summaryrefslogtreecommitdiff
path: root/docs-xml/smbdotconf/winbind
diff options
context:
space:
mode:
authorVolker Lendecke <vl@samba.org>2009-08-26 14:56:41 +0200
committerVolker Lendecke <vl@samba.org>2009-08-26 15:28:06 +0200
commitb824b1b7bf19b4b8c64b7c2c5a6a1d3287820088 (patch)
treed82e327e9134f2bbac5e3f4881be3906f9fe74be /docs-xml/smbdotconf/winbind
parentda99e3a724b493ba47a06d0704b891819ad16647 (diff)
downloadsamba-b824b1b7bf19b4b8c64b7c2c5a6a1d3287820088.tar.gz
samba-b824b1b7bf19b4b8c64b7c2c5a6a1d3287820088.tar.bz2
samba-b824b1b7bf19b4b8c64b7c2c5a6a1d3287820088.zip
Add a parameter to disable the automatic creation of krb5.conf files
This is necessary because MIT 1.5 can't deal with certain types (Tree Root) of transitive AD trusts. The workaround is to add a [capaths] directive to /etc/krb5.conf, which we don't automatically put into the krb5.conf winbind creates. The alternative would have been something like a "krb5 conf include", but I think if someone has to mess with /etc/krb5.conf at this level, it should be easy to add the site-local KDCs as well. Next alternative is to correctly figure out the [capaths] parameter for all trusted domains, but for that I don't have the time right now. Sorry :-)
Diffstat (limited to 'docs-xml/smbdotconf/winbind')
-rw-r--r--docs-xml/smbdotconf/winbind/createkrb5conf.xml24
1 files changed, 24 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/winbind/createkrb5conf.xml b/docs-xml/smbdotconf/winbind/createkrb5conf.xml
new file mode 100644
index 0000000000..38818240c3
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/createkrb5conf.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="create krb5 conf"
+ context="G"
+ type="string"
+ advanced="1" developer="0"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ Setting this paramter to <value type="example">no</value> prevents
+ winbind from creating custom krb5.conf files. Winbind normally does
+ this because the krb5 libraries are not AD-site-aware and thus would
+ pick any domain controller out of potentially very many. Winbind
+ is site-aware and makes the krb5 libraries use a local DC by
+ creating its own krb5.conf files.
+ </para>
+ <para>
+ Preventing winbind from doing this might become necessary if you
+ have to add special options into your system-krb5.conf that winbind
+ does not see.
+ </para>
+
+</description>
+<value type="default">yes</value>
+</samba:parameter>