[PATCH] samba-tool domain provision with MIT KDC

Andreas Schneider asn at samba.org
Tue May 16 07:59:48 UTC 2017

On Monday, 15 May 2017 20:24:49 CEST Andrew Bartlett wrote:
> On Mon, 2017-05-15 at 11:19 +0200, Andreas Schneider wrote:
> > Hi Andrew,
> > 
> > here are the patches implementing the provisioning in a cleaner way. It
> > works on openSUSE, Fedora and Debian.
> > 
> > 
> > Please review and push if OK :-)
> Thanks!
> This is much better than the previous approach.  However, I'm a bit
> worried about one thing, that is what should we do if we have to change
> it?
> This comes from the experience with provision-generated config files so
> far.  For example, we have a bug in our provision script where it
> writes in the full list of services if you use DLZ_BIND9, rather than
> just '-dns'.
> We should fix that, naturally, but what should we do with all the old
> configuration files (particularly when we add a service)?
> If we write it out to private/ once, we have to live with exactly that
> file forever, as we can't (trivially) know if the administrator
> intended to change it, or it was an old config file before our required
> settings changed.
> This is still an important step forward, but I wanted to put it in
> writing why I favour a tmp file generated just before the fork()/exec()
> of the KDC.

Well, how do you configure PKINIT or Smartcard support then?

With Heimdal you have to copy the krb5.conf file generated in the private dir. 
This file is also used by the Heimdal KDC; it doesn't have an extra 
configuration file.

For MIT Kerberos you have to do that for the KDC in the kdc.conf file. So for 
PKINIT and Smartcards you need to be able to modify the file ...


Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
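To make the point in the reply above concrete (that the Heimdal KDC reads its settings from the same krb5.conf, while the MIT KDC keeps them in a separate kdc.conf), here is an added illustration of where an administrator would have to put PKINIT settings for each KDC. It is not part of the thread or of the Samba provision output; the realm name and all file paths are constructed placeholders, and the keys shown are the documented Heimdal `[kdc]` and MIT `[realms]` PKINIT options.

```ini
# --- Heimdal: private/krb5.conf (one file, used by both libkrb5 and the KDC) ---
# Assumption: realm and paths are placeholders, not provision output.
[libdefaults]
    default_realm = EXAMPLE.COM

[kdc]
    enable-pkinit = yes
    # KDC certificate and private key the client will verify during PKINIT
    pkinit_identity = FILE:/var/lib/samba/private/kdc.pem,/var/lib/samba/private/kdc.key
    # CA certificates used to validate smartcard / client certificates
    pkinit_anchors = FILE:/var/lib/samba/private/cacert.pem

# --- MIT: kdc.conf (separate from krb5.conf; only the KDC reads it) ---
# Assumption: realm and paths are placeholders, not provision output.
[kdcdefaults]
    kdc_ports = 88

[realms]
    EXAMPLE.COM = {
        # KDC certificate and private key for PKINIT
        pkinit_identity = FILE:/var/lib/samba/private/kdc.pem,/var/lib/samba/private/kdc.key
        # trust anchors for client (smartcard) certificates
        pkinit_anchors = FILE:/var/lib/samba/private/cacert.pem
    }
```

The practical consequence for the provisioning design being discussed: if kdc.conf is regenerated into a temporary file right before the KDC is exec()ed, an administrator's PKINIT settings have nowhere persistent to live, whereas a file written once to private/ can be edited but then cannot be safely rewritten by a later provision fix without risking the administrator's changes. Either way, the PKINIT key and trust-anchor files should be readable only by the KDC user, since they are what binds client certificates to the realm.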

More information about the samba-technical mailing list