[Samba] krb5.conf & kdc=, explicit vs automatic

Michael Tokarev mjt at tls.msk.ru
Wed Feb 14 07:22:27 UTC 2024


04.12.2023 14:21, Michael Tokarev via samba:
> While playing with a large number of DCs in a domain, which does not fit
> in a UDP DNS packet, I found another interesting issue.
> 
> winbindd generates a temporary krb5.conf for each realm it uses, and
> stores it in /run/samba/smb_krb5/krb5.conf.$REALM.  Here's a typical
> such config in fully-automatic mode:
> 
> [libdefaults]
>      default_realm = FOO.BAR
>      default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
>      dns_lookup_realm = false
>      dns_lookup_kdc = true
> 
> [realms]
>      FOO.BAR = {
>          kdc = 10.221.1.98
>          kdc = 10.53.1.100
>          kdc = 10.45.1.100
>          kdc = 10.59.1.100
>      }
> 
> These are addresses of 4 DCs winbindd found in _ldap._tcp.dc._msdcs.FOO.BAR
> SRV records.
> 
> However, if I specify a custom /etc/samba/krb5.conf (why does it not
> use /etc/krb5.conf, btw?), the [realms] section of the still-generated
> temporary krb5.conf will have just *one* kdc entry.  Custom krb5.conf:
> 
> [realms]
>      FOO.BAR = {
>          kdc = dc-0.foo.bar
>          kdc = dc-1.foo.bar
>          kdc = dc-2.foo.bar
>          kdc = dc-3.foo.bar
>      }
> 
> and temporary winbind-generated /run/samba/smb_krb5/krb5.conf.FOO.BAR:
> 
> [realms]
>      FOO.BAR = {
>          kdc = 10.45.1.100
>      }
> 
> There's just one kdc entry now instead of 4 entries specified in custom
> krb5.conf.
> 
> Why?  Isn't it much less reliable to have only one DC?

Okay, without any reply from the Samba community, I fixed this one by
creating a good krb5.conf file and stopping winbind from creating a private
one, by setting `create krb5 conf' to false (this setting wasn't easy to find
for me, I had to look in the sources to find it, despite it being documented).

Thanks,

/mjt
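The reliability question raised above (one kdc entry instead of four) can be checked mechanically. This is an added example, not Samba's or the poster's code: a small parser for the `[realms]` section of a krb5.conf that keeps repeated `kdc =` lines in order and flags realms listing fewer than two KDCs. The two config strings are constructed from the files quoted in the thread; file paths, the `GENERATED`/`CUSTOM` names and the threshold are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the winbind-generated krb5.conf.FOO.BAR.
GENERATED = """\
[realms]
    FOO.BAR = {
        kdc = 10.45.1.100
    }
"""

# Constructed sample, modelled on the custom /etc/samba/krb5.conf.
CUSTOM = """\
[realms]
    FOO.BAR = {
        kdc = dc-0.foo.bar
        kdc = dc-1.foo.bar
        kdc = dc-2.foo.bar
        kdc = dc-3.foo.bar
    }
"""


def parse_realm_kdcs(text: str) -> Dict[str, List[str]]:
    """Return {REALM: [kdc, ...]} from the [realms] section.
    krb5.conf repeats 'kdc =' inside a braced block, which configparser
    would collapse, hence the small hand-written parser."""
    kdcs: Dict[str, List[str]] = {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None
        elif section != "realms":
            continue
        elif m := re.fullmatch(r"([\w.-]+)\s*=\s*\{", line):
            realm = m.group(1)
            kdcs.setdefault(realm, [])
        elif line == "}":
            realm = None
        elif realm and (m := re.fullmatch(r"kdc\s*=\s*(\S+)", line)):
            kdcs[realm].append(m.group(1))
    return kdcs


def realms_without_failover(text: str, minimum: int = 2) -> List[str]:
    """Realms listing fewer than `minimum` KDCs: a single entry means no failover."""
    return [r for r, lst in parse_realm_kdcs(text).items() if len(lst) < minimum]
```

Run it against the generated file in /run/samba/smb_krb5/ after a winbind restart to confirm whether all configured DCs survived into it.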
