[PATCH] Save some DNS and NBT name queries while joining a domain

Uri Simchoni urisimchoni at gmail.com
Wed Jul 8 19:25:58 UTC 2015


On Wed, Jul 8, 2015 at 11:02 AM, Stefan (metze) Metzmacher
<metze at samba.org> wrote:
> Am 08.07.2015 um 09:56 schrieb Andrew Bartlett:
<snip>
>> Adding dns_lookup_realm=false to a generated config is fine.  The
>> required TXT record isn't present in AD domains (I think I put it in
>> Samba4 at one point, but I'm not sure it is still there).
>
> Now, that we have support for domain trusts in our KDC,
> clients should be routed to the correct realm based on a hostname.
> Clients should always ask the KDC belonging to the user's realm.
>
> metze
>
This patch [2/2] is indeed about canceling the TXT DNS lookup. I
believe what you are trying to say is that a client that behaves
correctly should not be asking about the realm of a server it is
trying to contact, so a client that behaves correctly does not care
about dns_lookup_realm.

AFAICT, the correct client behavior in an AD environment, when looking
for a service ticket for a host, and knowing just the DNS name of the
host, is not to guess the realm, but instead to start with the known
realm of the user asking for the ticket, raise the "canonicalize"
flag, and get referred (via a returning TGT instead of the ticket
we've asked for) to the "next" KDC, until some KDC gives us the ticket
we've requested.

Continuing this line of thought - it means that
kerberos_get_principal_from_service_hostname() (which is the function
that causes the TXT queries to be generated) should not exist at all -
either you know the realm (winbindd is an example - it got it from the
trust enumeration process), or you should have AD find it for you
(based on the TGT you have which encapsulates the user's realm). All I
can say is that the patch to get rid of the TXT queries is small and
simple and it does have value until client behavior is changed into
the correct behavior.

The TXT queries can be a pain because:
- Nobody talks of them, so if one sees them in a packet capture it may
send him barking up the wrong tree
- In misconfigured DNS, instead of quickly returning a negative answer
the request may time out, causing the join process to take a
considerable amount of time.

Thanks,
Uri
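As an added illustration of the referral-following behaviour the mail describes (this is not code from the patch or from Samba), a constructed Python model in which the client starts at its own realm's KDC with the "canonicalize" flag set and follows cross-realm TGT referrals until a KDC issues the service ticket; the realm names, hosts and trust relationships are sample data.

```python
# Constructed model of AD-style Kerberos referral chasing. Not Samba code:
# realms, hosts and trusts below are sample data, and each "KDC" is a toy
# function that either issues a service ticket or refers the client onward.

# Which realm each host belongs to (constructed directory data).
HOSTS = {"fs1.corp.example.com": "CORP.EXAMPLE.COM",
         "db1.lab.example.com": "LAB.EXAMPLE.COM"}
# Realms that share a trust with the key realm (constructed, symmetric).
TRUSTS = {"USERS.EXAMPLE.COM": ["CORP.EXAMPLE.COM"],
          "CORP.EXAMPLE.COM": ["LAB.EXAMPLE.COM", "USERS.EXAMPLE.COM"],
          "LAB.EXAMPLE.COM": ["CORP.EXAMPLE.COM"]}

def kdc(realm, tgt_realm, host, canonicalize):
    """Toy KDC for `realm`: answer a TGS-REQ for host/<host> presented with a
    TGT issued by `tgt_realm`. Returns (kind, realm) where kind is
    "ticket" (service ticket from `realm`), "referral" (cross-realm TGT
    for the returned realm) or "error"."""
    peers = TRUSTS.get(realm, [])
    if tgt_realm != realm and tgt_realm not in peers:
        return ("error", realm)          # no trust path for that TGT
    owner = HOSTS.get(host)
    if owner == realm:
        return ("ticket", realm)         # host is ours: issue the ticket
    if canonicalize and owner is not None:
        # Refer toward the host's realm: directly if trusted, else via a
        # peer that trusts it (one level of transitive trust in this model).
        if owner in peers:
            return ("referral", owner)
        for peer in peers:
            if owner in TRUSTS.get(peer, []):
                return ("referral", peer)
    return ("error", realm)              # no canonicalize, or unknown host

def get_service_ticket(user_realm, host, max_hops=8):
    """Client side: start at the user's realm, follow referrals.
    Returns (issuing_realm, hops) or (None, hops) on failure."""
    tgt_realm, current = user_realm, user_realm
    visited = [current]
    for hops in range(max_hops):
        kind, realm = kdc(current, tgt_realm, host, canonicalize=True)
        if kind == "ticket":
            return (realm, hops)
        if kind != "referral" or realm in visited:
            return (None, hops)          # dead end or referral loop
        visited.append(realm)
        # The cross-realm TGT we now hold was issued by `current`.
        tgt_realm, current = current, realm
    return (None, max_hops)
```

Note that the client never looks up the host's realm itself (no TXT query); the user's own realm is the only starting point, and an unknown host simply fails at the first KDC.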


