[PATCH] documentation fixes and keytab handling regression

Alexander Bokovoy ab at samba.org
Fri Dec 2 10:56:03 UTC 2016


The two attached patches improve documentation for the 'logon script' and
'dedicated keytab file' options.

The second patch also fixes a regression introduced by the commit
c2f5c30b which broke specifying storage access format for keytabs.

/ Alexander Bokovoy
From dacf1ffbc6a39c5f935faef91560e92f67769dce Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab at samba.org>
Date: Thu, 10 Nov 2016 11:07:42 +0200
Subject: [PATCH 1/2] logon script: clarify usage for different Samba roles

'logon script' is only used when Samba runs as a logon server in the
classical domain controller role. And even there, the 'ldapsam' passdb
backend will override it.

For a Samba AD setup, 'logon script' is not used at all.

Signed-off-by: Alexander Bokovoy <ab at samba.org>

 docs-xml/smbdotconf/logon/logonscript.xml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/docs-xml/smbdotconf/logon/logonscript.xml b/docs-xml/smbdotconf/logon/logonscript.xml
index 0a8d69d..f0ec8f0 100644
--- a/docs-xml/smbdotconf/logon/logonscript.xml
+++ b/docs-xml/smbdotconf/logon/logonscript.xml
@@ -43,7 +43,11 @@
-	This option is only useful if Samba is set up as a logon server.
+	This option is only useful if Samba is set up as a logon server in a classical domain controller role.
+        If Samba is set up as an Active Directory domain controller, LDAP attribute <filename moreinfo="none">scriptPath</filename>
+        is used instead. For configurations where <smbconfoption name="passdb backend">ldapsam</smbconfoption> is in use,
+        this option only defines a default value in case LDAP attribute <filename moreinfo="none">sambaLogonScript</filename>
+        is missing.
 <value type="default"></value>
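Review bot: the four added lines in this hunk are indented with eight spaces while the surrounding line (and the rest of the file, judging by the context line) uses a tab; please re-indent them with tabs so the XML source stays consistent. A second, smaller point: `<filename moreinfo="none">scriptPath</filename>` and `<filename moreinfo="none">sambaLogonScript</filename>` wrap LDAP attribute names in an element meant for file names; if the docs-xml schema has a more fitting inline element, use it, otherwise a comment noting the choice is deliberate would help the next editor. The hunk header announces 7 old and 11 new lines but only the changed lines are visible here, so the surrounding paragraph structure could not be checked.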

From 6f838f400feb9b39a39f189e27fd23f804e157b0 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <ab at samba.org>
Date: Fri, 2 Dec 2016 12:39:52 +0200
Subject: [PATCH 2/2] krb5_samba: support storage prefix for keytabs

Commit c2f5c30b broke specifying keytab storage format in 'dedicated
keytab file'. Previously we passed the keytab path as is to the
underlying Kerberos library and it handled its own prefixes. Both
Heimdal and MIT Kerberos libraries support WRFILE: and FILE: prefixes.

With Samba 4.5.0 we do not allow specifying them. This breaks
existing setups, including FreeIPA, which for several years has specified
FILE:/etc/samba/samba.keytab for 'dedicated keytab file'.

Clarify documentation and allow supporting prefixes in the keytab path.

Signed-off-by: Alexander Bokovoy <ab at samba.org>

 docs-xml/smbdotconf/security/dedicatedkeytabfile.xml | 10 ++++++++++
 lib/krb5_wrap/krb5_samba.c                           |  6 +++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/docs-xml/smbdotconf/security/dedicatedkeytabfile.xml b/docs-xml/smbdotconf/security/dedicatedkeytabfile.xml
index d516315..c7b1ef1 100644
--- a/docs-xml/smbdotconf/security/dedicatedkeytabfile.xml
+++ b/docs-xml/smbdotconf/security/dedicatedkeytabfile.xml
@@ -9,6 +9,16 @@
 	  <smbconfoption name="kerberos method"/> is set to "dedicated
+	<para>
+	  The path can optionally be prefixed with either WRFILE: or FILE:
+	  to signify use of the keytab for the Kerberos library Samba uses.
+	  WRFILE: allows Samba to add or remove credentials in the keytab,
+	  FILE: allows only to read credentials.
+	</para>
+	<para>
+	  From Samba perspective, using FILE: prefix is equivalent to specifying
+	  file path without any prefix.
+	</para>
 <related>kerberos method</related>
 <value type="default"/>
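Review bot: the first new paragraph's second line, "to signify use of the keytab for the Kerberos library Samba uses", does not say what the prefix actually selects; suggest "to select the keytab storage type understood by the Kerberos library Samba is linked against". The sentence "FILE: allows only to read credentials" also reads awkwardly; "FILE: only allows credentials to be read" keeps the meaning. In the second paragraph, "From Samba perspective, using FILE: prefix is equivalent to specifying file path without any prefix" needs articles: "From Samba's perspective, using the FILE: prefix is equivalent to specifying the file path without any prefix." Finally, since the code change in this series rejects some prefixed values with KRB5_KT_BADNAME, a sentence stating that the path after the prefix must be absolute would save administrators a round trip through the logs. The hunk header claims six lines of old context but only one is visible here, so the placement of the new paragraphs relative to the existing ones could not be verified.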
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 28884d9..29a5aba 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -1132,7 +1132,11 @@ krb5_error_code smb_krb5_kt_open(krb5_context context,
 	if (keytab_name_req != NULL) {
 		if (keytab_name_req[0] != '/') {
-			return KRB5_KT_BADNAME;
+			char *prefix = strchr(keytab_name_req, ':');
+			if ((prefix != NULL) &&
+			    (prefix[1] != '/')) {
+				return KRB5_KT_BADNAME;
+			}
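Review bot: the new check accepts any "TYPE:" prefix as long as the character after the colon is '/', not just the WRFILE: and FILE: prefixes the commit message and the documentation hunk describe; a value such as "MEMORY:/etc/krb5.keytab" now passes this test and is handed to the Kerberos library, and it also passes when the first ':' in the string is not a prefix separator at all. If the intent is to allow exactly the two documented prefixes, compare against them explicitly, e.g. `if (strncmp(keytab_name_req, "FILE:", 5) != 0 && strncmp(keytab_name_req, "WRFILE:", 7) != 0) return KRB5_KT_BADNAME;` followed by the existing absolute-path check on the remainder, so that unsupported storage types and relative paths are still rejected with KRB5_KT_BADNAME. A short comment above the `strchr` stating which prefixes are expected would make the intent clear either way. The hunk as posted ends immediately after the new block, so how the prefixed name is passed on to the library (and whether `keytab_name_req` is later compared against a plain path) could not be reviewed here.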

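As an added illustration of the keytab-name rule the second commit message describes (an absolute path, optionally prefixed with FILE: or WRFILE:, both of which Heimdal and MIT Kerberos understand), here is a small stand-alone validator. It is example code written for this page, not Samba's own `smb_krb5_kt_open`, and the function and type names (`parse_keytab_name`, `keytab_name_ok`, `keytab_name_path`, `keytab_name_is_wrfile`, `struct keytab_name`) are assumptions; it only models the outcome Samba signals with KRB5_KT_BADNAME as a boolean result. The sample values are constructed, the first being the FreeIPA setting quoted in the commit message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Samba's code: split a 'dedicated keytab file'
 * value into its storage prefix and path. Only the two prefixes the commit
 * message names, FILE: and WRFILE:, are recognised, and the remainder must
 * be an absolute path. Everything else is rejected, the case for which
 * smb_krb5_kt_open returns KRB5_KT_BADNAME. */

enum keytab_name_result {
	KEYTAB_NAME_OK = 0,
	KEYTAB_NAME_BAD = 1
};

struct keytab_name {
	const char *path;	/* absolute path with any prefix stripped */
	bool wrfile;		/* true when the WRFILE: prefix was given */
};

static const struct {
	const char *prefix;
	bool wrfile;
} known_prefixes[] = {
	{ "WRFILE:", true },
	{ "FILE:", false },
};

static enum keytab_name_result parse_keytab_name(const char *name,
						 struct keytab_name *out)
{
	const char *path;
	bool wrfile = false;
	size_t i;

	if (name == NULL || name[0] == '\0') {
		return KEYTAB_NAME_BAD;
	}

	/* Strip a recognised prefix; an unrecognised one is left in place
	 * and fails the absolute-path test below. */
	path = name;
	for (i = 0; i < sizeof(known_prefixes) / sizeof(known_prefixes[0]); i++) {
		size_t len = strlen(known_prefixes[i].prefix);
		if (strncmp(name, known_prefixes[i].prefix, len) == 0) {
			path = name + len;
			wrfile = known_prefixes[i].wrfile;
			break;
		}
	}

	/* A relative path, or an unknown "TYPE:" prefix such as MEMORY:,
	 * leaves something other than '/' here and is rejected. */
	if (path[0] != '/') {
		return KEYTAB_NAME_BAD;
	}

	if (out != NULL) {
		out->path = path;
		out->wrfile = wrfile;
	}
	return KEYTAB_NAME_OK;
}

/* Small wrappers so each property can be checked on its own. */
static int keytab_name_ok(const char *name)
{
	return parse_keytab_name(name, NULL) == KEYTAB_NAME_OK;
}

static int keytab_name_is_wrfile(const char *name)
{
	struct keytab_name kt;
	return parse_keytab_name(name, &kt) == KEYTAB_NAME_OK && kt.wrfile;
}

/* Returns the stripped path, or NULL when the name is rejected. */
static const char *keytab_name_path(const char *name)
{
	struct keytab_name kt;
	if (parse_keytab_name(name, &kt) != KEYTAB_NAME_OK) {
		return NULL;
	}
	return kt.path;
}

int main(void)
{
	/* Constructed sample values. */
	const char *samples[] = {
		"FILE:/etc/samba/samba.keytab",
		"WRFILE:/etc/samba/samba.keytab",
		"/etc/krb5.keytab",
		"FILE:samba.keytab",		/* prefixed but relative */
		"MEMORY:/etc/krb5.keytab",	/* storage type not allowed here */
		"samba.keytab",			/* bare relative path */
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		struct keytab_name kt;
		if (parse_keytab_name(samples[i], &kt) == KEYTAB_NAME_OK) {
			printf("%-32s OK  path=%s wrfile=%d\n",
			       samples[i], kt.path, (int)kt.wrfile);
		} else {
			printf("%-32s BADNAME\n", samples[i]);
		}
	}
	return 0;
}
```

Matching the prefix with `strncmp` against a fixed list, rather than scanning for the first ':' in the string, is what keeps a value like "MEMORY:/etc/krb5.keytab" or "FILE:samba.keytab" out: the first is an unsupported storage type, the second a relative path, and both end up rejected by the same absolute-path test.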