author | Volker Lendecke <vl@samba.org> | 2009-08-26 14:56:41 +0200 |
---|---|---|
committer | Volker Lendecke <vl@samba.org> | 2009-08-26 15:28:06 +0200 |
commit | b824b1b7bf19b4b8c64b7c2c5a6a1d3287820088 (patch) | |
tree | d82e327e9134f2bbac5e3f4881be3906f9fe74be /source3 | |
parent | da99e3a724b493ba47a06d0704b891819ad16647 (diff) | |
Add a parameter to disable the automatic creation of krb5.conf files
This is necessary because MIT 1.5 can't deal with certain types (Tree Root) of
transitive AD trusts. The workaround is to add a [capaths] directive to
/etc/krb5.conf, which we don't automatically put into the krb5.conf winbind
creates.
The alternative would have been something like a "krb5 conf include", but I
think if someone has to mess with /etc/krb5.conf at this level, it should be
easy to add the site-local KDCs as well.
Next alternative is to correctly figure out the [capaths] parameter for all
trusted domains, but for that I don't have the time right now. Sorry :-)
Diffstat (limited to 'source3')
-rw-r--r-- | source3/include/proto.h | 1 | ||||
-rw-r--r-- | source3/libads/kerberos.c | 7 | ||||
-rw-r--r-- | source3/param/loadparm.c | 12 |
3 files changed, 19 insertions, 1 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 44f6685dac..50ac834307 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -3998,6 +3998,7 @@ bool lp_winbind_refresh_tickets(void);
 bool lp_winbind_offline_logon(void);
 bool lp_winbind_normalize_names(void);
 bool lp_winbind_rpc_only(void);
+bool lp_create_krb5_conf(void);
 const char **lp_idmap_domains(void);
 const char *lp_idmap_backend(void);
 char *lp_idmap_alloc_backend(void);
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index e1618636e1..c1e6c4ac38 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -817,7 +817,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
 const char *sitename,
 struct sockaddr_storage *pss)
 {
- char *dname = lock_path("smb_krb5");
+ char *dname;
 char *tmpname = NULL;
 char *fname = NULL;
 char *file_contents = NULL;
@@ -828,6 +828,11 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
 char *realm_upper = NULL;
 bool result = false;
+ if (!lp_create_krb5_conf()) {
+ return false;
+ }
+
+ dname = lock_path("smb_krb5");
 if (!dname) {
 return false;
 }
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 35984716a2..c91f67656b 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -199,6 +199,7 @@ struct global {
 bool bWinbindOfflineLogon;
 bool bWinbindNormalizeNames;
 bool bWinbindRpcOnly;
+ bool bCreateKrb5Conf;
 char *szIdmapBackend;
 char *szIdmapAllocBackend;
 char *szAddShareCommand;
@@ -4588,6 +4589,15 @@ static struct parm_struct parm_table[] = {
 .enum_list = NULL,
 .flags = FLAG_ADVANCED,
 },
+ {
+ .label = "create krb5 conf",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.bCreateKrb5Conf,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
 {NULL, P_BOOL, P_NONE, NULL, NULL, NULL, 0}
 };
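Review bot: The early `return false` added in the second kerberos.c hunk is silent and gives callers the same result as a failure to write the file. The callers are outside this diff, so whether any of them logs or reacts to false as an error cannot be seen here; a trace such as `DEBUG(10, ("create krb5 conf = no, not writing a private krb5.conf\n"));` before the return would make the skipped step visible. A short comment above the check should also say that with the option off Kerberos relies on the system krb5.conf alone, so the KDC entries for the realm (and the [capaths] workaround from the commit message) become the administrator's responsibility. The function body starts before and continues past this hunk.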
@@ -5005,6 +5015,7 @@ static void init_globals(bool first_time_only)
 #endif
 Globals.bUnixExtensions = True;
 Globals.bResetOnZeroVC = False;
+ Globals.bCreateKrb5Conf = true;
 /* hostname lookups can be very expensive and are broken on
 a large number of sites (tridge) */
@@ -5359,6 +5370,7 @@ FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
 FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
 FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames)
 FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly)
+FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf)
 FN_GLOBAL_CONST_STRING(lp_idmap_backend, &Globals.szIdmapBackend)
 FN_GLOBAL_STRING(lp_idmap_alloc_backend, &Globals.szIdmapAllocBackend)
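Review bot: The added default in the init_globals hunk is written `Globals.bCreateKrb5Conf = true;` while the two assignments directly above it use the `True`/`False` spelling. For consistency with the surrounding defaults it should read `Globals.bCreateKrb5Conf = True;`. A one-line comment stating that the default keeps the existing behaviour (winbind writes its private krb5.conf) would also help, since this is the only place the default is set. init_globals starts and ends outside the hunk.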