Bug #6978

smbadm join overwrites /etc/krb5/krb5.keytab

Added by Paul Henson over 4 years ago. Updated over 4 years ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Start date: 2016-05-17
Due date: -
% Done: 0%
Estimated time: -
Difficulty: Bite-size
Tags: needs-triage
Gerrit CR: -

Description

When joining an Active Directory domain, the illumos smb server rather rudely overwrites an existing system keytab, destroying any existing entries. While one option might be to try and share the keytab, it seems cleaner for the smb server to store its domain keytab entries someplace else. This will be trivial to do, as the location of the smb server keytab is a simple define located in lib/smbsrv/libsmbns/common/smbns_krb.h

There are really only two questions, one generic to illumos and one distribution-specific:

1. Where should the smb server specific keytab be located?

2. How should a distribution handle moving any existing keys when this update is applied to a running system?
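As an added example, not code from the illumos project or from this report: a small Python parser for the MIT keytab on-disk format (version 0x0502) that lists the entries in a keytab and reports which entries of one keytab are absent from another. A distribution working on question 2 could run a comparison like this between a copy of /etc/krb5/krb5.keytab saved before the update and the keytab as it stands afterwards, to see exactly which service keys were lost. The keytab contents below are constructed in memory; the principal names, realm, timestamps and key bytes are made up, and nothing here claims which entries smbadm join actually writes.

```python
import struct
from typing import List, NamedTuple, Sequence, Tuple


class KeytabEntry(NamedTuple):
    principal: str   # "name/instance@REALM"
    kvno: int        # key version number
    enctype: int     # Kerberos encryption type number
    timestamp: int   # seconds since the epoch, as stored in the entry


def _counted_octets(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a uint16 length-prefixed byte string at off; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse an MIT keytab (file format version 0x0502) into a list of entries.

    Layout per entry: int32 size (negative = free slot to skip), uint16 component
    count, realm, components, uint32 name type, uint32 timestamp, uint8 vno,
    keyblock (uint16 enctype, uint16 key length, key), optional uint32 vno.
    """
    if data[:2] != b"\x05\x02":
        raise ValueError("only MIT keytab version 0x0502 is supported")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:            # a deleted entry: skip the hole
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_octets(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_octets(data, off)
            comps.append(comp.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4 + klen         # key bytes themselves are not needed for a listing
        kvno = vno8
        if end - off >= 4:      # 32-bit kvno, present in newer entries
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype, ts))
    return entries


def build_keytab(entries: Sequence[Tuple[str, int, int, int, bytes]]) -> bytes:
    """Serialize (principal, kvno, enctype, timestamp, key) tuples as a 0x0502 keytab.

    Used here only to construct sample input; a real keytab comes from ktadd/kinit.
    """
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, ts, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, ts, kvno & 0xFF)   # name type 1 = KRB5_NT_PRINCIPAL
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def lost_entries(before: List[KeytabEntry], after: List[KeytabEntry]) -> List[KeytabEntry]:
    """Entries (identified by principal, kvno and enctype) present before but not after."""
    kept = {(e.principal, e.kvno, e.enctype) for e in after}
    return [e for e in before if (e.principal, e.kvno, e.enctype) not in kept]


def compare_keytab_files(before_path: str, after_path: str) -> List[KeytabEntry]:
    """Convenience wrapper for two on-disk keytabs, e.g. a pre-update backup and the live file."""
    with open(before_path, "rb") as f_before, open(after_path, "rb") as f_after:
        return lost_entries(parse_keytab(f_before.read()), parse_keytab(f_after.read()))


# Constructed samples: a system keytab holding host/ and nfs/ keys from earlier
# provisioning, and a hypothetical replacement keytab that no longer carries them.
BEFORE = build_keytab([
    ("host/fs1.example.com@EXAMPLE.COM", 3, 18, 1463000000, b"\x11" * 32),
    ("nfs/fs1.example.com@EXAMPLE.COM", 3, 18, 1463000000, b"\x22" * 32),
])
AFTER = build_keytab([
    ("FS1$@EXAMPLE.COM", 2, 18, 1463500000, b"\x33" * 32),
    ("host/fs1.example.com@EXAMPLE.COM", 2, 18, 1463500000, b"\x44" * 32),
])

if __name__ == "__main__":
    for e in lost_entries(parse_keytab(BEFORE), parse_keytab(AFTER)):
        print(f"lost: {e.principal} kvno={e.kvno} enctype={e.enctype}")
```

The comparison keys on principal, kvno and enctype rather than on principal alone, so a service principal that survives under a new kvno is still reported: tickets issued against the old key version stop verifying once that key is gone, which is exactly the breakage an administrator needs to know about before deciding whether to restore the backup or re-run ktadd for the affected services.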

#1

Updated by Paul Henson over 4 years ago

Hmm, well, not as easy as initially thought; idmapd uses ldap via gssapi and accesses the default system keytab. There's no parameter or configuration mechanism to select a different keytab, although it looks like you might be able to set the global environment variable KRB5_KTNAME to make it use an alternate one. There might be other pieces hiding out that don't directly reference /etc/krb5/krb5.keytab but still use it, need to hunt some more.
