What was the resolution about why we are talking to DCs when a client authenticates with Kerberos

Richard Sharpe realrichardsharpe at gmail.com
Wed Aug 5 13:56:59 UTC 2015


On Wed, Aug 5, 2015 at 4:30 AM, Simo <simo at samba.org> wrote:
> On Tue, 2015-08-04 at 15:58 -0700, Richard Sharpe wrote:
>> Hi folks,
>>
>> I recall some discussion that we were contacting DCs even when a
>> client authenticates with Kerberos 5.
>>
>> There was a suggestion that we should not be doing that.
>>
>> Was the investigation of why we are doing it completed? What was the
>> resolution?
>
> Define: contacting the DC.
> For what operations ?

During authentication, when the client uses Kerberos auth, Samba
contacts the DCs.

First, it looks up shit-loads of DNS entries, both the IP addresses of
the DCs and SRV records. This was causing me problems, see below.

Secondly, it uses RPCs for some ops and does LDAP requests. I can be
more precise later today when I have access to my captures.

The DNS bit was causing problems because the DNS config (internal to
the company and not at a customer site, but customers might experience
this as well) was not correct. By mistake we were not using the DNS
servers on that subnet and the link between the Colo and the location
of the DNS servers was overloaded. This was causing multiple DNS
lookup timeouts (3-4 by 5 seconds) and adding 20 seconds to
authentication.

Since we do not care one whit about SID to UID/GID translation (we use
acl_xattr and we do not store those worthless POSIX ACLs) and this is
the third gig where we have done that I would much rather that we did
not do SID to UID/GID translation.

Quick question. How many customers care about SID to UID/GID
translation? In my experience, about 1 in a million!

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)
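
The two DNS-side mechanics behind the report above, as an added example that is not part of the original message or of Samba's code: how a client orders the DC SRV answers it gets back, and how the resolver's timeout/attempts settings multiplied by the number of nameservers bound the stall on every lookup that fails. The SRV names in the comments are the standard AD DC-location records; the SRV answer and resolv.conf contents are constructed samples so the script runs offline (the glibc worst-case formula is an approximation, noted in the code).

```shell
#!/bin/sh
# Added example, not Samba code. A Kerberos client / winbind locates DCs
# with SRV queries such as:
#   dig +short SRV _ldap._tcp.dc._msdcs.example.com
#   dig +short SRV _kerberos._tcp.example.com
# (a) order a constructed SRV answer the way a client should try it
#     (lowest priority first, higher weight first within a priority);
# (b) compute the worst-case stall a resolv.conf imposes on one failed
#     lookup: approx. timeout * attempts * nameservers (glibc semantics,
#     defaults 5 s and 2 attempts), which is how a few failed lookups
#     turn into tens of seconds of extra authentication time.

# Constructed sample: output shape of `dig +short SRV ...`,
# i.e. "priority weight port target."
SRV_ANSWER='10 50 389 dc2.example.com.
0 100 389 dc1.example.com.
10 100 389 dc3.example.com.'

# Constructed sample resolv.conf: two nameservers, explicit timeout/attempts.
RESOLV_CONF='nameserver 10.0.0.53
nameserver 10.0.1.53
search example.com
options timeout:5 attempts:2'

# Print SRV targets in the order a client should contact them.
dc_srv_order() {
    printf '%s\n' "$1" | sort -k1,1n -k2,2nr | awk '{ sub(/\.$/, "", $4); print $4 }'
}

# Worst-case seconds before the resolver gives up on a single lookup.
resolver_worst_case() {
    printf '%s\n' "$1" | awk '
        /^nameserver/ { ns++ }
        /^options/ {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^timeout:/)  { split($i, a, ":"); t = a[2] }
                if ($i ~ /^attempts:/) { split($i, a, ":"); n = a[2] }
            }
        }
        END { if (t == "") t = 5; if (n == "") n = 2; print t * n * ns }'
}

dc_srv_order "$SRV_ANSWER"
resolver_worst_case "$RESOLV_CONF"
```

Run against a real domain by replacing the constructed answer with the actual `dig` output; if the printed worst case is in the tens of seconds, lower `timeout:`/`attempts:` or fix the nameserver list before blaming Kerberos.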