6252 – create_local_private_krb5_conf_for_domain can fail if not root

Bug 6252 - create_local_private_krb5_conf_for_domain can fail if not root

Summary: create_local_private_krb5_conf_for_domain can fail if not root

Status:	RESOLVED WONTFIX

Alias:	None

Product:	Samba 3.3
Classification:	Unclassified
Component:	Client tools (show other bugs)
Version:	3.3.2
Hardware:	x86 Linux

Importance:	P3 minor
Target Milestone:	---
Assignee:	Guenther Deschner
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2009-04-08 05:05 UTC by Blindauer Emmanuel (dead mail address)
Modified:	2020-12-22 00:17 UTC (History)
CC List:	1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Blindauer Emmanuel (dead mail address) 2009-04-08 05:05:38 UTC

I use "net ads" often to get some informations against a 2003 AD. I use Kerberos mainly for such operations.
With 3.3 release, there are some warnings which come up, because the code think it is running as root, but in some situations, for example as user with admin ticket, or when no tickets are present, this isn't the case


$ LC_ALL=C net ads info
[2009/04/08 12:02:06,  0] libads/kerberos.c:create_local_private_krb5_conf_for_domain(914)
  create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/cache/samba/smb_tmp_krb5.FBpr5C. Errno Permission denied
[2009/04/08 12:02:06,  0] libads/kerberos.c:create_local_private_krb5_conf_for_domain(914)
  create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/cache/samba/smb_tmp_krb5.mWR6b1. Errno Permission denied
LDAP server: 130.......

If I add a stickybit on /var/cache/samba to allow the creation of the temporary file:

$ LC_ALL=C net ads info
[2009/04/08 12:03:15,  0] libads/kerberos.c:create_local_private_krb5_conf_for_domain(950)
  create_local_private_krb5_conf_for_domain: rename of /var/cache/samba/smb_tmp_krb5.5TA6ut to /var/cache/samba/smb_krb5/krb5.conf.DPTINFO failed. Errno Operation not permitted
[2009/04/08 12:03:15,  0] libads/kerberos.c:create_local_private_krb5_conf_for_domain(950)
  create_local_private_krb5_conf_for_domain: rename of /var/cache/samba/smb_tmp_krb5.NN4Peh to /var/cache/samba/smb_krb5/krb5.conf.DPTINFO failed. Errno Operation not permitted
LDAP server: 130....

 /var/cache/samba/smb_krb5/krb5.conf.DPTINFO belongs to root (and the content is up to date)

Comment 1 devurandom 2015-03-26 14:00:59 UTC

Same issue here. Is a workaround or fix for this known?

$ net user add test
create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/run/samba/smb_tmp_krb5.pTujCV. Errno Permission denied
create_local_private_krb5_conf_for_domain: smb_mkstemp failed, for file /var/run/samba/smb_tmp_krb5.Csqnrk. Errno Permission denied
Could not add user test: No such object

Comment 2 devurandom 2015-03-26 14:02:48 UTC

(In reply to devurandom from comment #1)
> Could not add user test: No such object

This line was a mistake of mine. The rest is still valid.

Comment 3 Björn Jacke 2020-12-22 00:17:41 UTC

I think users without permission to write to the krb5.conf directory should really just not run net ads commands that generate krb5.conf files.