[PATCH] Save some DNS and NBT name queries while joining a domain

Stefan (metze) Metzmacher metze at samba.org
Wed Jul 8 08:02:49 UTC 2015


On 08.07.2015 at 09:56, Andrew Bartlett wrote:
> On Wed, 2015-07-08 at 09:15 +0200, Andreas Schneider wrote:
>> On Tuesday 07 July 2015 13:50:54 Volker Lendecke wrote:
>>> On Sun, Jul 05, 2015 at 12:24:14PM +0300, Uri Simchoni wrote:
>>>> Hi,
>>>> The attached patch set removes some name resolving queries while
>>>> running "net ads join". Those queries may lead to prolonged execution
>>>> of "net ads join" beyond what's necessary, or even to failure to join
>>>> in some cases.
>>>>
>>>> [1/2] is a re-submission of something I sent about a week ago -
>>>> letting dsgetdcname() know whether the given domain name is the FQDN
>>>> or the flat name. This saves rather pointless queries (use NBT to
>>>> lookup FQDN, use DNS to look for flat names), and also fixes one case
>>>> in which the on-site DC is an RODC and netbios is disabled.
>>>
>>> This looks good to me.
>>>
>>> One question: Why do you only apply it for an explicitly
>>> given domain name? Doesn't the same also apply to the
>>> default value of "domain", which is lp_realm()?
>>>
>>>> [2/2] adds "dns_lookup_realm=false" to samba-generated krb5.conf. This
>>>> saves on some TXT queries that are done by kerberos libs while
>>>> verifying the join. An alternative to this would be to let
>>>> cli_full_connection() know the FQDN of the domain, not just the server
>>>> it's connecting to.
>>>
>>> Here others with more Kerberos config knowledge must reply,
>>> sorry.
>>
>> Günther, this is your playground :) It looks fine to me ...
> 
> Adding dns_lookup_realm=false to a generated config is fine.  The
> required TXT record isn't present in AD domains (I think I put it in
> Samba4 at one point, but I'm not sure it is still there). 

Now that we have support for domain trusts in our KDC,
clients should be routed to the correct realm based on a hostname.
Clients should always ask the KDC belonging to the user's realm.

metze
