[PATCH] Save some DNS and NBT name queries while joining a domain

Stefan (metze) Metzmacher metze at samba.org
Wed Jul 8 22:11:23 UTC 2015


On 08.07.2015 at 21:25, Uri Simchoni wrote:
> On Wed, Jul 8, 2015 at 11:02 AM, Stefan (metze) Metzmacher
> <metze at samba.org> wrote:
>> On 08.07.2015 at 09:56, Andrew Bartlett wrote:
> <snip>
>>> Adding dns_lookup_realm=false to a generated config is fine.  The
>>> required TXT record isn't present in AD domains (I think I put it in
>>> Samba4 at one point, but I'm not sure it is still there).
>>
>> Now that we have support for domain trusts in our KDC,
>> clients should be routed to the correct realm based on a hostname.
>> Clients should always ask the KDC belonging to the user's realm.
>>
>> metze
>>
> This patch [2/2] is indeed about canceling the TXT DNS lookup. I
> believe what you are trying to say is that a client that behaves
> correctly should not be asking about the realm of a server it is
> trying to contact, so a client that behaves correctly does not care
> about dns_lookup_realm.

Yes, and adding an explicit dns_lookup_realm=false is the correct thing
to do.

> AFAICT, the correct client behavior in AD environment, when looking
> for a service ticket for a host, and knowing just the DNS name of the
> host, is not to guess the realm, but instead to start with the known
> realm of the user asking for the ticket, raise the "canonicalize"
> flag, and get referred (via a returning TGT instead of the ticket
> we've asked for) to the "next" KDC, until some KDC gives us the ticket
> we've requested.

Yes.

> Continuing this line of thought - it means that
> kerberos_get_principal_from_service_hostname() (which is the function
> that causes the TXT queries to be generated) should not exist at all -
> either you know the realm (winbindd is an example - it got it from the
> trust enumeration process), or you should have AD find it for you
> (based on the TGT you have which encapsulates the user's realm). All I
> can say is that the patch to get rid of the TXT queries is small and
> simple and it does have value until client behavior is changed into
> the correct behavior.
> 
> The TXT queries can be a pain because:
> - Nobody talks of them, so if one sees them in a packet capture it may
> send him barking at the wrong tree
> - In misconfigured DNS, instead of quickly returning a negative answer
> the request may time out, causing the join process to take a
> considerable amount of time.

I just agree with you that avoiding the TXT queries is the correct thing
to do for samba in all cases.

metze
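The referral walk Uri describes above (start at the user's realm, set the canonicalize flag, follow referral TGTs until some KDC issues the ticket, never guess the realm from DNS), modelled as an added example that is not part of the thread or of Samba's code. Realm names, hostnames, the suffix-routing rule and the hop cap are all constructed assumptions.

```python
"""Model of the AD-style referral walk: the client knows only the user's
realm and the service hostname and never does a realm-guessing DNS lookup."""

MAX_HOPS = 8  # assumption: cap on referral depth so a bad trust setup cannot loop


class Kdc:
    """Minimal KDC: issues tickets for SPNs registered in its realm and
    refers everything else along a DNS-suffix -> trusted-realm table."""

    def __init__(self, realm, hosts, trusts):
        self.realm = realm
        self.hosts = {h.lower() for h in hosts}  # service hosts with SPNs here
        self.trusts = trusts  # DNS suffix -> realm to refer to ("" = parent/catch-all)

    def tgs_req(self, service_host, canonicalize):
        host = service_host.lower()
        if host in self.hosts:
            return ("ticket", self.realm)
        if canonicalize:
            # longest matching suffix wins, mimicking name-suffix routing
            for suffix in sorted(self.trusts, key=len, reverse=True):
                if host.endswith(suffix):
                    return ("referral", self.trusts[suffix])
        return ("error", None)


def get_service_ticket(kdcs, user_realm, service_host):
    """Return (issuing realm, realms asked in order). Raises LookupError
    when no KDC on the referral path can issue the ticket."""
    realm, asked = user_realm, []
    while len(asked) < MAX_HOPS:
        asked.append(realm)
        kind, target = kdcs[realm].tgs_req(service_host, canonicalize=True)
        if kind == "ticket":
            return target, asked
        if kind == "error" or target in asked:  # dead end or referral loop
            raise LookupError(f"no KDC can issue a ticket for {service_host}")
        realm = target  # the referral TGT points us at the next realm


# Constructed forest: parent realm, child domain, and one external trust.
KDCS = {
    "EXAMPLE.COM": Kdc("EXAMPLE.COM", ["dc1.example.com"],
                       {".corp.example.com": "CORP.EXAMPLE.COM",
                        ".partner.net": "PARTNER.NET"}),
    "CORP.EXAMPLE.COM": Kdc("CORP.EXAMPLE.COM", ["fs1.corp.example.com"],
                            {"": "EXAMPLE.COM"}),  # refer unknowns to parent
    "PARTNER.NET": Kdc("PARTNER.NET", ["db.partner.net"], {}),
}
```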
