[PATCH] samba-tool domain provision with MIT KDC

Andreas Schneider asn at samba.org
Tue May 23 07:06:36 UTC 2017


On Tuesday, 16 May 2017 09:59:48 CEST Andreas Schneider via samba-technical wrote:
> On Monday, 15 May 2017 20:24:49 CEST Andrew Bartlett wrote:
> > On Mon, 2017-05-15 at 11:19 +0200, Andreas Schneider wrote:
> > > Hi Andrew,
> > > 
> > > here are the patches implementing the provisioning in a cleaner way. It
> > > works on openSUSE, Fedora and Debian.
> > > 
> > > 
> > > Please review and push if OK :-)
> > 
> > Thanks!
> > 
> > This is much better than the previous approach.  However, I'm a bit
> > worried about one thing, that is what should we do if we have to change
> > it?
> > 
> > This comes from the experience with provision-generated config files so
> > far.  For example, we have a bug in our provision script where it
> > writes in the full list of services if you use DLZ_BIND9, rather than
> > just '-dns'.
> > 
> > We should fix that, naturally, but what should we do with all the old
> > configuration files (particularly when we add a service)?
> > 
> > If we write it out to private/ once, we have to live with exactly that
> > file forever, as we can't (trivially) know if the administrator
> > intended to change it, or it was an old config file before our required
> > settings changed.
> > 
> > This is still an important step forward, but I wanted to put it in
> > writing why I favour a tmp file generated just before the fork()/exec()
> > of the KDC.
> 
> Well, how do you configure PKINIT or Smartcard support then?
> 
> 
> With Heimdal you have to copy the krb5.conf file generated in the private
> dir. This file is also used by the Heimdal KDC, it doesn't have an extra
> configuration file.
> 
> 
> For MIT Kerberos you have to do that for the KDC in the kdc.conf file. So
> for PKINIT and Smartcards you need to be able to modify the file ...

Friendly ping :-)

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org
