[Samba] Setting up Samba AD-DC on Debian Stretch made easy.
L.P.H. van Belle
belle at bazuin.nl
Mon Sep 11 14:56:22 UTC 2017
Thank you for this explanation, very clear now.
I did see that binddir change also, and that upgrade test where ok sofar.
I'll keep an eye on the release notes when released.
> -----Oorspronkelijk bericht-----
> Van: Marc Muehlfeld [mailto:mmuehlfeld at samba.org]
> Verzonden: maandag 11 september 2017 16:52
> Aan: L.P.H. van Belle; samba at lists.samba.org
> Onderwerp: Re: [Samba] Setting up Samba AD-DC on Debian
> Stretch made easy.
> Hi Louis,
> Am 11.09.2017 um 15:29 schrieb L.P.H. van Belle via samba:
> > ry_Domain_Controller
> > The part Configuring Kerberos.
> > ( cp /usr/local/samba/private/krb5.conf /etc/krb5.conf )
> > Which made me think that the /var/lib/samba/private/krb5.conf isnt
> > used. (anymore) And so /etc/krb5.conf is the default, ...
> Wrong thinking?
> Nothing ever used the krb5.conf file that was generated in
> PRIVATE_DIR during the provisioning, except you linked it in /etc/.
> Unfortunately, previously the Wiki suggested to link the
> file. However, there are good reasons to better copy the
> generated file to /etc/ or merge the content with an existing
> /etc/krb5.conf. For example, if Andreas' patch for securing
> the private directory goes into 4.7 (if not, then 4.8), the
> private directory gets root:root (700) permissions. This
> means that no other user, except root, can read this file if
> /etc/krb5.conf is a link to the private dir. In this case,
> for example, dynamic DNS update will fail if you use the
> BIND9_DLZ back end.
> We will highlight this in the RNs and docs if the patch will
> be part of
> 4.7 (or 4.8). Anyway, already now it's better to copy the
> file instead of linking it.
More information about the samba