[Samba] krb5.conf & kdc=, explicit vs automatic

Kees van Vloten keesvanvloten at gmail.com
Wed Feb 14 09:12:33 UTC 2024


On 14-02-2024 at 08:22, Michael Tokarev via samba wrote:
> 04.12.2023 14:21, Michael Tokarev via samba:
>> While playing with large number of DCs in a domain, which does not fit
>> in UDP DNS packet, I found another interesting issue.
>>
>> winbindd generates a temporary krb5.conf for each realm it uses, and
>> stores it in /run/samba/smb_krb5/krb5.conf.$REALM.  Here's a typical
>> such config in fully-automatic mode:
>>
>> [libdefaults]
>>      default_realm = FOO.BAR
>>      default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
>>      dns_lookup_realm = false
>>      dns_lookup_kdc = true
>>
>> [realms]
>>      FOO.BAR = {
>>          kdc = 10.221.1.98
>>          kdc = 10.53.1.100
>>          kdc = 10.45.1.100
>>          kdc = 10.59.1.100
>>      }
>>
>> These are addresses of 4 DCs winbindd found in _ldap._tcp.dc._msdcs.FOO.BAR
>> SRV records.
>>
>> However, if I specify custom /etc/samba/krb5.conf (why it does not
>> use /etc/krb5.conf, btw?), the [realms] section of still-generated
>> temporary krb5.conf will have just *one* kdc entry.  Custom krb5.conf:
>>
>> [realms]
>>      FOO.BAR = {
>>          kdc = dc-0.foo.bar
>>          kdc = dc-1.foo.bar
>>          kdc = dc-2.foo.bar
>>          kdc = dc-3.foo.bar
>>      }
>>
>> and temporary winbind-generated /run/samba/smb_krb5/krb5.conf.FOO.BAR:
>>
>> [realms]
>>      FOO.BAR = {
>>          kdc = 10.45.1.100
>>      }
>>
>> There's just one kdc entry now instead of 4 entries specified in custom
>> krb5.conf.
>>
>> Why?  Isn't it much less reliable to have only one DC?
>
> Okay, without any reply from the Samba community, I fixed this one by
> creating a good krb5.conf file and stopping winbind from creating a private
> one, by setting `create krb5 conf' to false (this setting wasn't easy to find
> for me, I had to look in the sources to find it, despite it being documented).
>
> Thanks,
>
> /mjt
>
Perhaps you can work around the issue by adding entries to /etc/hosts and
hence override the dns-lookup with the desired values?

If you add _ldap._tcp.dc._msdcs.FOO.BAR to /etc/hosts, you can set the return.

Just an idea, don't know if it does the trick :-)

- Kees.
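A check for the behaviour Michael describes, as an added example that is not code from Samba or from either poster: it parses the [realms] section of a krb5.conf in the format shown above and reports which DCs from the _ldap._tcp.dc._msdcs.REALM SRV records are missing from the kdc lines. The generated config and the SRV answer are constructed samples taken from the values quoted in the thread, not a live lookup.

```python
import re

# Constructed sample: the winbindd-generated file from the thread, which
# ended up listing only one of the four DCs.
GENERATED_CONF = """\
[realms]
    FOO.BAR = {
        kdc = 10.45.1.100
    }
"""

# Constructed sample: the DC targets a resolver would return for
# _ldap._tcp.dc._msdcs.FOO.BAR, with the addresses quoted in the thread.
SRV_DCS = {
    "dc-0.foo.bar": "10.221.1.98",
    "dc-1.foo.bar": "10.53.1.100",
    "dc-2.foo.bar": "10.45.1.100",
    "dc-3.foo.bar": "10.59.1.100",
}


def parse_kdcs(conf_text):
    """Return {REALM: [kdc, ...]} from the [realms] section of krb5.conf text."""
    realms, current, in_realms = {}, None, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):                  # section header
            in_realms = line.lower() == "[realms]"
            continue
        if not in_realms:
            continue
        m = re.match(r"^([^\s=]+)\s*=\s*\{$", line)
        if m:                                     # "REALM = {" opens a realm block
            current = m.group(1)
            realms.setdefault(current, [])
        elif line == "}":
            current = None
        elif current:
            key, _, value = line.partition("=")
            if key.strip() == "kdc":
                realms[current].append(value.strip())
    return realms


def missing_kdcs(conf_text, realm, srv_dcs):
    """DCs known from SRV (by name or address) that the realm's kdc lines omit."""
    present = set(parse_kdcs(conf_text).get(realm, []))
    return sorted(n for n, a in srv_dcs.items() if n not in present and a not in present)
```

Run it against /run/samba/smb_krb5/krb5.conf.REALM with a real SRV answer in place of SRV_DCS; an empty result means every DC is listed, a non-empty one is the single-kdc case from the thread.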
