[Samba] Connections to Samba fail when "includedir" is set in krb5.conf (e. g. after RHEL 7.2 to 7.3 update)

Marc Muehlfeld mmuehlfeld at samba.org
Thu Dec 29 22:21:23 UTC 2016

Am 29.12.2016 um 22:17 schrieb Rowland Penny via samba:
> Hi Marc, that is your problem there and it has highlighted another
> problem, the Samba wiki page:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> Doesn't have anything about krb5.conf
> You should run the same /etc/krb5.conf as on a DC, ...

You can set up a domain member without configuring Kerberos in
krb5.conf. That's what is currently described on the Wiki page and the
procedure works. However, in this case you're not able to use Kerberos
stuff, such as kinit.

I add a new section to the page tomorrow describing the Kerberos
configuration on the domain member.

>> Here is the bug report:
>> https://bugzilla.samba.org/show_bug.cgi?id=12488
> Why are you logging a Samba bug for what seems to be a
> configuration error ?

Samba domain members work without configuring krb5.conf, and in this
case, user may have not touched their krb5.conf file, but Samba reads
this file. Also a lot of distributions ship MIT Kerberos which supports
including config snippets. That's why I think Samba needs to be patched:
If "includedir" is not supported in Heimdal, we should ignore such
unknown options instead of starting the services and fail serving
without any helpful error message (nothing is logged on level < 3 and on
>=3 a message is logged, that tells nothing about the problem: An
unknown parameter in krb5.conf).


More information about the samba mailing list