[Samba] Re: Re: dns lookups for SRV kerberos
aplist at netcourrier.com
Tue Dec 22 09:55:21 MST 2009
>
>On Thu, Dec 10, 2009 at 9:21 AM, <aplist at netcourrier.com> wrote:
> > Hi,
> >
> >
> > I have raised this question on the kerberos mailing list, but have been
> > told that Samba has its own behavior regarding SRV lookups.
> >
> > My configuration uses the following :
> > dns_lookup_realm = false
> > dns_lookup_kdc = false
> >
> > [realms]
> > EXAMPLE.DOM = {
> > kdc = 10.0.0.1:88
> > kdc = 10.0.0.2:88
> > admin_server = 10.0.0.1:749
> > default_domain = example.dom
> > }
> >
> > but I still see the DNS lookups for SRV _kerberos-master_udp
> > ( same with kdc = adserver1.example.dom.:88 )
> >
> > To be precise, the following happens (We don't have these records in the
> > DNS system) :
> >
> > ASREQ ->
> > <- KRBERR PREAUTH
> > DNS SRV _kerberos-master ->
> > <- no such name
> > ASREQ ->
> > <- AS REP OK
> > DNS SRV _kerberos-master ->
> > <- no such name
> > TGSREQ ->
> > <- TGSREP
> > DNS SRV _kerberos-master ->
> > <- no such name
> >
> > that makes 3 DNS lookups per TGS.
> >
> > As I have explicitly configured :
> > A) dns_lookups to false
> > B) numerical IP addresses for the KDC's
> > I would expect dns lookups to be completely *non-existent*.
> > Are my expectations correct, or is there something in the protocol that I
> > missed, that would need to enforce dns lookups even if configured not to ? Or
> > maybe I have misconfigured krb5.conf ? It seems that Samba would not look into
> > this file. Can it be configured elsewhere ?
> > Same behaviour with numerical IP addresses for "password server"
> > Timeouts summing up, the result in a default RHEL5 configuration is to
> > have "wbinfo -t" take 21 seconds to accomplish.
> > (3*5s DNS timeouts + 3*2s KDC timeouts)
> > For the moment, DNS Timeout can be lowered to 1s but not less.
> > using
> > krb5-libs-1.6.1-36.el5
> > samba-3.0.33-3.15.el5_4
> > on RHEL 5.4
> >
> >
> >
> > Regards,
> >
> > Andrew
> Interesting. Does the samba generated cached version of krb5.conf
> have dns records? This is an altogether different file than
> /etc/krb5.conf.
>
> On my CentOS 5.4 box, samba caches its krb5 config here:
> /var/cache/samba/smb_krb5/krb5.conf.NETBIOSDOMAINNAME
>
> In my experience, some of these samba generated cached entries can be
> altogether different than /etc/krb5.conf !
I didn't know about the cached version. Here it is:
[libdefaults]
default_realm = EXAMPLE.DOM
default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
[realms]
EXAMPLE.DOM = {
kdc = 10.0.0.2
kdc = 10.0.0.1
kdc = 10.0.0.1
}
I couldn't understand the logic in it. So I played with krb5.conf and smb.conf a little.
It seems that this cached file, even when deleted, can be partly reconstructed from the /var/cache/samba/gencache.tdb file:
with all references to 10.0.0.2 erased in all config files, this address was still coming up in krb5.conf.EXAMPLE.
With gencache and krb5.conf.EXAMPLE deleted, it seems that samba doesn't care about the /etc/krb5.conf file at all:
- kdcs are taken from smb.conf only.
- dns_lookup options are not taken into account.
Finally, with this line in smb.conf
password server = 10.0.0.2
the cached file krb5.conf.EXAMPLE "realms" paragraph became:
...
[realms]
EXAMPLE.DOM = {
kdc = 10.0.0.2
}
But, putting back the short name dcserver1 (which is 10.0.0.1) in smb.conf, it then becomes:
[realms]
EXAMPLE.DOM = {
kdc = 10.0.0.2
kdc = 10.0.0.1
kdc = 10.0.0.1
}
Back to start!
So it kept the 10.0.0.2 from the former smb.conf,
then added two entries for the DNS translation of dcserver1 (in smb.conf).
Does anyone know where to find precise information on:
- how the cached krb5.conf file is constructed ?
- how to prevent these SRV lookups ?
Andrew
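The practical lesson of this thread is that the krb5.conf Samba generates and caches can differ from the hand-maintained /etc/krb5.conf: a different (and here duplicated) KDC list, and no dns_lookup_* settings at all. The script below is an added example, not code from this thread or from the Samba project: it parses both files in krb5.conf syntax, lists the kdc entries of a realm, and flags duplicates, hostname (non-IP) KDCs and unset dns_lookup_* flags in the cached copy. The two embedded configurations are constructed from the ones quoted above; the cache path in the comment is the one given in the reply quoted above. What a given Samba version does with those flags is not something the script determines, it only shows where the two files disagree.

```python
"""Diff the KDC settings in /etc/krb5.conf against Samba's cached krb5.conf."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the hand-written /etc/krb5.conf from the thread.
ETC_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.DOM
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    EXAMPLE.DOM = {
        kdc = 10.0.0.1:88
        kdc = 10.0.0.2:88
        admin_server = 10.0.0.1:749
        default_domain = example.dom
    }
"""

# Constructed sample modelled on the Samba-generated cache file
# (/var/cache/samba/smb_krb5/krb5.conf.NETBIOSDOMAINNAME in the thread).
SAMBA_CACHED_CONF = """
[libdefaults]
    default_realm = EXAMPLE.DOM
    default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
[realms]
    EXAMPLE.DOM = {
        kdc = 10.0.0.2
        kdc = 10.0.0.1
        kdc = 10.0.0.1
    }
"""


def parse_krb5_conf(text: str) -> Dict[str, dict]:
    """Parse krb5.conf syntax: [sections], key = value, and key = { ... } blocks.

    Repeated keys (e.g. several 'kdc' lines) are kept in file order as a list.
    """
    conf: Dict[str, dict] = {}
    section: Optional[dict] = None
    block: Optional[dict] = None  # dict of the currently open "name = {" block
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:
            section = conf.setdefault(header.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError(f"directive before any [section]: {line!r}")
        if line == "}":
            if block is None:
                raise ValueError("unbalanced '}'")
            block = None
            continue
        key, eq, value = (part.strip() for part in line.partition("="))
        if not eq:
            raise ValueError(f"cannot parse line: {line!r}")
        if value == "{":
            block = section.setdefault(key, {})
            continue
        target = block if block is not None else section
        target.setdefault(key, []).append(value)
    if block is not None:
        raise ValueError("unterminated '{' block")
    return conf


def kdc_hosts(conf: Dict[str, dict], realm: str) -> List[str]:
    """Return the realm's kdc entries in file order, with any :port suffix removed."""
    hosts = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    return [re.sub(r":\d+$", "", h) for h in hosts]


def is_ip_literal(host: str) -> bool:
    """True for a numeric IPv4/IPv6 address, i.e. a KDC that needs no DNS resolution."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_lookup_setting(conf: Dict[str, dict], key: str) -> Optional[bool]:
    """Return the [libdefaults] dns_lookup_* flag, or None when the file does not set it."""
    values = conf.get("libdefaults", {}).get(key)
    if not values:
        return None
    return values[-1].lower() in ("true", "yes", "on", "1")


def compare_kdc_config(etc_text: str, cached_text: str, realm: str) -> dict:
    """Report where the cached file diverges from the hand-maintained one for `realm`."""
    etc_kdcs = kdc_hosts(parse_krb5_conf(etc_text), realm)
    cached = parse_krb5_conf(cached_text)
    cached_kdcs = kdc_hosts(cached, realm)
    return {
        "etc_kdcs": etc_kdcs,
        "cached_kdcs": cached_kdcs,
        "missing_from_cache": [h for h in etc_kdcs if h not in cached_kdcs],
        "extra_in_cache": [h for h in cached_kdcs if h not in etc_kdcs],
        "duplicates_in_cache": sorted({h for h in cached_kdcs if cached_kdcs.count(h) > 1}),
        "hostname_kdcs_in_cache": [h for h in cached_kdcs if not is_ip_literal(h)],
        "dns_lookup_kdc_in_cache": dns_lookup_setting(cached, "dns_lookup_kdc"),
        "dns_lookup_realm_in_cache": dns_lookup_setting(cached, "dns_lookup_realm"),
    }


if __name__ == "__main__":
    for name, value in compare_kdc_config(ETC_KRB5_CONF, SAMBA_CACHED_CONF, "EXAMPLE.DOM").items():
        print(f"{name:28s} {value}")
```

To use it on a live host, replace the two embedded strings with the contents of /etc/krb5.conf and of the krb5.conf.NETBIOSDOMAINNAME file under /var/cache/samba/smb_krb5/ (the cache path given in the reply quoted above) and compare the output after each smb.conf change; the repeated 10.0.0.1 entry in the sample is the duplication observed in this thread, and a None for the dns_lookup_* keys shows the cached file simply does not carry those settings.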