From ad689bcda632bbfd90058c32973b3498cac76e0e Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 23 Nov 2016 14:39:47 +0100 Subject: [PATCH 1/3] s3:param: Add an 'include system krb5 conf' option BUG: https://bugzilla.samba.org/show_bug.cgi?id=12441 Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy (cherry picked from commit f464f69b33b40c81d6ee57bebf9d59837431739b) --- docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml | 15 +++++++++++++++ source3/param/loadparm.c | 1 + 2 files changed, 16 insertions(+) create mode 100644 docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml diff --git a/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml b/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml new file mode 100644 index 00000000000..3e5329253b0 --- /dev/null +++ b/docs-xml/smbdotconf/winbind/includesystemkrb5conf.xml @@ -0,0 +1,15 @@ + + + + Setting this parameter to no will prevent + winbind to include the system /etc/krb5.conf file into the krb5.conf file + it creates. See also . This option + only applies to Samba built with MIT Kerberos. + + + +yes + diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 32acd033b9b..f7cf70b53d8 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -713,6 +713,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.reset_on_zero_vc = false; Globals.log_writeable_files_on_exit = false; Globals.create_krb5_conf = true; + Globals.include_system_krb5_conf = true; Globals._winbind_max_domain_connections = 1; /* hostname lookups can be very expensive and are broken on -- 2.11.0 From 9d13d242dfe0f84ca03024b2c90a5f6817896f27 Mon Sep 17 00:00:00 2001 
From: Andreas Schneider Date: Wed, 23 Nov 2016 14:40:42 +0100 Subject: [PATCH 2/3] s3:libads: Include system /etc/krb5.conf if we use MIT Kerberos The system /etc/krb5.conf defines some defaults like: default_ccache_name = KEYRING:persistent:%{uid} We need to respect that so should include it in our own created krb5.conf file. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12441 Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy (cherry picked from commit 4ef772be3a7259b48253643392574fab28c37916) --- source3/libads/kerberos.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index 4774a9fc726..319e56f265b 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -844,6 +844,7 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, char *realm_upper = NULL; bool result = false; char *aes_enctypes = NULL; + const char *include_system_krb5 = ""; mode_t mask; if (!lp_create_krb5_conf()) { @@ -912,6 +913,12 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, } #endif +#if !defined(SAMBA4_USES_HEIMDAL) + if (lp_include_system_krb5_conf()) { + include_system_krb5 = "include /etc/krb5.conf"; + } +#endif + file_contents = talloc_asprintf(fname, "[libdefaults]\n\tdefault_realm = %s\n" "\tdefault_tgs_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" @@ -920,8 +927,10 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, "\tdns_lookup_realm = false\n\n" "[realms]\n\t%s = {\n" "%s\t}\n", + "%s\n", realm_upper, aes_enctypes, aes_enctypes, aes_enctypes, - realm_upper, kdc_ip_string); + realm_upper, kdc_ip_string, + include_system_krb5); if (!file_contents) { goto done; -- 2.11.0 From 7b541dc6ad19e9dc04775a5dfe9ec19b06085886 Mon Sep 17 00:00:00 2001 
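Review bot: The added `#if !defined(SAMBA4_USES_HEIMDAL)` block emits `include /etc/krb5.conf` without checking that the file exists and is readable. MIT's krb5.conf format requires an included file to exist and be readable, so on a host without it the generated private krb5.conf would presumably fail to parse as a whole, and patch 1 turns the option on by default. A guard such as `if (lp_include_system_krb5_conf() && access("/etc/krb5.conf", R_OK) == 0) {` avoids that, and the literal path could come from a build-time or configured location instead. The enclosing function starts and ends outside the hunk.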
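Review bot: In the last kerberos.c hunk the context line `"%s\t}\n",` keeps its trailing comma, so the added `"%s\n",` is not concatenated into the format string but becomes the first variadic argument of talloc_asprintf. Every later argument then shifts by one: default_realm receives the literal `%s\n`, realm_upper and aes_enctypes land in the wrong slots, and kdc_ip_string and include_system_krb5 fall past the last conversion. The include directive is therefore never written and the generated krb5.conf carries wrong realm and KDC data. The intended pair is `"%s\t}\n"` followed by `"%s\n",`, i.e. the comma moves to the new line. The talloc_asprintf call begins in the previous hunk and the function body extends outside both.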
From: Andreas Schneider Date: Thu, 1 Dec 2016 08:18:58 +0100 Subject: [PATCH 3/3] selftest: Do not include system krb5.conf in selftest BUG: https://bugzilla.samba.org/show_bug.cgi?id=12441 Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy --- python/samba/tests/docs.py | 3 ++- selftest/selftest.pl | 1 + selftest/target/Samba3.pm | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/python/samba/tests/docs.py b/python/samba/tests/docs.py index e7123b6d9ad..405b84469e2 100644 --- a/python/samba/tests/docs.py +++ b/python/samba/tests/docs.py @@ -165,7 +165,8 @@ class SmbDotConfTests(TestCase): 'queuepause command','lpresume command', 'lppause command', 'lprm command', 'lpq command', 'print command', 'template homedir', 'spoolss: os_major', 'spoolss: os_minor', 'spoolss: os_build', - 'max open files', 'fss: prune stale', 'fss: sequence timeout']) + 'max open files', 'fss: prune stale', 'fss: sequence timeout', + 'include system krb5 conf']) def setUp(self): super(SmbDotConfTests, self).setUp() diff --git a/selftest/selftest.pl b/selftest/selftest.pl index ff5f27d0855..d743136f0f3 100755 --- a/selftest/selftest.pl +++ b/selftest/selftest.pl @@ -595,6 +595,7 @@ sub write_clientconf($$$) tls cafile = ${cacert} tls crlfile = ${cacrl_pem} tls verify peer = no_check + include system krb5 conf = no "; close(CF); } diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index aef3fd7c580..5e62cf12fd6 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -1414,6 +1414,7 @@ sub provision($$$$$$$$) winbind enum users = yes winbind enum groups = yes winbind separator = / + include system krb5 conf = no # min receivefile size = 4000 -- 2.11.0
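Review bot: Both selftest configurations set `include system krb5 conf = no` (the client config in write_clientconf in selftest/selftest.pl and the provision block in selftest/target/Samba3.pm), so the branch that is enabled by default in production is not run by the test suite as far as these hunks show. A mistake in the krb5.conf generated under the enabled setting, such as a misplaced format argument, would go unnoticed. Consider one test that enables the option against a fixture krb5.conf and checks the contents of the generated file. A short comment next to the setting would also help, for example `# keep the host's /etc/krb5.conf out of test runs`.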