[PATCHSET] Some patches from the MIT KDC branch

Andreas Schneider asn at samba.org
Thu Jul 9 09:22:00 UTC 2015


On Thursday 09 July 2015 10:28:29 Stefan Metzmacher wrote:
> Hi Andreas,
> 
> >>> From cbb6a9e9148a911431fa9c1ba722df3ec9f08bd2 Mon Sep 17 00:00:00 2001
> >>> From: Andreas Schneider <asn at samba.org>
> >>> Date: Mon, 26 Jan 2015 19:30:36 +0100
> >>> Subject: [PATCH 1/8] samba_dnsupdate: Use selftest krb5.conf.
> >>> 
> >>> This fixes a chicken and egg problem in selftest.
> >>> 
> >>> Signed-off-by: Andreas Schneider <asn at samba.org>
> >>> ---
> >>> 
> >>>  source4/scripting/bin/samba_dnsupdate | 15 +++++++++++----
> >>>  1 file changed, 11 insertions(+), 4 deletions(-)
> >>> 
> >>> diff --git a/source4/scripting/bin/samba_dnsupdate
> >>> b/source4/scripting/bin/samba_dnsupdate index 7f94067..8cddea0 100755
> >>> --- a/source4/scripting/bin/samba_dnsupdate
> >>> +++ b/source4/scripting/bin/samba_dnsupdate
> >>> 
> >>> @@ -507,10 +507,17 @@ if opts.update_cache:
> >>>  else:
> >>>      dns_update_cache = lp.private_path('dns_update_cache')
> >>> 
> >>> -# use our private krb5.conf to avoid problems with the wrong domain
> >>> -# bind9 nsupdate wants the default domain set
> >>> -krb5conf = lp.private_path('krb5.conf')
> >>> -os.environ['KRB5_CONFIG'] = krb5conf
> >>> +# The selftest chicken-egg problem:
> >>> +#
> >>> +# This script sets up the initial name server entries in our selftest
> >>> +# environment. It asks for a kerberos ticket but if it can't find it if
> >>> +# it asks the nameserver cause the required entry is not there yet.
> >>> +resolv_wrapper = os.getenv('RESOLV_WRAPPER')
> >>> +if resolv_wrapper:
> >>> +    # use our private krb5.conf to avoid problems with the wrong domain
> >>> +    # bind9 nsupdate wants the default domain set
> >>> +    krb5conf = lp.private_path('krb5.conf')
> >>> +    os.environ['KRB5_CONFIG'] = krb5conf
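Review bot: the new `if resolv_wrapper:` guard makes the KRB5_CONFIG override conditional on an environment variable, so a run where RESOLV_WRAPPER is unset no longer points KRB5_CONFIG at lp.private_path('krb5.conf'), which the removed lines did unconditionally. The added comment describes the selftest problem but does not say who sets RESOLV_WRAPPER or which of the two cases (variable set, variable unset) is the selftest one; please state that in the comment and confirm that the non-selftest path still gets the private krb5.conf. The comment sentence "It asks for a kerberos ticket but if it can't find it if it asks the nameserver" is also hard to parse and should be reworded.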
> >> 
> >> I'm pretty sure I nacked exactly this patch a few months ago.
> >> 
> >> I don't understand what this change is supposed to do.
> >> Who will ever set RESOLV_WRAPPER? We only have RESOLV_WRAPPER_CONF
> >> and RESOLV_WRAPPER_HOSTS.
> >> 
> >> But still I don't understand it.
> >> 
> >> The real fix is to just have one krb5.conf in selftest envs.
> > 
> > The thing is that selftest creates a krb5.conf for the daemons and
> > samba-tool creates one during provision.
> > 
> > st/ad_dc_ntvfs/etc/krb5.conf is the one selftest creates which has the ip
> > addresses for the kdc in the config file
> 
> Would it work to use st/ad_dc_ntvfs/private/krb5.conf here too,
> so that provision will just overwrite it?

No, cause it also configures additional realms, pkinit etc.


> > st/ad_dc_ntvfs/private/krb5.conf is the config samba-tool creates.
> > 
> > It might be the correct fix is:
> > https://git.samba.org/?p=asn/samba.git;a=commitdiff;h=fab9ae4e0d7d175a7c4f5af969231a4116c1a2db
> Reviewed-by: me
> 
> This is correct for sure, see the other discussion around
> dns_lookup_realm = false on the list.
> 
> metze

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org