[PATCH] Include system /etc/krb5.conf if we use MIT Kerberos

Alexander Bokovoy ab at samba.org
Wed Nov 30 13:21:03 UTC 2016


On Wed, 30 Nov 2016, Andreas Schneider wrote:
> The system /etc/krb5.conf defines some defaults like:
> 
>     default_ccache_name = KEYRING:persistent:%{uid}
> 
> We need to respect that so should include it in our own created
> krb5.conf file.
> 
> 
> 
> Review and push appreciated.
> 
> 
> Thanks,
> 
> 
> 	Andreas
> 
> -- 
> Andreas Schneider                   GPG-ID: CC014E3D
> Samba Team                             asn at samba.org
> www.samba.org

> From bb8e620ce1cd97d5479440ffc84bc3abc639378d Mon Sep 17 00:00:00 2001
> From: Andreas Schneider <asn at samba.org>
> Date: Wed, 23 Nov 2016 14:39:47 +0100
> Subject: [PATCH 1/2] s3:param: Add an 'include system krb5 conf' option
> 
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=12441
> 
> Signed-off-by: Andreas Schneider <asn at samba.org>
> ---
>  docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml | 14 ++++++++++++++
>  source3/param/loadparm.c                              |  1 +
>  2 files changed, 15 insertions(+)
>  create mode 100644 docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml
> 
> diff --git a/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml b/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml
> new file mode 100644
> index 0000000..91ac3a0
> --- /dev/null
> +++ b/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml
> @@ -0,0 +1,14 @@
> +<samba:parameter name="include system krb5 conf"
> +                 context="G"
> +                 type="boolean"
> +                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> +<description>
> +	<para>
> +		Setting this parameter to <value type="example">no</value> will prevent
> +		winbind to include the system /etc/krb5.conf file into the krb5.conf file
> +		it creates. See also <smbconfoption name="create krb5 conf"/>.
> +	</para>

This does not work for Heimdal, so you should actually say that in the
documentation.

> +
> +</description>
> +<value type="default">yes</value>
> +</samba:parameter>
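
Review bot: The sentence "will prevent winbind to include" in the <para> is ungrammatical and covers only the no case; suggest "will prevent winbind from including the system /etc/krb5.conf file in the krb5.conf file it creates", plus one sentence on what the default yes does. The text should also say that the option has an effect only when create krb5 conf is enabled, because the function changed in 2/2 tests !lp_create_krb5_conf() before the new setting is consulted, and it should name the hard-coded path as the only file that is pulled in.
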
> diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
> index dc551eb..d8da749 100644
> --- a/source3/param/loadparm.c
> +++ b/source3/param/loadparm.c
> @@ -711,6 +711,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
>  	Globals.reset_on_zero_vc = false;
>  	Globals.log_writeable_files_on_exit = false;
>  	Globals.create_krb5_conf = true;
> +	Globals.include_system_krb5_conf = true;
>  	Globals._winbind_max_domain_connections = 1;
>  
>  	/* hostname lookups can be very expensive and are broken on
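
Review bot: The added line Globals.include_system_krb5_conf = true; switches the new behaviour on for every existing installation, while the commit message of 1/2 carries only the BUG link and the sign-off. Suggest a short message body that states why default-on is wanted and what changes for an administrator on upgrade, namely that settings from the system /etc/krb5.conf now reach the private krb5.conf that winbind generates.
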
> -- 
> 2.10.2
> 
> 
> From 4a3831a761625238ecda478e58a5890dcbe1c604 Mon Sep 17 00:00:00 2001
> From: Andreas Schneider <asn at samba.org>
> Date: Wed, 23 Nov 2016 14:40:42 +0100
> Subject: [PATCH 2/2] s3:libads: Include system /etc/krb5.conf if we use MIT
>  Kerberos
> 
> The system /etc/krb5.conf defines some defaults like:
> 
>     default_ccache_name = KEYRING:persistent:%{uid}
> 
> We need to respect that so should include it in our own created
> krb5.conf file.
> 
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=12441
> 
> Signed-off-by: Andreas Schneider <asn at samba.org>
> ---
>  source3/libads/kerberos.c | 25 +++++++++++++++++++------
>  1 file changed, 19 insertions(+), 6 deletions(-)
> 
> diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
> index 1203153..6a16fb7 100644
> --- a/source3/libads/kerberos.c
> +++ b/source3/libads/kerberos.c
> @@ -968,6 +968,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
>  	char *realm_upper = NULL;
>  	bool result = false;
>  	char *enctypes = NULL;
> +	const char *include_system_krb5 = "";
>  	mode_t mask;
>  
>  	if (!lp_create_krb5_conf()) {
> @@ -1023,13 +1024,25 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
>  		goto done;
>  	}
>  
> +#if !defined(SAMBA4_USES_HEIMDAL)
> +	if (lp_include_system_krb5_conf()) {
> +		include_system_krb5 = "/etc/krb5.conf";
> +	}
> +#endif
> +
>  	file_contents =
> -	    talloc_asprintf(fname, "[libdefaults]\n\tdefault_realm = %s\n"
> -				   "%s"
> -				   "\tdns_lookup_realm = false\n\n"
> -				   "[realms]\n\t%s = {\n"
> -				   "%s\t}\n",
> -			    realm_upper, enctypes, realm_upper, kdc_ip_string);
> +	    talloc_asprintf(fname,
> +			    "[libdefaults]\n\tdefault_realm = %s\n"
> +			    "%s"
> +			    "\tdns_lookup_realm = false\n\n"
> +			    "[realms]\n\t%s = {\n"
> +			    "%s\t}\n"
> +			    "%s\n",
> +			    realm_upper,
> +			    enctypes,
> +			    realm_upper,
> +			    kdc_ip_string,
> +			    include_system_krb5);
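
Review bot: In the rewritten talloc_asprintf() call the trailing "%s\n" writes include_system_krb5 as a line of its own after the closing "\t}\n" of the [realms] block, and the value assigned above is the bare string "/etc/krb5.conf", so the generated file ends in a stray path rather than a directive. Suggest storing the complete line in the variable, for example "include /etc/krb5.conf\n", and reducing the format to "%s", so that the Heimdal build and the disabled case (where the variable stays "") do not emit an empty line either. Nothing in the hunk checks that /etc/krb5.conf exists or is readable before the generated file refers to it; a check before the assignment, with the reference skipped when the file is absent, would keep a missing system file from affecting the private config.
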
How is this going to include the system config? You missed the 'include '
statement.


-- 
/ Alexander Bokovoy


