-rw-r--r-- | docs-xml/smbdotconf/winbind/createkrb5conf.xml | 24 | ||||
-rw-r--r-- | source3/include/proto.h | 1 | ||||
-rw-r--r-- | source3/libads/kerberos.c | 7 | ||||
-rw-r--r-- | source3/param/loadparm.c | 12 |
4 files changed, 43 insertions, 1 deletions
diff --git a/docs-xml/smbdotconf/winbind/createkrb5conf.xml b/docs-xml/smbdotconf/winbind/createkrb5conf.xml
new file mode 100644
index 0000000000..38818240c3
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/createkrb5conf.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="create krb5 conf"
+ context="G"
+ type="string"
+ advanced="1" developer="0"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ Setting this paramter to <value type="example">no</value> prevents
+ winbind from creating custom krb5.conf files. Winbind normally does
+ this because the krb5 libraries are not AD-site-aware and thus would
+ pick any domain controller out of potentially very many. Winbind
+ is site-aware and makes the krb5 libraries use a local DC by
+ creating its own krb5.conf files.
+ </para>
+ <para>
+ Preventing winbind from doing this might become necessary if you
+ have to add special options into your system-krb5.conf that winbind
+ does not see.
+ </para>
+
+</description>
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 44f6685dac..50ac834307 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -3998,6 +3998,7 @@ bool lp_winbind_refresh_tickets(void);
 bool lp_winbind_offline_logon(void);
 bool lp_winbind_normalize_names(void);
 bool lp_winbind_rpc_only(void);
+bool lp_create_krb5_conf(void);
 const char **lp_idmap_domains(void);
 const char *lp_idmap_backend(void);
 char *lp_idmap_alloc_backend(void);
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index e1618636e1..c1e6c4ac38 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -817,7 +817,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
 const char *sitename,
 struct sockaddr_storage *pss)
 {
- char *dname = lock_path("smb_krb5");
+ char *dname;
 char *tmpname = NULL;
 char *fname = NULL;
 char *file_contents = NULL;
@@ -828,6 +828,11 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
 char *realm_upper = NULL;
 bool result = false;
 
+ if (!lp_create_krb5_conf()) {
+ return false;
+ }
+
+ dname = lock_path("smb_krb5");
 if (!dname) {
 return false;
 }
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 35984716a2..c91f67656b 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -199,6 +199,7 @@ struct global {
 bool bWinbindOfflineLogon;
 bool bWinbindNormalizeNames;
 bool bWinbindRpcOnly;
+ bool bCreateKrb5Conf;
 char *szIdmapBackend;
 char *szIdmapAllocBackend;
 char *szAddShareCommand;
@@ -4588,6 +4589,15 @@ static struct parm_struct parm_table[] = {
 .enum_list = NULL,
 .flags = FLAG_ADVANCED,
 },
+ {
+ .label = "create krb5 conf",
+ .type = P_BOOL,
+ .p_class = P_GLOBAL,
+ .ptr = &Globals.bCreateKrb5Conf,
+ .special = NULL,
+ .enum_list = NULL,
+ .flags = FLAG_ADVANCED,
+ },
 
 {NULL, P_BOOL, P_NONE, NULL, NULL, NULL, 0}
 };
@@ -5005,6 +5015,7 @@ static void init_globals(bool first_time_only)
 #endif
 Globals.bUnixExtensions = True;
 Globals.bResetOnZeroVC = False;
+ Globals.bCreateKrb5Conf = true;
 
 /* hostname lookups can be very expensive and are broken on
 a large number of sites (tridge) */
@@ -5359,6 +5370,7 @@ FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
 FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
 FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames)
 FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly)
+FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf)
 FN_GLOBAL_CONST_STRING(lp_idmap_backend, &Globals.szIdmapBackend)
 FN_GLOBAL_STRING(lp_idmap_alloc_backend, &Globals.szIdmapAllocBackend) |
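Review bot: The new `if (!lp_create_krb5_conf()) { return false; }` makes a deliberately disabled feature report the same `false` as a genuine failure, such as the lock_path() failure directly below it, so call sites cannot tell "not configured to write" from "could not write"; presumably some of them log or act on false, which would become noise once `create krb5 conf = no` is set. The intent should at least be stated at the return, e.g. `/* "create krb5 conf = no": nothing to write; not an error */`, and if callers do escalate on false it is worth checking whether they should consult lp_create_krb5_conf() themselves. The body of create_local_private_krb5_conf_for_domain continues outside the hunk.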
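Review bot: The parm_table entry registers "create krb5 conf" as `.type = P_BOOL`, but the createkrb5conf.xml added by this same commit declares the parameter with `type="string"`, so the generated documentation will describe a boolean switch as a string-valued option. The XML should carry the boolean type that the documents of the other P_BOOL parameters use, and "paramter" in its first paragraph is a typo worth fixing in the same pass.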
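Review bot: `Globals.bCreateKrb5Conf = true;` is inserted between lines that spell the same values `True` and `False`, so the init_globals block now mixes the two forms within three adjacent lines. Either spelling works, but the new line should follow its neighbours here (`Globals.bCreateKrb5Conf = True;`) unless the file is being migrated to the lowercase form deliberately.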