[PATCH] samba-tool domain provision with MIT KDC

Andrew Bartlett abartlet at samba.org
Fri May 26 21:05:20 UTC 2017


On Tue, 2017-05-23 at 09:06 +0200, Andreas Schneider wrote:
> On Tuesday, 16 May 2017 09:59:48 CEST Andreas Schneider via samba-technical 
> wrote:
> > On Monday, 15 May 2017 20:24:49 CEST Andrew Bartlett wrote:
> > > On Mon, 2017-05-15 at 11:19 +0200, Andreas Schneider wrote:
> > > > Hi Andrew,
> > > > 
> > > > here are the patches implementing the provisioning in a cleaner way. It
> > > > works on openSUSE, Fedora and Debian.
> > > > 
> > > > 
> > > > Please review and push if OK :-)
> > > 
> > > Thanks!
> > > 
> > > This is much better than the previous approach.  However, I'm a bit
> > > worried about one thing, that is, what should we do if we have to
> > > change it?
> > > 
> > > This comes from the experience with provision-generated config files so
> > > far.  For example, we have a bug in our provision script where it
> > > writes in the full list of services if you use DLZ_BIND9, rather than
> > > just '-dns'.
> > > 
> > > We should fix that, naturally, but what should we do with all the old
> > > configuration files (particularly when we add a service)?
> > > 
> > > If we write it out to private/ once, we have to live with exactly that
> > > file forever, as we can't (trivially) know if the administrator
> > > intended to change it, or it was an old config file before our required
> > > settings changed.
> > > 
> > > This is still an important step forward, but I wanted to put it in
> > > writing why I favour a tmp file generated just before the fork()/exec()
> > > of the KDC.
> > 
> > Well, how do you configure PKINIT or Smartcard support then?
> > 
> > 
> > With Heimdal you have to copy the krb5.conf file generated in the private
> > dir. This file is also used by the Heimdal KDC, it doesn't have an extra
> > configuration file.
> > 
> > 
> > For MIT Kerberos you have to do that for the KDC in the kdc.conf file. So
> > for PKINIT and Smartcards you need to be able to modify the file ...
> 
> Friendly ping :-)

This is now reviewed and in master.

I still think we should do something more dynamic for the kdc.conf,
such as a samba-generated file that includes this file, but that wasn't
enough of a reason to block this.

Thanks for your patience!

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
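The thread above turns on one design question: once a provisioner writes a kdc.conf into private/, how can a later run tell its own unchanged output from a file the administrator edited (for PKINIT or smartcard settings, say), so that required settings can still be updated without clobbering local changes? The following is an added example illustrating Andrew's suggestion of a Samba-generated file that includes an admin-editable one; it is not Samba's code and not the patches under review. It assumes a digest marker line in a comment (an invented convention), placeholder realm settings that are not Samba's real template, and MIT krb5's profile `include` directive for pulling in the local file; all paths and the realm name are constructed for the demo.

```python
"""Added example (not Samba code): keep the provisioner-managed part of an
MIT kdc.conf regenerable, and detect hand edits before overwriting it."""
import hashlib
import os
import tempfile

# Hypothetical marker line recording a digest of the generated body.
# Not a Samba convention; invented for this example.
MARKER = "# samba-managed-sha256: "


def render_managed_kdc_conf(realm, local_conf):
    """Render only the settings the provisioner requires.

    Site-specific settings (PKINIT, smartcard options, ...) belong in
    `local_conf`, which is pulled in via MIT krb5's `include` directive and
    which the provisioner never writes.  The realm values below are
    placeholders for the demo, not Samba's real kdc.conf template.
    """
    return (
        "[kdcdefaults]\n"
        "    kdc_ports = 88\n"
        "\n"
        "[realms]\n"
        f"    {realm} = {{\n"
        "        max_life = 10h 0m 0s\n"
        "        max_renewable_life = 7d 0h 0m 0s\n"
        "    }\n"
        "\n"
        f"include {local_conf}\n"
    )


def stamp(body):
    """Prefix the body with a digest so a later run can distinguish
    'our unchanged output' from 'something an administrator touched'."""
    return MARKER + hashlib.sha256(body.encode()).hexdigest() + "\n" + body


def classify(text):
    """None  -> no marker: unknown origin (e.g. a pre-marker file).
    False -> marker present and body still matches: safe to regenerate.
    True  -> marker present but body differs: edited after generation."""
    first, _, rest = text.partition("\n")
    if not first.startswith(MARKER):
        return None
    return hashlib.sha256(rest.encode()).hexdigest() != first[len(MARKER):]


def regenerate(path, body):
    """Atomically (re)write the managed file unless it looks hand-edited.
    Returns 'created', 'updated', 'unchanged' or 'refused'."""
    new_text = stamp(body)
    if os.path.exists(path):
        with open(path) as f:
            old_text = f.read()
        if old_text == new_text:
            return "unchanged"
        if classify(old_text) in (True, None):
            return "refused"  # admin edit or unknown origin: do not clobber
        outcome = "updated"
    else:
        outcome = "created"
    # Write to a temp file in the same directory, then rename into place,
    # so the KDC never sees a half-written config.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".kdc.conf.")
    with os.fdopen(fd, "w") as f:
        f.write(new_text)
    os.replace(tmp, path)
    return outcome


def demo():
    """Walk the lifecycle in a scratch directory; returns the outcomes."""
    outcomes = []
    with tempfile.TemporaryDirectory() as d:
        managed = os.path.join(d, "kdc.conf")
        local = os.path.join(d, "kdc.conf.local")  # admin-owned, never written here
        body_v1 = render_managed_kdc_conf("EXAMPLE.COM", local)
        outcomes.append(regenerate(managed, body_v1))  # created
        outcomes.append(regenerate(managed, body_v1))  # unchanged
        # Provisioner later changes a required setting: safe to update.
        body_v2 = body_v1.replace("10h", "8h")
        outcomes.append(regenerate(managed, body_v2))  # updated
        # An administrator edits the managed file by hand (constructed edit).
        with open(managed, "a") as f:
            f.write("\n# manually added by site admin\n")
        outcomes.append(regenerate(managed, body_v2))  # refused
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The `refused` outcome is the point: instead of silently keeping an old file forever or silently overwriting it, the provisioner can report that the managed file diverged and leave the decision to the administrator, while routine settings changes still flow through on files it recognises as its own.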
