[PATCH] Save some DNS and NBT name queries while joining a domain

Andrew Bartlett abartlet at samba.org
Wed Jul 8 07:56:56 UTC 2015


On Wed, 2015-07-08 at 09:15 +0200, Andreas Schneider wrote:
> On Tuesday 07 July 2015 13:50:54 Volker Lendecke wrote:
> > On Sun, Jul 05, 2015 at 12:24:14PM +0300, Uri Simchoni wrote:
> > > Hi,
> > > The attached patch set removes some name resolving queries while
> > > running "net ads join". Those queries may lead to prolonged execution
> > > of "net ads join" beyond what's necessary, or even to failure to join
> > > in some cases.
> > > 
> > > [1/2] is a re-submission of something I sent about a week ago -
> > > letting dsgetdcname() know whether the given domain name is the FQDN
> > > or the flat name. This saves rather pointless queries (use NBT to
> > > lookup FQDN, use DNS to look for flat names), and also fixes one case
> > > in which the on-site DC is an RODC and netbios is disabled.
> > 
> > This looks good to me.
> > 
> > One question: Why do you only apply it for an explicitly
> > given domain name? Doesn't the same also apply to the
> > default value of "domain", which is lp_realm()?
> > 
> > > [2/2] adds "dns_lookup_realm=false" to samba-generated krb5.conf. This
> > > saves on some TXT queries that are done by kerberos libs while
> > > verifying the join. An alternative to this would be to let
> > > cli_full_connection() know the FQDN of the domain, not just the server
> > > it's connecting to.
> > 
> > Here others with more Kerberos config knowledge must reply,
> > sorry.
> 
> Günther, this is your playground :) It looks fine to me ...

Adding dns_lookup_realm=false to a generated config is fine.  The
required TXT record isn't present in AD domains (I think I put it in
Samba4 at one point, but I'm not sure it is still there). 

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
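
The realm-lookup TXT queries that `dns_lookup_realm` controls, sketched as an added example (not part of the original message and not Samba's code). The sample configs, the function names and the label-by-label walk up the DNS tree are assumptions made for illustration; `_kerberos.<domain>` is the TXT record name Kerberos libraries use for realm discovery.

```python
import re

# Constructed sample configs (not Samba's actual generated krb5.conf).
WITH_LOOKUP = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = true
"""
WITHOUT_LOOKUP = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_realm = false
"""

TRUE_VALUES = ("y", "yes", "t", "true", "on", "1")


def libdefaults(text):
    """Return the key/value pairs of the [libdefaults] section."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # skip blanks and comments
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values[key] = value
    return values


def realm_txt_queries(conf_text, hostname, default=False):
    """List the _kerberos TXT names a library could query for hostname.

    Assumptions: an absent key falls back to `default` (the real default
    depends on the Kerberos library), and the lookup walks up the DNS tree
    one label at a time, stopping before the top-level domain.
    """
    setting = libdefaults(conf_text).get("dns_lookup_realm")
    enabled = default if setting is None else setting.lower() in TRUE_VALUES
    if not enabled:
        return []
    labels = hostname.rstrip(".").split(".")
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels) - 1)]
```
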



