Marc Muehlfeld
2016-Dec-29 22:21 UTC
[Samba] Connections to Samba fail when "includedir" is set in krb5.conf (e. g. after RHEL 7.2 to 7.3 update)
On 29.12.2016 at 22:17, Rowland Penny via samba wrote:
> Hi Marc, that is your problem there and it has highlighted another
> problem, the Samba wiki page:
>
> https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
>
> Doesn't have anything about krb5.conf
>
> You should run the same /etc/krb5.conf as on a DC, ...

You can set up a domain member without configuring Kerberos in krb5.conf. That's what is currently described on the Wiki page and the procedure works. However, in this case you're not able to use Kerberos stuff, such as kinit.

I add a new section to the page tomorrow describing the Kerberos configuration on the domain member.

>> Here is the bug report:
>> https://bugzilla.samba.org/show_bug.cgi?id=12488
>
> Why are you logging a Samba bug for what seems to be a
> configuration error ?

Samba domain members work without configuring krb5.conf, and in this case, users may not have touched their krb5.conf file, but Samba reads this file. Also a lot of distributions ship MIT Kerberos which supports including config snippets.

That's why I think Samba needs to be patched: If "includedir" is not supported in Heimdal, we should ignore such unknown options instead of starting the services and fail serving without any helpful error message (nothing is logged on level < 3 and on >= 3 a message is logged, that tells nothing about the problem: An unknown parameter in krb5.conf).

Regards,
Marc
Rowland Penny
2016-Dec-29 22:29 UTC
[Samba] Connections to Samba fail when "includedir" is set in krb5.conf (e. g. after RHEL 7.2 to 7.3 update)
On Thu, 29 Dec 2016 23:21:23 +0100 Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
> On 29.12.2016 at 22:17, Rowland Penny via samba wrote:
> > Hi Marc, that is your problem there and it has highlighted another
> > problem, the Samba wiki page:
> >
> > https://wiki.samba.org/index.php/Setting_up_Samba_as_a_Domain_Member
> >
> > Doesn't have anything about krb5.conf
> >
> > You should run the same /etc/krb5.conf as on a DC, ...
>
> You can set up a domain member without configuring Kerberos in
> krb5.conf. That's what is currently described on the Wiki page and the
> procedure works. However, in this case you're not able to use Kerberos
> stuff, such as kinit.

No you cannot, a lot of problems are caused by mis-configured /etc/krb5.conf files, as you have found out yourself.

> I add a new section to the page tomorrow describing the Kerberos
> configuration on the domain member.

Don't bother, I have already done it.

Rowland
Marc Muehlfeld
2016-Dec-29 23:44 UTC
[Samba] Connections to Samba fail when "includedir" is set in krb5.conf (e. g. after RHEL 7.2 to 7.3 update)
On 29.12.2016 at 23:29, Rowland Penny via samba wrote:
>> You can set up a domain member without configuring Kerberos in
>> krb5.conf. That's what is currently described on the Wiki page and the
>> procedure works. However, in this case you're not able to use Kerberos
>> stuff, such as kinit.
>
> No you cannot, a lot of problems are caused by
> mis-configured /etc/krb5.conf files, as you have found out yourself.

Sure, you can. I ran several domain members in production in the past without touching the default krb5.conf and never had any kind of problems.

What problems are you talking about exactly? Can you please give some examples what problems users will encounter if they don't configure krb5.conf and use the defaults?

>> I add a new section to the page tomorrow describing the Kerberos
>> configuration on the domain member.
>
> Don't bother, I have already done it.

Can you add some more details? I think it helps the reader to tell why to do things. For example what you achieve by setting this up and what problems you get if you use the default krb5.conf.

Regards,
Marc
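Because the failure described in this thread is not logged below level 3, a check of krb5.conf for active "includedir" lines is a quick way to spot it. The script below is an added example, not code from the thread or from Samba. The function names are hypothetical, and the file-name rule in krb5_snippets is taken from the MIT krb5.conf documentation, not from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba.
tab=$(printf '\t')

# Print "LINE<TAB>DIRECTORY" for each active includedir directive in file $1.
# Returns 0 if at least one was found, 1 otherwise.
krb5_includedirs() {
    awk '
        /^[ \t]*[#;]/ { next }              # comment lines
        $1 == "includedir" && NF >= 2 { printf "%d\t%s\n", NR, $2; found = 1 }
        END { exit !found }
    ' "$1"
}

# List the files in directory $1 that MIT Kerberos would read for includedir
# (assumption: rule as given in the MIT krb5.conf documentation).
krb5_snippets() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            *.conf) echo "$f" ;;            # accepted since MIT krb5 1.15
            *[!A-Za-z0-9_-]*) ;;            # any other character: skipped
            *) echo "$f" ;;
        esac
    done
}

# Report for one file; returns 1 when an includedir directive is present.
krb5_check() {
    hits=$(krb5_includedirs "$1") || { echo "OK: no includedir in $1"; return 0; }
    echo "$hits" | while IFS=$tab read -r line dir; do
        echo "WARN: $1 line $line: includedir $dir"
        krb5_snippets "$dir" | sed 's/^/  snippet: /'
    done
    return 1
}

# Run only when a file is given: sh check.sh /etc/krb5.conf
if [ -n "${1:-}" ]; then krb5_check "$1"; fi
```

The snippet listing shows which settings live outside the main file, which matters when deciding what an affected host's krb5.conf actually configures.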