
[PATCH] samba-tool domain provision with MIT KDC

[PATCH] samba-tool domain provision with MIT KDC

Samba - samba-technical mailing list
Hi Andrew,

here are the patches implementing the provisioning in a cleaner way. It works
on openSUSE, Fedora and Debian.


Please review and push if OK :-)


Thanks,



        Andreas

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

Attachment: mit_kdc_provision.patch.txt (11K)

Re: [PATCH] samba-tool domain provision with MIT KDC

On Mon, 2017-05-15 at 11:19 +0200, Andreas Schneider wrote:
> Hi Andrew,
>
> here are the patches implementing the provisioning in a cleaner way. It works
> on openSUSE, Fedora and Debian.
>
>
> Please review and push if OK :-)
>

Thanks!

This is much better than the previous approach.  However, I'm a bit
worried about one thing, that is what should we do if we have to change
it?

This comes from the experience with provision-generated config files so
far.  For example, we have a bug in our provision script where it
writes in the full list of services if you use DLZ_BIND9, rather than
just '-dns'.

We should fix that, naturally, but what should we do with all the old
configuration files (particularly when we add a service)?

If we write it out to private/ once, we have to live with exactly that
file forever, as we can't (trivially) know if the administrator
intended to change it, or it was an old config file before our required
settings changed.

This is still an important step forward, but I wanted to put it in
writing why I favour a tmp file generated just before the fork()/exec()
of the KDC.

Thanks!

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: [PATCH] samba-tool domain provision with MIT KDC

On Monday, 15 May 2017 20:24:49 CEST Andrew Bartlett wrote:

> On Mon, 2017-05-15 at 11:19 +0200, Andreas Schneider wrote:
> > Hi Andrew,
> >
> > here are the patches implementing the provisioning in a cleaner way. It
> > works on openSUSE, Fedora and Debian.
> >
> >
> > Please review and push if OK :-)
>
> Thanks!
>
> This is much better than the previous approach.  However, I'm a bit
> worried about one thing, that is what should we do if we have to change
> it?
>
> This comes from the experience with provision-generated config files so
> far.  For example, we have a bug in our provision script where it
> writes in the full list of services if you use DLZ_BIND9, rather than
> just '-dns'.
>
> We should fix that, naturally, but what should we do with all the old
> configuration files (particularly when we add a service)?
>
> If we write it out to private/ once, we have to live with exactly that
> file forever, as we can't (trivially) know if the administrator
> intended to change it, or it was an old config file before our required
> settings changed.
>
> This is still an important step forward, but I wanted to put it in
> writing why I favour a tmp file generated just before the fork()/exec()
> of the KDC.

Well, how do you configure PKINIT or Smartcard support then?


With Heimdal you have to copy the krb5.conf file generated in the private dir.
This file is also used by the Heimdal KDC, it doesn't have an extra
configuration file.


For MIT Kerberos you have to do that for the KDC in the kdc.conf file. So for
PKINIT and Smartcards you need to be able to modify the file ...



        Andreas


--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org
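The two positions above (a tmp file rendered just before the fork()/exec() of the KDC, versus a persistent kdc.conf in private/ that the admin can edit for PKINIT/smartcard logon) are easy to show side by side. The block below is an added illustration written for this page, not Samba's provision code and not the attached patch: it renders a minimal kdc.conf, records a SHA-256 of what provisioning wrote so a later run can tell an untouched generated file from an admin-edited one (the case Andrew says cannot be told apart "trivially"), and builds the argv/env for the tmp-file approach using KRB5_KDC_PROFILE, the variable MIT krb5kdc reads for its profile. The realm name, the private/ layout, the options emitted, and the PKINIT paths are assumptions chosen for the example.

```python
"""Added illustration (not Samba's provision code): persistent kdc.conf with a
provisioning fingerprint, versus a tmp kdc.conf rendered right before exec.
Assumed: realm name, private/ layout, option set and PKINIT paths below."""
import hashlib
import os
import tempfile

STAMP_SUFFIX = ".provisioned-sha256"  # sidecar: hash of what provisioning wrote


def render_kdc_conf(realm, realm_settings=()):
    """Render a minimal kdc.conf(5); realm_settings are extra (key, value)
    pairs for the realm block, e.g. pkinit_identity / pkinit_anchors."""
    lines = [
        "[kdcdefaults]",
        "    kdc_ports = 88",
        "    kdc_tcp_ports = 88",
        "",
        "[realms]",
        f"    {realm} = {{",
        f"        default_domain = {realm.lower()}",
    ]
    lines += [f"        {key} = {value}" for key, value in realm_settings]
    lines.append("    }")
    return "\n".join(lines) + "\n"


def _write_0600(path, data):
    """Create with mode 0600 and rename into place (no half-written file)."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.replace(tmp, path)


def write_persistent(path, content):
    """Persistent approach: write into private/ and record the SHA-256 of
    exactly what was written, so a later run can recognise its own output."""
    data = content.encode()
    _write_0600(path, data)
    _write_0600(path + STAMP_SUFFIX, (hashlib.sha256(data).hexdigest() + "\n").encode())


def admin_modified(path):
    """True when the file no longer matches the recorded hash. A missing
    stamp is the undecidable case from the thread: treat it as modified."""
    try:
        with open(path + STAMP_SUFFIX) as f:
            recorded = f.read().strip()
        with open(path, "rb") as f:
            current = hashlib.sha256(f.read()).hexdigest()
    except FileNotFoundError:
        return True
    return recorded != current


def maybe_regenerate(path, new_content):
    """Rewrite only an untouched generated file; an edited one is left alone
    and False is returned so the caller can tell the admin to merge by hand."""
    if os.path.exists(path) and admin_modified(path):
        return False
    write_persistent(path, new_content)
    return True


def exec_plan_for_temp_config(realm):
    """Tmp-file approach: render into a fresh 0700 directory just before
    fork()/exec() and point the KDC at it via KRB5_KDC_PROFILE. Returns argv
    and env instead of exec'ing so the plan can be inspected offline."""
    path = os.path.join(tempfile.mkdtemp(prefix="kdc-conf-"), "kdc.conf")
    _write_0600(path, render_kdc_conf(realm).encode())
    return ["krb5kdc", "-n"], dict(os.environ, KRB5_KDC_PROFILE=path)  # -n: foreground


def demo(realm="EXAMPLE.COM"):
    """Walk both approaches in a scratch private/ dir; return what happened."""
    private_dir = tempfile.mkdtemp(prefix="private-")
    path = os.path.join(private_dir, "kdc.conf")
    write_persistent(path, render_kdc_conf(realm))
    untouched = not admin_modified(path)
    # Later provision run adds a setting: file is still ours, so it is rewritten.
    regen_ok = maybe_regenerate(path, render_kdc_conf(realm, [("max_life", "10h")]))
    # Admin hand-edits the file for PKINIT/smartcard logon (stamp untouched).
    _write_0600(path, render_kdc_conf(realm, [
        ("max_life", "10h"),
        ("pkinit_identity", "FILE:/etc/pki/kdc.pem,/etc/pki/kdckey.pem"),
        ("pkinit_anchors", "FILE:/etc/pki/cacert.pem"),
    ]).encode())
    edited = admin_modified(path)
    # Next upgrade must not clobber the admin's PKINIT settings.
    regen_blocked = not maybe_regenerate(path, render_kdc_conf(realm, [("max_life", "8h")]))
    with open(path) as f:
        pkinit_kept = "pkinit_identity" in f.read()
    argv, env = exec_plan_for_temp_config(realm)
    return {
        "untouched_after_provision": untouched,
        "regenerated_while_untouched": regen_ok,
        "detected_admin_edit": edited,
        "regeneration_refused_after_edit": regen_blocked,
        "pkinit_settings_kept": pkinit_kept,
        "argv": argv,
        "kdc_profile": env["KRB5_KDC_PROFILE"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fingerprint only answers "did we write exactly this?", which is enough to overwrite safely on upgrade; it does not merge an admin's PKINIT lines into a newer template, so the refusal path still needs a warning to the admin. The tmp-file path keeps the generated file out of private/ entirely, which is what makes the upgrade question disappear and the PKINIT question appear.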


Re: [PATCH] samba-tool domain provision with MIT KDC

On Tuesday, 16 May 2017 09:59:48 CEST Andreas Schneider via samba-technical wrote:

> On Monday, 15 May 2017 20:24:49 CEST Andrew Bartlett wrote:
> > On Mon, 2017-05-15 at 11:19 +0200, Andreas Schneider wrote:
> > > Hi Andrew,
> > >
> > > here are the patches implementing the provisioning in a cleaner way. It
> > > works on openSUSE, Fedora and Debian.
> > >
> > >
> > > Please review and push if OK :-)
> >
> > Thanks!
> >
> > This is much better than the previous approach.  However, I'm a bit
> > worried about one thing, that is what should we do if we have to change
> > it?
> >
> > This comes from the experience with provision-generated config files so
> > far.  For example, we have a bug in our provision script where it
> > writes in the full list of services if you use DLZ_BIND9, rather than
> > just '-dns'.
> >
> > We should fix that, naturally, but what should we do with all the old
> > configuration files (particularly when we add a service)?
> >
> > If we write it out to private/ once, we have to live with exactly that
> > file forever, as we can't (trivially) know if the administrator
> > intended to change it, or it was an old config file before our required
> > settings changed.
> >
> > This is still an important step forward, but I wanted to put it in
> > writing why I favour a tmp file generated just before the fork()/exec()
> > of the KDC.
>
> Well, how do you configure PKINIT or Smartcard support then?
>
>
> With Heimdal you have to copy the krb5.conf file generated in the private
> dir. This file is also used by the Heimdal KDC, it doesn't have an extra
> configuration file.
>
>
> For MIT Kerberos you have to do that for the KDC in the kdc.conf file. So
> for PKINIT and Smartcards you need to be able to modify the file ...

Friendly ping :-)

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org


Re: [PATCH] samba-tool domain provision with MIT KDC

On Tue, 2017-05-23 at 09:06 +0200, Andreas Schneider wrote:

> On Tuesday, 16 May 2017 09:59:48 CEST Andreas Schneider via samba-technical wrote:
> > On Monday, 15 May 2017 20:24:49 CEST Andrew Bartlett wrote:
> > > On Mon, 2017-05-15 at 11:19 +0200, Andreas Schneider wrote:
> > > > Hi Andrew,
> > > >
> > > > here are the patches implementing the provisioning in a cleaner way. It
> > > > works on openSUSE, Fedora and Debian.
> > > >
> > > >
> > > > Please review and push if OK :-)
> > >
> > > Thanks!
> > >
> > > This is much better than the previous approach.  However, I'm a bit
> > > worried about one thing, that is what should we do if we have to change
> > > it?
> > >
> > > This comes from the experience with provision-generated config files so
> > > far.  For example, we have a bug in our provision script where it
> > > writes in the full list of services if you use DLZ_BIND9, rather than
> > > just '-dns'.
> > >
> > > We should fix that, naturally, but what should we do with all the old
> > > configuration files (particularly when we add a service)?
> > >
> > > If we write it out to private/ once, we have to live with exactly that
> > > file forever, as we can't (trivially) know if the administrator
> > > intended to change it, or it was an old config file before our required
> > > settings changed.
> > >
> > > This is still an important step forward, but I wanted to put it in
> > > writing why I favour a tmp file generated just before the fork()/exec()
> > > of the KDC.
> >
> > Well, how do you configure PKINIT or Smartcard support then?
> >
> >
> > With Heimdal you have to copy the krb5.conf file generated in the private
> > dir. This file is also used by the Heimdal KDC, it doesn't have an extra
> > configuration file.
> >
> >
> > For MIT Kerberos you have to do that for the KDC in the kdc.conf file. So
> > for PKINIT and Smartcards you need to be able to modify the file ...
>
> Friendly ping :-)

I'm not violently opposed, just not a big fan either.  I just fear we
will get into a pickle.

I'll read it over again and likely push it, as it is an improvement,
but I do hope we can do one step better.

Thanks,

Andrew Bartlett

--
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Development and Support, Catalyst IT  https://catalyst.net.nz/services/samba