[WHATSNEW] Samba AD with MIT Kerberos + Version change

Rowland Penny rpenny at samba.org
Wed May 3 11:12:06 UTC 2017


On Wed, 03 May 2017 13:00:54 +0200
Andreas Schneider <asn at samba.org> wrote:

> On Wednesday, 3 May 2017 11:40:23 CEST Rowland Penny wrote:
> > On Wed, 3 May 2017 10:20:41 +0100
> > Rowland Penny via samba-technical <samba-technical at lists.samba.org>
> > wrote:
> > > On Wed, 03 May 2017 09:21:38 +0200
> > > Andreas Schneider <asn at samba.org> wrote:
> > > > On Wednesday, 3 May 2017 09:10:10 CEST Rowland Penny via
> > > > samba-technical wrote:
> > > > > On Wed, 03 May 2017 08:30:22 +0200
> > > > > Andreas Schneider <asn at samba.org> wrote:
> > > > > > On Wednesday, 3 May 2017 07:48:34 CEST Rowland Penny wrote:
> > > > > > > On Tue, 2 May 2017 15:39:06 -0600
> > > > > > > Jeff Sadowski <jeff.sadowski at gmail.com> wrote:
> > > > > > > > The output says to look
> > > > > > > > here /usr/local/samba/private/krb5.conf from the
> > > > > > > > locations you are looking. It looks like you might have
> > > > > > > > missed that.
> > > > > > > 
> > > > > > > Nope, that is the standard krb5.conf and I have moved it
> > > > > > > (as I always do) to /etc/krb5.conf, unless I am missing
> > > > > > > something, this is not the kdc.conf
> > > > > > 
> > > > > > samba-tool domain provision --help
> > > > > > 
> > > > > > 
> > > > > > ~snip~
> > > > > > 
> > > > > >   --kdc-config-dir=KDC-CONFIG-DIR
> > > > > >   
> > > > > >                         Set the MIT KDC config directory
> > > > > >                         (default='/var/kerberos/krb5kdc')
> > > > > > 
> > > > > > ~snip~
> > > > > > 
> > > > > > So, by default it creates the file in /var/kerberos/krb5kdc
> > > > > > for me. And that works just fine.
> > > > > > 
> > > > > > However, you're right, specifying a location with the option
> > > > > > --kdc-config-dir= doesn't work. You found a bug :)
> > > > > 
> > > > > Do you mean the one where it being set to
> > > > > 'kdc_default_config_dir = "None"' in
> > > > > kerberos_implementation.py ?
> > > > 
> > > > https://git.samba.org/?p=asn/samba.git;a=commitdiff;h=fb4053949e3d4a0c3ab97cc30b5f3bdc53f914ae
> > > > 
> > > > should fix the issue with the default config.
> > > > 
> > > > 
> > > > However python/samba/netcmd/domain.py this reads
> > > > --kdc-config-dir and passes it down to the provision function.
> > > > Somewhere on the way down the stack it is probably lost so that
> > > > the default location is used :(
> > > > 
> > > > 	Andreas
> > > 
> > > OK, I think I have found out why 'kdc.conf' isn't getting
> > > created ;-)
> > > 
> > > in 'kerberos.py' there is this def:
> > > 
> > > def make_kdcconf(realm, domain, kdcconfdir, logdir):
> > > 
> > > if I comment out these lines, it does get created:
> > >     if _glue.is_heimdal_built:
> > >         return
> > > 
> > > Is it possible that something is saying that heimdal is built,
> > > even though it isn't ?
> > > 
> > > I still haven't got anything listening on port 88.
> > > 
> > > Rowland
> > 
> > OK, it looks like you don't actually need the '_glue' part, if you
> > look at samba.provision.__init__py there is this:
> > 
> > is_heimdal_built = _glue.is_heimdal_built
> > 
> > and if you change 'from samba import _glue' to 'from samba import
> > is_heimdal_built' in kerberos.py and then change
> > 
> >     if _glue.is_heimdal_built:
> >         return
> > 
> > To
> > 
> >     if is_heimdal_built:
> >         print "heimdal built"
> >         return
> > 
> > It prints the message and doesn't create kdc.conf
> 
> https://git.samba.org/?p=asn/samba.git;a=commitdiff;h=7cce3565c7018c9b354c3bb57e99f1bd05260cce
> 
> Should be the fix for it. 

That is basically what I tried.

> However make sure you do a 'git clean -dfx'
> before you build with MIT Kerberos so that there are no leftovers
> from Heimdal.

OK, I will try this later.

> 
> WARNING: 'git clean -dfx' removes everything from the git repository
> which is not tracked and doesn't belong there.
>  
> > So it looks to me that somewhere in the build process, Heimdal is
> > being set as built even though it has been disabled.
> > 
> > From 'make'
> > 
> > symlink: rpc/dcerpc.py -> python/samba/dcerpc/__init__.py
> >         Selected system MIT krb5 libraries, Heimdal use is disabled
> > symlink: samba-tool -> ./samba-tool
> > 
> > Rowland
> 
> Btw. where is the krb5kdc binary located?

/usr/sbin/krb5kdc

Rowland
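
A post-provision check for the symptoms discussed in this thread (kdc.conf not created, nothing listening on port 88, the krb5kdc binary location, the Heimdal flag), as an added example that is not part of the original message or of Samba's code. The function names are hypothetical; the default paths and the `from samba import is_heimdal_built` import are the ones quoted above, and the port probe assumes TCP.

```python
import os
import socket


def heimdal_flag():
    """Return samba's is_heimdal_built as a bool, or None if samba is not importable."""
    try:
        from samba import is_heimdal_built  # import named in the thread
    except ImportError:
        return None
    # The thread does not show whether this is a value or a function, so
    # handle both: a bare function object is always truthy in an `if`.
    return bool(is_heimdal_built() if callable(is_heimdal_built) else is_heimdal_built)


def check_mit_kdc(kdc_config_dir="/var/kerberos/krb5kdc",
                  krb5kdc_path="/usr/sbin/krb5kdc",
                  host="127.0.0.1", port=88, timeout=1.0):
    """Check the symptoms from the thread: kdc.conf, krb5kdc binary, port 88."""
    kdc_conf = os.path.join(kdc_config_dir, "kdc.conf")
    result = {
        # An empty file counts as missing: the KDC cannot use it.
        "kdc_conf": os.path.isfile(kdc_conf) and os.path.getsize(kdc_conf) > 0,
        "krb5kdc": os.path.isfile(krb5kdc_path) and os.access(krb5kdc_path, os.X_OK),
        "heimdal_built": heimdal_flag(),
    }
    try:
        # TCP only (assumption): a KDC may also, or only, answer on UDP 88.
        with socket.create_connection((host, port), timeout=timeout):
            result["listening"] = True
    except OSError:
        result["listening"] = False
    return result


if __name__ == "__main__":
    for name, value in sorted(check_mit_kdc().items()):
        print("%-14s %s" % (name, value))
```

Pass `kdc_config_dir` explicitly when provisioning used `--kdc-config-dir`, so the check looks where the file was supposed to be written rather than at the default.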


