[PATCH] libads: fixes to generation of custom krb5.conf

Uri Simchoni urisimchoni at gmail.com
Thu Jun 4 13:00:09 MDT 2015


DEFAULT_KRB5_PORT is in kerberos.c. Can someone suggest a good place
to put it, so that both namequery.c (which is about name resolving -
DNS) and kerberos.h (which is about.. kerberos) can see it?

Thanks,
Uri.

On Thu, Jun 4, 2015 at 9:25 PM, Jeremy Allison <jra at samba.org> wrote:
> On Thu, Jun 04, 2015 at 10:09:40AM +0300, Uri Simchoni wrote:
>> Hi,
>>
>> Attached pls find some fixes to generation of custom krb5.conf -
>> libads creates this file in order to help the kerberos client libs do
>> AD-aware and specifically site-aware kerberos.
>>
>> Patch 1/4 - fix indentation of kdcs in case of multiple kdcs
>> Patch 2/4 - when doing SRV queries, lookup _kerberos records and not
>> _ldap records. This also fixes a bug in which only KDCs of the current
>> site are listed, and KDCs of site-less query are not listed
>> Patch 3/4 - correctly merge lists, to avoid same IP address coming up
>> twice (well, maybe this one is needed because of the 2/4 fix..)
>
> In patch 3:
>
> +               port = (lookup_type == DC_ADS_ONLY) ? LDAP_PORT :
> +                       ((lookup_type == DC_KDC_ONLY) ? 88 : PORT_NONE);
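Review bot: the nested conditional on lookup_type spanning these two lines sends every value other than DC_ADS_ONLY and DC_KDC_ONLY to PORT_NONE without saying so, which is easy to misread and easy to miss when another lookup type is added. A switch on lookup_type with one case per type and an explicit default for PORT_NONE would make the type-to-port mapping auditable at a glance.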
>
> should be:
>
> +               port = (lookup_type == DC_ADS_ONLY) ? LDAP_PORT :
> +                       ((lookup_type == DC_KDC_ONLY) ? DEFAULT_KRB5_PORT : PORT_NONE);
>
> just so we don't use 88 directly and have one place
> to change all instances of it.
>
>> Patch 4/4 - make sure the "known good server" from the
>> session-affinity cache always appears first in the generated krb5.conf
>> file.
>
> Patch 4 is very clever :-). Well done !
>
>> Please review,
>> Uri.
>
> With the minor change in #3 above, 'Reviewed-by: Jeremy Allison <jra at samba.org>'
>
> Can I get a second Team reviewer ?
>
> Cheers,
>
>         Jeremy.
