Bug 6252 - create_local_private_krb5_conf_for_domain can fail if not root
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 3.3
Classification: Unclassified
Component: Client tools
Version: 3.3.2
Hardware: x86 Linux
Importance: P3 minor
Target Milestone: ---
Assignee: Guenther Deschner
QA Contact: Samba QA Contact
Reported: 2009-04-08 05:05 UTC by Blindauer Emmanuel (dead mail address)
Modified: 2020-12-22 00:17 UTC

Description Blindauer Emmanuel (dead mail address) 2009-04-08 05:05:38 UTC
I use "net ads" often to get some information against a 2003 AD. I use Kerberos mainly for such operations.
With the 3.3 release, some warnings come up because the code thinks it is running as root, but in some situations, for example as a user with an admin ticket, or when no tickets are present, this isn't the case.


$ LC_ALL=C net ads info
[2009/04/08 12:02:06,  0] libads/kerberos.c:create_local_private_krb5_conf_for_domain(914)
  create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/cache/samba/smb_tmp_krb5.FBpr5C. Errno Permission denied
[2009/04/08 12:02:06,  0] libads/kerberos.c:create_local_private_krb5_conf_for_domain(914)
  create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/cache/samba/smb_tmp_krb5.mWR6b1. Errno Permission denied
LDAP server: 130.......

If I add a sticky bit on /var/cache/samba to allow the creation of the temporary file:

$ LC_ALL=C net ads info
[2009/04/08 12:03:15,  0] libads/kerberos.c:create_local_private_krb5_conf_for_domain(950)
  create_local_private_krb5_conf_for_domain: rename of /var/cache/samba/smb_tmp_krb5.5TA6ut to /var/cache/samba/smb_krb5/krb5.conf.DPTINFO failed. Errno Operation not permitted
[2009/04/08 12:03:15,  0] libads/kerberos.c:create_local_private_krb5_conf_for_domain(950)
  create_local_private_krb5_conf_for_domain: rename of /var/cache/samba/smb_tmp_krb5.NN4Peh to /var/cache/samba/smb_krb5/krb5.conf.DPTINFO failed. Errno Operation not permitted
LDAP server: 130....

/var/cache/samba/smb_krb5/krb5.conf.DPTINFO belongs to root (and the content is up to date).
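
Added example, not part of the bug report and not Samba's code: a simplified C model of the classic Unix permission checks that can produce the two errno values in the logs above, EACCES when a directory is not writable by the caller and EPERM when a sticky directory holds a target file owned by another user. The function names and sample values are hypothetical; supplementary groups, ACLs and capabilities are not modelled.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>

#ifndef S_ISVTX
#define S_ISVTX 01000 /* sticky bit, Linux value, for strict ISO C builds */
#endif

/* Owner/group/other check for write+search on a directory. Assumption:
 * supplementary groups, ACLs and capabilities are not modelled. */
static int dir_writable(const struct stat *d, uid_t uid, gid_t gid)
{
    mode_t need = S_IWOTH | S_IXOTH;
    if (uid == 0)
        return 1; /* root bypasses the mode bits */
    if (d->st_uid == uid)
        need = S_IWUSR | S_IXUSR;
    else if (d->st_gid == gid)
        need = S_IWGRP | S_IXGRP;
    return (d->st_mode & need) == need;
}

/* Predict the errno of creating a temp file in tmp_dir and rename()ing it
 * over `target` (NULL if absent) in dst_dir. Returns 0 if both should work. */
int predict_replace_errno(const struct stat *tmp_dir, const struct stat *dst_dir,
                          const struct stat *target, uid_t uid, gid_t gid)
{
    if (!dir_writable(tmp_dir, uid, gid))
        return EACCES; /* cannot create the temp file */
    if (!dir_writable(dst_dir, uid, gid))
        return EACCES; /* cannot add an entry to the destination */
    /* Sticky directory: only the file owner, the directory owner or root
     * may replace an existing entry (rename(2)). */
    if ((dst_dir->st_mode & S_ISVTX) && uid != 0 && target != NULL &&
        target->st_uid != uid && dst_dir->st_uid != uid)
        return EPERM;
    return 0;
}

int main(void)
{
    /* Constructed input: root-owned 0755 directory, caller uid/gid 1000. */
    struct stat dir = { .st_mode = 0755, .st_uid = 0, .st_gid = 0 };
    printf("predicted errno: %d\n",
           predict_replace_errno(&dir, &dir, NULL, 1000, 1000));
    return 0;
}
```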
Comment 1 devurandom 2015-03-26 14:00:59 UTC
Same issue here. Is a workaround or fix for this known?

$ net user add test
create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/run/samba/smb_tmp_krb5.pTujCV. Errno Permission denied
create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/run/samba/smb_tmp_krb5.Csqnrk. Errno Permission denied
Could not add user test: No such object
Comment 2 devurandom 2015-03-26 14:02:48 UTC
(In reply to devurandom from comment #1)
> Could not add user test: No such object

This line was a mistake of mine. The rest is still valid.
Comment 3 Björn Jacke 2020-12-22 00:17:41 UTC
I think users without permission to write to the krb5.conf directory should really just not run net ads commands that generate krb5.conf files.