[Samba] Setting up Samba AD-DC on Debian Stretch made easy.

L.P.H. van Belle belle at bazuin.nl
Mon Sep 11 14:56:22 UTC 2017

Hello Marc, 

Thank you for this explanation, very clear now. 
I did see that binddir change also, and that upgrade test where ok sofar. 
I'll keep an eye on the release notes when released. 




> -----Oorspronkelijk bericht-----
> Van: Marc Muehlfeld [mailto:mmuehlfeld at samba.org] 
> Verzonden: maandag 11 september 2017 16:52
> Aan: L.P.H. van Belle; samba at lists.samba.org
> Onderwerp: Re: [Samba] Setting up Samba AD-DC on Debian 
> Stretch made easy.
> Hi Louis,
> Am 11.09.2017 um 15:29 schrieb L.P.H. van Belle via samba:
> > 
> https://wiki.samba.org/index.php/Setting_up_Samba_as_an_Active_Directo
> > ry_Domain_Controller
> > The part Configuring Kerberos. 
> > (  cp /usr/local/samba/private/krb5.conf /etc/krb5.conf )
> > 
> > Which made me think that the /var/lib/samba/private/krb5.conf isnt 
> > used. (anymore) And so /etc/krb5.conf is the default, ... 
> Wrong thinking?
> Nothing ever used the krb5.conf file that was generated in 
> PRIVATE_DIR during the provisioning, except you linked it in /etc/.
> Unfortunately, previously the Wiki suggested to link the 
> file. However, there are good reasons to better copy the 
> generated file to /etc/ or merge the content with an existing 
> /etc/krb5.conf. For example, if Andreas' patch for securing 
> the private directory goes into 4.7 (if not, then 4.8), the 
> private directory gets root:root (700) permissions. This 
> means that no other user, except root, can read this file if 
> /etc/krb5.conf is a link to the private dir. In this case, 
> for example, dynamic DNS update will fail if you use the 
> BIND9_DLZ back end.
> We will highlight this in the RNs and docs if the patch will 
> be part of
> 4.7 (or 4.8). Anyway, already now it's better to copy the 
> file instead of linking it.
> Regards,
> Marc

More information about the samba mailing list