[PATCH] Include system /etc/krb5.conf if we use MIT Kerberos

Andreas Schneider asn at samba.org
Wed Nov 30 15:54:38 UTC 2016


On Wednesday, 30 November 2016 16:05:24 CET Alexander Bokovoy wrote:
> On Wed, 30 Nov 2016, Andreas Schneider wrote:
> > On Wednesday, 30 November 2016 15:21:03 CET Alexander Bokovoy wrote:
> > > On Wed, 30 Nov 2016, Andreas Schneider wrote:
> > > > The system /etc/krb5.conf defines some defaults like:
> > > >     default_ccache_name = KEYRING:persistent:%{uid}
> > > > 
> > > > We need to respect that so should include it in our own created
> > > > krb5.conf file.
> > > > 
> > > > 
> > > > 
> > > > Review and push appreciated.
> > > > 
> > > > 
> > > > Thanks,
> > > > 
> > > > 	Andreas
> > > > 
> > > > From bb8e620ce1cd97d5479440ffc84bc3abc639378d Mon Sep 17 00:00:00 2001
> > > > From: Andreas Schneider <asn at samba.org>
> > > > Date: Wed, 23 Nov 2016 14:39:47 +0100
> > > > Subject: [PATCH 1/2] s3:param: Add an 'include system krb5 conf'
> > > > option
> > > > 
> > > > BUG: https://bugzilla.samba.org/show_bug.cgi?id=12441
> > > > 
> > > > Signed-off-by: Andreas Schneider <asn at samba.org>
> > > > ---
> > > > 
> > > >  docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml | 14
> > > >  ++++++++++++++
> > > >  source3/param/loadparm.c                              |  1 +
> > > >  2 files changed, 15 insertions(+)
> > > >  create mode 100644
> > > >  docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml
> > > > 
> > > > diff --git a/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml
> > > > b/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml new file mode
> > > > 100644
> > > > index 0000000..91ac3a0
> > > > --- /dev/null
> > > > +++ b/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml
> > > > @@ -0,0 +1,14 @@
> > > > +<samba:parameter name="include system krb5 conf"
> > > > +                 context="G"
> > > > +                 type="boolean"
> > > > +                
> > > > xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
> > > > +<description>
> > > > +	<para>
> > > > +		Setting this parameter to <value type="example">no</value> 
will
> > 
> > prevent
> > 
> > > > +		winbind to include the system /etc/krb5.conf file into the
> > 
> > krb5.conf
> > 
> > > > file +		it creates. See also <smbconfoption name="create krb5 
conf"/>.
> > > > +	</para>
> > > 
> > > This does not work for Heimdal, so you should actually say that in the
> > > documentation.
> > 
> > Updated.
> > 
> > > > +
> > > > +</description>
> > > > +<value type="default">yes</value>
> > > > +</samba:parameter>
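Review bot: The <description> in includesystemkrb5conf.xml only says what setting the parameter to "no" does, although the default is "yes". Please state the default behaviour first: winbind includes the system /etc/krb5.conf in the krb5.conf it generates, so settings there apply to winbind's Kerberos configuration. Also say explicitly that the option only has an effect when "create krb5 conf" is enabled, rather than leaving that to the "See also". The wording "will prevent winbind to include" should read "will prevent winbind from including".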
> > > > diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
> > > > index dc551eb..d8da749 100644
> > > > --- a/source3/param/loadparm.c
> > > > +++ b/source3/param/loadparm.c
> > > > @@ -711,6 +711,7 @@ static void init_globals(struct loadparm_context
> > > > *lp_ctx, bool reinit_globals)>
> > > > 
> > > >  	Globals.reset_on_zero_vc = false;
> > > >  	Globals.log_writeable_files_on_exit = false;
> > > >  	Globals.create_krb5_conf = true;
> > > > 
> > > > +	Globals.include_system_krb5_conf = true;
> > > > 
> > > >  	Globals._winbind_max_domain_connections = 1;
> > > >  	
> > > >  	/* hostname lookups can be very expensive and are broken on
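Review bot: Defaulting Globals.include_system_krb5_conf to true in init_globals() changes behaviour for every existing installation that already has "create krb5 conf" enabled, because the generated file will start pulling in whatever the system /etc/krb5.conf contains after an upgrade. That is worth calling out in the commit message and the release notes, so administrators know to set "include system krb5 conf = no" if they relied on the generated file being self-contained.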
> > > 
> > > How is this going to include the system config? You missed the 'include '
> > > statement.
> > 
> > The file contains two patches, scroll down :)
> 
> No, the problem is that your talloc_asprintf() statement has no 'include '
> phrase, only file name:
> > +#if !defined(SAMBA4_USES_HEIMDAL)
> > +	if (lp_include_system_krb5_conf()) {
> > +		include_system_krb5 = "/etc/krb5.conf";
> > +	}
> > +#endif
> > +
> > 
> >  	file_contents =
> > 
> > -	    talloc_asprintf(fname, "[libdefaults]\n\tdefault_realm = %s\n"
> > -				   "%s"
> > -				   "\tdns_lookup_realm = false\n\n"
> > -				   "[realms]\n\t%s = {\n"
> > -				   "%s\t}\n",
> > -			    realm_upper, enctypes, realm_upper, kdc_ip_string);
> > +	    talloc_asprintf(fname,
> > +			    "[libdefaults]\n\tdefault_realm = %s\n"
> > +			    "%s"
> > +			    "\tdns_lookup_realm = false\n\n"
> > +			    "[realms]\n\t%s = {\n"
> > +			    "%s\t}\n"
> > +			    "%s\n",
> > +			    realm_upper,
> > +			    enctypes,
> > +			    realm_upper,
> > +			    kdc_ip_string,
> > +			    include_system_krb5);
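Review bot: include_system_krb5 is passed to the trailing "%s\n" unconditionally, but this hunk only assigns it inside the #if !defined(SAMBA4_USES_HEIMDAL) / lp_include_system_krb5_conf() branch, and its declaration is not visible here. On Heimdal builds, or with the option set to "no", it must already be "" and not NULL. A NULL argument to %s is undefined behaviour, and an implementation that prints "(null)" would put that text into the generated krb5.conf. I would build the complete directive line in that branch (keyword, path and newline) and use a plain "%s" in the template, so nothing, not even a blank line, is emitted when the option is off. That also covers the missing "include " keyword raised in the thread. The hard-coded "/etc/krb5.conf" would be better as a named constant or a build-time path than a literal in the middle of the function.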
> 
> You have here "%s\n" only, not "include %s\n". Either modify
> include_system_krb5 to be "include /etc/krb5.conf" or do something about
> the template string.

Sorry, forgot to add this. I found an issue in master. Fixing it right now.

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org


