From b824b1b7bf19b4b8c64b7c2c5a6a1d3287820088 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Wed, 26 Aug 2009 14:56:41 +0200 Subject: Add a parameter to disable the automatic creation of krb5.conf files This is necessary because MIT 1.5 can't deal with certain types (Tree Root) of transitive AD trusts. The workaround is to add a [capaths] directive to /etc/krb5.conf, which we don't automatically put into the krb5.conf winbind creates. The alternative would have been something like a "krb5 conf include", but I think if someone has to mess with /etc/krb5.conf at this level, it should be easy to add the site-local KDCs as well. Next alternative is to correctly figure out the [capaths] parameter for all trusted domains, but for that I don't have the time right now. Sorry :-)
---
source3/libads/kerberos.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'source3/libads')
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index e1618636e1..c1e6c4ac38 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -817,7 +817,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
 const char *sitename,
 struct sockaddr_storage *pss)
 {
- char *dname = lock_path("smb_krb5");
+ char *dname;
 char *tmpname = NULL;
 char *fname = NULL;
 char *file_contents = NULL;
@@ -828,6 +828,11 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
 char *realm_upper = NULL;
 bool result = false;
 
+ if (!lp_create_krb5_conf()) {
+ return false;
+ }
+
+ dname = lock_path("smb_krb5");
 if (!dname) {
 return false;
 }
-- cgit
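Review bot: The early return added in the second hunk, `if (!lp_create_krb5_conf()) { return false; }`, hands back the same `false` as the `lock_path("smb_krb5")` failure path just below it, so a caller cannot tell "generation disabled by configuration" from a real error, and the skip leaves no trace in the log. I would add a debug line at that return, for example `DEBUG(10, ("create_local_private_krb5_conf_for_domain: krb5.conf generation disabled by configuration\n"));`, so that an operator chasing a Kerberos failure can see that no private krb5.conf was written. A short comment there should also state that with the option off the KDC and realm data come only from the administrator-maintained /etc/krb5.conf, as the commit message describes. Whether `false` is the right value for the disabled case depends on how callers use the result, which is not visible here; the function body continues past the end of the hunk.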