43 lines
1.3 KiB
Diff
43 lines
1.3 KiB
Diff
|
From 5a084994144704a6c146b94f8a22cf57ce08deab Mon Sep 17 00:00:00 2001
|
||
|
|
From: Alexander Bokovoy <ab@samba.org>
|
||
|
|
Date: Mon, 7 Oct 2019 18:24:28 +0300
|
||
|
|
Subject: [PATCH] samba-tool: create working private krb5.conf
|
||
|
|
|
||
|
|
DNS update tool uses private krb5.conf which should have enough details
|
||
|
|
to authenticate with GSS-TSIG when running nsupdate.
|
||
|
|
|
||
|
|
Unfortunately, the configuration we provide is not enough. We set
|
||
|
|
defaults to not lookup REALM via DNS but at the same time we don't
|
||
|
|
provide any realm definition. As result, MIT Kerberos cannot actually
|
||
|
|
find a working realm for Samba AD deployment because it cannot query DNS
|
||
|
|
for a realm discovery or pick it up from the configuration.
|
||
|
|
|
||
|
|
Extend private krb5.conf with a realm definition that will allow MIT
|
||
|
|
Kerberos to look up KDC over DNS.
|
||
|
|
|
||
|
|
Signed-off-by: Alexander Bokovoy <ab@samba.org>
|
||
|
|
Reviewed-by: Andreas Schneider <asn@samba.org>
|
||
|
|
---
|
||
|
|
source4/setup/krb5.conf | 8 ++++++++
|
||
|
|
1 file changed, 8 insertions(+)
|
||
|
|
|
||
|
|
diff --git a/source4/setup/krb5.conf b/source4/setup/krb5.conf
|
||
|
|
index b1bf6cf907d..ad6f2818fb5 100644
|
||
|
|
--- a/source4/setup/krb5.conf
|
||
|
|
+++ b/source4/setup/krb5.conf
|
||
|
|
@@ -2,3 +2,11 @@
|
||
|
|
default_realm = ${REALM}
|
||
|
|
dns_lookup_realm = false
|
||
|
|
dns_lookup_kdc = true
|
||
|
|
+
|
||
|
|
+[realms]
|
||
|
|
+${REALM} = {
|
||
|
|
+ default_domain = ${DNSDOMAIN}
|
||
|
|
+}
|
||
|
|
+
|
||
|
|
+[domain_realm]
|
||
|
|
+ ${HOSTNAME} = ${REALM}
|
||
|
|
--
|
||
|
|
2.21.0
|
||
|
|
|