[PATCH] samba-tool domain provision with MIT KDC

Andrew Bartlett abartlet at samba.org
Wed May 24 00:15:36 UTC 2017


On Tue, 2017-05-23 at 09:06 +0200, Andreas Schneider wrote:
> On Tuesday, 16 May 2017 09:59:48 CEST Andreas Schneider via samba-technical wrote:
> > On Monday, 15 May 2017 20:24:49 CEST Andrew Bartlett wrote:
> > > On Mon, 2017-05-15 at 11:19 +0200, Andreas Schneider wrote:
> > > > Hi Andrew,
> > > > 
> > > > here are the patches implementing the provisioning in a cleaner
> > > > way. It works on openSUSE, Fedora and Debian.
> > > > 
> > > > Please review and push if OK :-)
> > > 
> > > Thanks!
> > > 
> > > This is much better than the previous approach.  However, I'm a bit
> > > worried about one thing, that is what should we do if we have to
> > > change it?
> > > 
> > > This comes from the experience with provision-generated config
> > > files so far.  For example, we have a bug in our provision script
> > > where it writes in the full list of services if you use DLZ_BIND9,
> > > rather than just '-dns'.
> > > 
> > > We should fix that, naturally, but what should we do with all the
> > > old configuration files (particularly when we add a service)?
> > > 
> > > If we write it out to private/ once, we have to live with exactly
> > > that file forever, as we can't (trivially) know if the administrator
> > > intended to change it, or it was an old config file before our
> > > required settings changed.
> > > 
> > > This is still an important step forward, but I wanted to put it in
> > > writing why I favour a tmp file generated just before the
> > > fork()/exec() of the KDC.
> > 
> > Well, how do you configure PKINIT or Smartcard support then?
> > 
> > With Heimdal you have to copy the krb5.conf file generated in the
> > private dir. This file is also used by the Heimdal KDC, it doesn't
> > have an extra configuration file.
> > 
> > For MIT Kerberos you have to do that for the KDC in the kdc.conf
> > file. So for PKINIT and Smartcards you need to be able to modify the
> > file ...
> 
> Friendly ping :-)

I'm not violently opposed, just not a big fan either.  I just fear we
will get into a pickle. 

I'll read it over again and likely push it, as it is an improvement,
but I do hope we can do one step better.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
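The thread's open question is how a provision step can tell an untouched generated kdc.conf in private/ from one the administrator edited for PKINIT or smartcards. One defensible middle ground between "write once and live with it forever" and "regenerate into a tmp file before fork()/exec()" is to record a digest of what provision wrote and refuse to overwrite anything that no longer matches. The example below is added here and is not Samba's code; the function names, the `.generated.sha256` sidecar and the minimal kdc.conf content are assumptions for illustration.

```python
import hashlib
import os

# Constructed minimal MIT kdc.conf; a real provision output carries more settings.
KDC_CONF_TEMPLATE = """[kdcdefaults]
    kdc_ports = {kdc_port}

[realms]
    {realm} = {{
        kdc_ports = {kdc_port}
    }}
"""


def render_kdc_conf(realm: str, kdc_port: int = 88) -> str:
    """Render the kdc.conf text the provision step would generate."""
    return KDC_CONF_TEMPLATE.format(realm=realm, kdc_port=kdc_port)


def _sha256(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()


def write_generated(path: str, content: str) -> None:
    """Write the config and record its digest in a sidecar file (assumed name),
    so a later run can distinguish our own output from an admin's edits."""
    with open(path, "w") as f:
        f.write(content)
    with open(path + ".generated.sha256", "w") as f:
        f.write(_sha256(content))


def admin_modified(path: str) -> bool:
    """True when the file exists but no longer matches the recorded digest
    (or the sidecar is missing): treat it as the administrator's and keep it."""
    if not os.path.exists(path):
        return False
    sidecar = path + ".generated.sha256"
    if not os.path.exists(sidecar):
        return True
    with open(path) as f, open(sidecar) as s:
        return _sha256(f.read()) != s.read().strip()


def refresh_kdc_conf(path: str, realm: str) -> bool:
    """Regenerate only when the existing file is still ours; report whether it was rewritten."""
    if admin_modified(path):
        return False
    write_generated(path, render_kdc_conf(realm))
    return True
```

A file whose digest still matches can safely pick up a changed template (for instance a corrected service list), while an edited file is left alone and can be reported to the administrator instead.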