one krb5.conf in selftest envs.
> 
> The thing is that selftest creates a krb5.conf for the daemons and samba-tool 
> creates one during provision.
> 
> st/ad_dc_ntvfs/etc/krb5.conf is the one selftest creates which has the IP
> addresses for the kdc in the config file

Would it work to use st/ad_dc_ntvfs/private/krb5.conf here too,
so that provision will just overwrite it?

> st/ad_dc_ntvfs/private/krb5.conf is the config samba-tool creates.
> 
> It might be the correct fix is:
> https://git.samba.org/?p=asn/samba.git;a=commitdiff;h=fab9ae4e0d7d175a7c4f5af969231a4116c1a2db

Reviewed-by: me

This is correct for sure, see the other discussion around
dns_lookup_realm = false on the list.

metze
