[WHATSNEW] Samba AD with MIT Kerberos + Version change

Rowland Penny rpenny at samba.org
Wed May 3 09:40:23 UTC 2017


On Wed, 3 May 2017 10:20:41 +0100
Rowland Penny via samba-technical <samba-technical at lists.samba.org>
wrote:

> On Wed, 03 May 2017 09:21:38 +0200
> Andreas Schneider <asn at samba.org> wrote:
> 
> > On Wednesday, 3 May 2017 09:10:10 CEST Rowland Penny via
> > samba-technical wrote:
> > > On Wed, 03 May 2017 08:30:22 +0200
> > > 
> > > Andreas Schneider <asn at samba.org> wrote:
> > > > On Wednesday, 3 May 2017 07:48:34 CEST Rowland Penny wrote:
> > > > > On Tue, 2 May 2017 15:39:06 -0600
> > > > > 
> > > > > Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> > > > > > > The output says to look
> > > > > > > here /usr/local/samba/private/krb5.conf from the locations
> > > > > > > you are looking. It looks like you might have missed that.
> > > > > 
> > > > > Nope, that is the standard krb5.conf and I have moved it (as I
> > > > > always do) to /etc/krb5.conf, unless I am missing something,
> > > > > this is not the kdc.conf
> > > > 
> > > > samba-tool domain provision --help
> > > > 
> > > > 
> > > > ~snip~
> > > > 
> > > >   --kdc-config-dir=KDC-CONFIG-DIR
> > > >   
> > > >                         Set the MIT KDC config directory
> > > >                         (default='/var/kerberos/krb5kdc')
> > > > 
> > > > ~snip~
> > > > 
> > > > So, by default it creates the file in /var/kerberos/krb5kdc for
> > > > me. And that works just fine.
> > > > 
> > > > However, you're right, specifying a location with the option
> > > > --kdc-config-dir= doesn't work. You found a bug :)
> > > 
> > > Do you mean the one where it is being set to 'kdc_default_config_dir
> > > = "None"' in kerberos_implementation.py?
> > 
> > https://git.samba.org/?p=asn/samba.git;a=commitdiff;h=fb4053949e3d4a0c3ab97cc30b5f3bdc53f914ae
> > 
> > should fix the issue with the default config.
> > 
> > 
> > However python/samba/netcmd/domain.py this reads --kdc-config-dir
> > and passes it down to the provision function. Somewhere on the way
> > down the stack it is probably lost so that the default location is
> > used :(
> > 
> > 
> > 	Andreas
> 
> OK, I think I have found out why 'kdc.conf' isn't getting created ;-)
> 
> in 'kerberos.py' there is this def:
> 
> def make_kdcconf(realm, domain, kdcconfdir, logdir):
> 
> if I comment out these lines, it does get created:
> 
>     if _glue.is_heimdal_built:
>         return
> 
> Is it possible that something is saying that heimdal is built, even
> though it isn't ?
> 
> I still haven't got anything listening on port 88.
> 
> Rowland
> 

OK, it looks like you don't actually need the '_glue' part, if you look
at samba.provision.__init__.py there is this:

is_heimdal_built = _glue.is_heimdal_built

and if you change 'from samba import _glue' to 'from samba import
is_heimdal_built' in kerberos.py and then change

    if _glue.is_heimdal_built:
        return

to

    if is_heimdal_built:
        print "heimdal built"
        return

It prints the message and doesn't create kdc.conf.

So it looks to me that somewhere in the build process, Heimdal is being
set as built even though it has been disabled.

From 'make'

symlink: rpc/dcerpc.py -> python/samba/dcerpc/__init__.py
        Selected system MIT krb5 libraries, Heimdal use is disabled
symlink: samba-tool -> ./samba-tool

Rowland
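
One possible explanation for the symptom in this message, as an added example that is not code from the thread or from Samba: if `is_heimdal_built` is a function rather than a boolean (an assumption; the thread does not say), testing the attribute without calling it is always true, whatever the build selected. `make_glue`, `guard_as_quoted`, `guard_called`, `diagnose` and the placeholder kdc.conf body are constructed for illustration.

```python
import os
import tempfile
import types


def make_glue(heimdal_built):
    """Constructed stand-in for samba._glue (assumption: the real
    is_heimdal_built is a function, which the thread does not confirm)."""
    return types.SimpleNamespace(is_heimdal_built=lambda: heimdal_built)


def _write_kdcconf(kdcconfdir):
    # Placeholder body, not Samba's kdc.conf template.
    path = os.path.join(kdcconfdir, "kdc.conf")
    with open(path, "w") as f:
        f.write("# constructed placeholder\n")
    return path


def guard_as_quoted(glue, kdcconfdir):
    """Guard in the form quoted in the thread: tests the attribute itself."""
    if glue.is_heimdal_built:      # a function object is always truthy
        return None
    return _write_kdcconf(kdcconfdir)


def guard_called(glue, kdcconfdir):
    """Same guard, but testing the function's return value."""
    if glue.is_heimdal_built():
        return None
    return _write_kdcconf(kdcconfdir)


def diagnose(glue):
    """Report what the guard actually evaluates, to tell a build-flag
    problem apart from an uncalled function."""
    attr = glue.is_heimdal_built
    return {
        "callable": callable(attr),
        "truth_of_attribute": bool(attr),
        "value": attr() if callable(attr) else attr,
    }


if __name__ == "__main__":
    mit_build = make_glue(heimdal_built=False)   # MIT krb5 selected
    with tempfile.TemporaryDirectory() as d:
        print(diagnose(mit_build))
        print("as quoted:", guard_as_quoted(mit_build, d))
        print("called:   ", guard_called(mit_build, d))
```

Running the equivalent of `diagnose` against the real module shows which case applies: a `callable` of `True` with a `value` of `False` points at the guard, not the build.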


