Add a parameter to disable the automatic creation of krb5.conf files
authorVolker Lendecke <vl@samba.org>
Wed, 26 Aug 2009 12:56:41 +0000 (14:56 +0200)
committerVolker Lendecke <vl@samba.org>
Wed, 26 Aug 2009 13:28:06 +0000 (15:28 +0200)
This is necessary because MIT Kerberos 1.5 can't deal with certain types (Tree Root)
of transitive AD trusts. The workaround is to add a [capaths] directive to
/etc/krb5.conf, which winbind does not automatically put into the krb5.conf
it creates.

The alternative would have been something like a "krb5 conf include", but I
think if someone has to mess with /etc/krb5.conf at this level, it should be
easy to add the site-local KDCs as well.

Next alternative is to correctly figure out the [capaths] parameter for all
trusted domains, but for that I don't have the time right now. Sorry :-)

docs-xml/smbdotconf/winbind/createkrb5conf.xml [new file with mode: 0644]
source3/include/proto.h
source3/libads/kerberos.c
source3/param/loadparm.c

diff --git a/docs-xml/smbdotconf/winbind/createkrb5conf.xml b/docs-xml/smbdotconf/winbind/createkrb5conf.xml
new file mode 100644 (file)
index 0000000..3881824
--- /dev/null
@@ -0,0 +1,24 @@
+<samba:parameter name="create krb5 conf"
+       context="G"
+       type="string"
+                advanced="1" developer="0"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+       <para>
+       Setting this paramter to <value type="example">no</value> prevents
+       winbind from creating custom krb5.conf files. Winbind normally does
+       this because the krb5 libraries are not AD-site-aware and thus would
+       pick any domain controller out of potentially very many. Winbind
+       is site-aware and makes the krb5 libraries use a local DC by
+       creating its own krb5.conf files.
+       </para>
+       <para>
+       Preventing winbind from doing this might become necessary if you
+       have to add special options into your system-krb5.conf that winbind
+       does not see.
+       </para>
+
+</description>
+<value type="default">yes</value>
+</samba:parameter>
index 44f6685dacbb2f5a96f35ce3d335557834b035cc..50ac834307a5a26b9e33461163324c600e8f548b 100644 (file)
@@ -3998,6 +3998,7 @@ bool lp_winbind_refresh_tickets(void);
 bool lp_winbind_offline_logon(void);
 bool lp_winbind_normalize_names(void);
 bool lp_winbind_rpc_only(void);
+bool lp_create_krb5_conf(void);
 const char **lp_idmap_domains(void);
 const char *lp_idmap_backend(void);
 char *lp_idmap_alloc_backend(void);
index e1618636e1d7848990dbfab2a6095f756b51dc18..c1e6c4ac38f6736c97f5222b71fadafaa9df9195 100644 (file)
@@ -817,7 +817,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
                                                const char *sitename,
                                                struct sockaddr_storage *pss)
 {
-       char *dname = lock_path("smb_krb5");
+       char *dname;
        char *tmpname = NULL;
        char *fname = NULL;
        char *file_contents = NULL;
@@ -828,6 +828,11 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
        char *realm_upper = NULL;
        bool result = false;
 
+       if (!lp_create_krb5_conf()) {
+               return false;
+       }
+
+       dname = lock_path("smb_krb5");
        if (!dname) {
                return false;
        }
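Review bot: The new early return after `if (!lp_create_krb5_conf())` reports `false`, the same value the function uses for a real failure (the `lock_path()` NULL check directly below it), so a caller that logs or acts on a false return cannot distinguish a deliberate opt-out from an error. If callers only use the result for debug output this is harmless, but the check deserves a comment making the intent explicit, e.g. `/* Admin disabled generation via "create krb5 conf = no"; not an error. */`, or a distinct return path. The function's header comment (outside this hunk) should also say that with the parameter off the system krb5.conf is used unchanged and that nothing here removes files previously generated under lock_path("smb_krb5"). The body of create_local_private_krb5_conf_for_domain continues past the end of the hunk.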
index 35984716a26f8c3840e416246415f89e08dd37a5..c91f67656baa4d32e1c421124ffaa4f62d040b6e 100644 (file)
@@ -199,6 +199,7 @@ struct global {
        bool bWinbindOfflineLogon;
        bool bWinbindNormalizeNames;
        bool bWinbindRpcOnly;
+       bool bCreateKrb5Conf;
        char *szIdmapBackend;
        char *szIdmapAllocBackend;
        char *szAddShareCommand;
@@ -4588,6 +4589,15 @@ static struct parm_struct parm_table[] = {
                .enum_list      = NULL,
                .flags          = FLAG_ADVANCED,
        },
+       {
+               .label          = "create krb5 conf",
+               .type           = P_BOOL,
+               .p_class        = P_GLOBAL,
+               .ptr            = &Globals.bCreateKrb5Conf,
+               .special        = NULL,
+               .enum_list      = NULL,
+               .flags          = FLAG_ADVANCED,
+       },
 
        {NULL,  P_BOOL,  P_NONE,  NULL,  NULL,  NULL,  0}
 };
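Review bot: The table entry registers `create krb5 conf` as `P_BOOL`, but the new docs-xml file in this commit declares the same parameter with `type="string"`, so the generated smb.conf(5) page will describe it as a string while loadparm parses yes/no; the XML should read `type="boolean"`. The docs text also misspells "paramter" in its first paragraph. Neither affects runtime behaviour, but the man page is what an administrator reads before deciding to switch off the generated krb5.conf and fall back to the system one.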
@@ -5005,6 +5015,7 @@ static void init_globals(bool first_time_only)
 #endif
        Globals.bUnixExtensions = True;
        Globals.bResetOnZeroVC = False;
+       Globals.bCreateKrb5Conf = true;
 
        /* hostname lookups can be very expensive and are broken on
           a large number of sites (tridge) */
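Review bot: `Globals.bCreateKrb5Conf = true;` uses lowercase `true` while the neighbouring initialisers in init_globals use `True`/`False`; for consistency with the surrounding lines it should read `Globals.bCreateKrb5Conf = True;`. The default of enabled matches the documented `<value type="default">yes</value>`, so only the spelling is at issue.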
@@ -5359,6 +5370,7 @@ FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
 FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
 FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames)
 FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly)
+FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf)
 
 FN_GLOBAL_CONST_STRING(lp_idmap_backend, &Globals.szIdmapBackend)
 FN_GLOBAL_STRING(lp_idmap_alloc_backend, &Globals.szIdmapAllocBackend)