[PATCH] Include system /etc/krb5.conf if we use MIT Kerberos
Alexander Bokovoy
ab at samba.org
Wed Nov 30 13:21:03 UTC 2016
On ke, 30 marras 2016, Andreas Schneider wrote:
> The system /etc/krb5.conf defines some defaults like:
>
> default_ccache_name = KEYRING:persistent:%{uid}
>
> We need to respect that so should include it in our own created
> krb5.conf file.
>
>
>
> Review and push appreciated.
>
>
> Thanks,
>
>
> Andreas
>
> --
> Andreas Schneider GPG-ID: CC014E3D
> Samba Team asn at samba.org
> www.samba.org
> From bb8e620ce1cd97d5479440ffc84bc3abc639378d Mon Sep 17 00:00:00 2001
> From: Andreas Schneider <asn at samba.org>
> Date: Wed, 23 Nov 2016 14:39:47 +0100
> Subject: [PATCH 1/2] s3:param: Add an 'include system krb5 conf' option
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=12441
>
> Signed-off-by: Andreas Schneider <asn at samba.org>
> ---
> docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml | 14 ++++++++++++++
> source3/param/loadparm.c | 1 +
> 2 files changed, 15 insertions(+)
> create mode 100644 docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml
>
> diff --git a/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml b/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml
> new file mode 100644
> index 0000000..91ac3a0
> --- /dev/null
> +++ b/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml
> @@ -0,0 +1,14 @@
> +<samba:parameter name="include system krb5 conf"
> + context="G"
> + type="boolean"
> + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> +<description>
> + <para>
> + Setting this parameter to <value type="example">no</value> will prevent
> + winbind to include the system /etc/krb5.conf file into the krb5.conf file
> + it creates. See also <smbconfoption name="create krb5 conf"/>.
> + </para>
This does not work for Heimdal, so you should actually say that in the
documentation.
> +
> +</description>
> +<value type="default">yes</value>
> +</samba:parameter>
> diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
> index dc551eb..d8da749 100644
> --- a/source3/param/loadparm.c
> +++ b/source3/param/loadparm.c
> @@ -711,6 +711,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
> Globals.reset_on_zero_vc = false;
> Globals.log_writeable_files_on_exit = false;
> Globals.create_krb5_conf = true;
> + Globals.include_system_krb5_conf = true;
> Globals._winbind_max_domain_connections = 1;
>
> /* hostname lookups can be very expensive and are broken on
> --
> 2.10.2
>
>
> From 4a3831a761625238ecda478e58a5890dcbe1c604 Mon Sep 17 00:00:00 2001
> From: Andreas Schneider <asn at samba.org>
> Date: Wed, 23 Nov 2016 14:40:42 +0100
> Subject: [PATCH 2/2] s3:libads: Include system /etc/krb5.conf if we use MIT
> Kerberos
>
> The system /etc/krb5.conf defines some defaults like:
>
> default_ccache_name = KEYRING:persistent:%{uid}
>
> We need to respect that so should include it in our own created
> krb5.conf file.
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=12441
>
> Signed-off-by: Andreas Schneider <asn at samba.org>
> ---
> source3/libads/kerberos.c | 25 +++++++++++++++++++------
> 1 file changed, 19 insertions(+), 6 deletions(-)
>
> diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
> index 1203153..6a16fb7 100644
> --- a/source3/libads/kerberos.c
> +++ b/source3/libads/kerberos.c
> @@ -968,6 +968,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
> char *realm_upper = NULL;
> bool result = false;
> char *enctypes = NULL;
> + const char *include_system_krb5 = "";
> mode_t mask;
>
> if (!lp_create_krb5_conf()) {
> @@ -1023,13 +1024,25 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
> goto done;
> }
>
> +#if !defined(SAMBA4_USES_HEIMDAL)
> + if (lp_include_system_krb5_conf()) {
> + include_system_krb5 = "/etc/krb5.conf";
> + }
> +#endif
> +
> file_contents =
> - talloc_asprintf(fname, "[libdefaults]\n\tdefault_realm = %s\n"
> - "%s"
> - "\tdns_lookup_realm = false\n\n"
> - "[realms]\n\t%s = {\n"
> - "%s\t}\n",
> - realm_upper, enctypes, realm_upper, kdc_ip_string);
> + talloc_asprintf(fname,
> + "[libdefaults]\n\tdefault_realm = %s\n"
> + "%s"
> + "\tdns_lookup_realm = false\n\n"
> + "[realms]\n\t%s = {\n"
> + "%s\t}\n"
> + "%s\n",
> + realm_upper,
> + enctypes,
> + realm_upper,
> + kdc_ip_string,
> + include_system_krb5);
How this is going to include the system config? You missed 'include '
statement.
--
/ Alexander Bokovoy
More information about the samba-technical
mailing list