From a744fc01174aabe29c9c97b81e932d388953456d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Sun, 27 Oct 2019 13:27:03 +0200
Subject: [PATCH] Correct generated krb5.conf file to actually find own realm

---
 ...ool-create-working-private-krb5.conf.patch | 42 +++++++++++++++++++
 samba.spec                                    |  1 +
 2 files changed, 43 insertions(+)
 create mode 100644 0002-samba-tool-create-working-private-krb5.conf.patch

diff --git a/0002-samba-tool-create-working-private-krb5.conf.patch b/0002-samba-tool-create-working-private-krb5.conf.patch
new file mode 100644
index 0000000..643d367
--- /dev/null
+++ b/0002-samba-tool-create-working-private-krb5.conf.patch
@@ -0,0 +1,42 @@
+From 5a084994144704a6c146b94f8a22cf57ce08deab Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Mon, 7 Oct 2019 18:24:28 +0300
+Subject: [PATCH] samba-tool: create working private krb5.conf
+
+DNS update tool uses private krb5.conf which should have enough details
+to authenticate with GSS-TSIG when running nsupdate.
+
+Unfortunately, the configuration we provide is not enough. We set
+defaults to not lookup REALM via DNS but at the same time we don't
+provide any realm definition. As result, MIT Kerberos cannot actually
+find a working realm for Samba AD deployment because it cannot query DNS
+for a realm discovery or pick it up from the configuration.
+
+Extend private krb5.conf with a realm definition that will allow MIT
+Kerberos to look up KDC over DNS.
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-by: Andreas Schneider
+---
+ source4/setup/krb5.conf | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/source4/setup/krb5.conf b/source4/setup/krb5.conf
+index b1bf6cf907d..ad6f2818fb5 100644
+--- a/source4/setup/krb5.conf
++++ b/source4/setup/krb5.conf
+@@ -2,3 +2,11 @@
+ default_realm = ${REALM}
+ dns_lookup_realm = false
+ dns_lookup_kdc = true
++
++[realms]
++${REALM} = {
++ default_domain = ${DNSDOMAIN}
++}
++
++[domain_realm]
++ ${HOSTNAME} = ${REALM}
+--
+2.21.0
+
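Review bot: The new `[domain_realm]` stanza maps only `${HOSTNAME}` to `${REALM}` while `dns_lookup_realm = false` is kept, so the realm of any other host — notably the DNS server nsupdate sends the GSS-TSIG update to when it is not this DC — is presumably left to MIT Kerberos's fallback of deriving it from the host's DNS domain, which only works when the realm name equals the upper-cased DNS domain. A domain-wide mapping would cover that case explicitly: `.${DNSDOMAIN} = ${REALM}` and `${DNSDOMAIN} = ${REALM}` next to the existing hostname entry. The `[realms]` entry carries no `kdc =` line, so KDC discovery rests entirely on DNS SRV answers via `dns_lookup_kdc = true`; that is what the commit message intends, but a one-line comment on the stanza saying so would stop a later reader from "fixing" it by pinning a KDC. The `[libdefaults]` header these first three settings belong to lies outside the embedded hunk.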
diff --git a/samba.spec b/samba.spec
index 46a586b..5d8bacc 100644
--- a/samba.spec
+++ b/samba.spec
@@ -121,6 +121,7 @@ Source201: README.downgrade
 Patch0: pidl.patch
 Patch100: 0000-use-gnutls-for-des-cbc.patch
 Patch101: 0001-handle-removal-des-enctypes-from-krb5.patch
+Patch102: 0002-samba-tool-create-working-private-krb5.conf.patch
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd