[Samba] Setting up Samba AD-DC on Debian Stretch made easy.

Marc Muehlfeld mmuehlfeld at samba.org
Mon Sep 11 14:51:58 UTC 2017

Hi Louis,

On 11.09.2017 at 15:29, L.P.H. van Belle via samba wrote:
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directory_Domain_Controller 
> The part Configuring Kerberos. 
> (  cp /usr/local/samba/private/krb5.conf /etc/krb5.conf ) 
> Which made me think that the /var/lib/samba/private/krb5.conf isn't used (anymore).
> And so /etc/krb5.conf is the default, ... Wrong thinking?  

Nothing ever used the krb5.conf file that was generated in PRIVATE_DIR
during the provisioning, unless you linked it in /etc/.

Unfortunately, the Wiki previously suggested linking the file. However,
there are good reasons to copy the generated file to /etc/ instead, or to
merge its content with an existing /etc/krb5.conf. For example, if
Andreas' patch for securing the private directory goes into 4.7 (if not,
then 4.8), the private directory gets root:root (700) permissions. This
means that no other user, except root, can read this file if
/etc/krb5.conf is a link to the private dir. In this case, for example,
dynamic DNS update will fail if you use the BIND9_DLZ back end.

We will highlight this in the RNs and docs if the patch is part of
4.7 (or 4.8). Anyway, it's already better now to copy the file instead
of linking it.
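
A check for the situation described in this message, as an added example that is not part of the original post or of Samba: it reports whether a krb5.conf path is a symlink and whether non-root users can still read what it resolves to. The function names, return codes and the temporary directory layout in `demo` are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. Return codes are assumptions of this sketch:
#   0 regular file readable by non-root   1 symlink, target still readable
#   2 not readable by non-root users      3 path missing

# Print character POS of the "ls -ld" mode string for PATH.
mode_char() {
    ls -ld -- "$1" | cut -c"$2"
}

check_krb5_conf() {
    conf=$1
    [ -e "$conf" ] || { echo "$conf: missing"; return 3; }
    target=$(readlink -f -- "$conf")
    dir=$(dirname -- "$target")
    # Column 8: "other" read bit of the file.
    # Column 10: "other" search bit of its directory (x, or t if sticky).
    r=$(mode_char "$target" 8)
    x=$(mode_char "$dir" 10)
    if [ "$r" != r ] || { [ "$x" != x ] && [ "$x" != t ]; }; then
        echo "$conf -> $target: not readable by non-root users"
        return 2
    fi
    if [ -L "$conf" ]; then
        echo "$conf: symlink to $target, replace it with a copy"
        return 1
    fi
    echo "$conf: regular file, readable by non-root users"
}

# Constructed layout: etc/krb5.conf linked into private/, as in the message.
demo() {
    root=$(mktemp -d)
    mkdir "$root/etc" "$root/private"
    echo "[libdefaults]" > "$root/private/krb5.conf"
    chmod 644 "$root/private/krb5.conf"
    chmod 755 "$root/etc" "$root/private"
    ln -s "$root/private/krb5.conf" "$root/etc/krb5.conf"
    a=0; check_krb5_conf "$root/etc/krb5.conf" || a=$?   # link, still readable
    chmod 700 "$root/private"
    b=0; check_krb5_conf "$root/etc/krb5.conf" || b=$?   # private dir locked
    rm "$root/etc/krb5.conf"
    cp "$root/private/krb5.conf" "$root/etc/krb5.conf"
    chmod 644 "$root/etc/krb5.conf"
    c=0; check_krb5_conf "$root/etc/krb5.conf" || c=$?   # copied file
    rm -rf "$root"
    DEMO_CODES="$a $b $c"
}
```

The check looks only at the file and its immediate directory and ignores ACLs; on a DC it would be called as `check_krb5_conf /etc/krb5.conf`.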

