[PATCH] Save some DNS and NBT name queries while joining a domain

Uri Simchoni urisimchoni at gmail.com
Wed Jul 15 17:20:58 UTC 2015


Ping...
Of the two patches in the original patch set, the first got pushed and
the second - with dns_lookup_realm=false - didn't. In this thread
there seems to be a general consent that it's good.

Resubmitting just the dns_lookup_realm=false patch.
Thanks!
Uri


On Thu, Jul 9, 2015 at 1:11 AM, Stefan (metze) Metzmacher
<metze at samba.org> wrote:
> Am 08.07.2015 um 21:25 schrieb Uri Simchoni:
>> On Wed, Jul 8, 2015 at 11:02 AM, Stefan (metze) Metzmacher
>> <metze at samba.org> wrote:
>>> Am 08.07.2015 um 09:56 schrieb Andrew Bartlett:
>> <snip>
>>>> Adding dns_lookup_realm=false to a generated config is fine.  The
>>>> required TXT record isn't present in AD domains (I think I put it in
>>>> Samba4 at one point, but I'm not sure it is still there).
>>>
>>> Now, that we have support for domain trusts in our KDC,
>>> clients should be routed to the correct realm based on a hostname.
>>> Clients should always ask the KDC belonging to the user's realm.
>>>
>>> metze
>>>
>> This patch [2/2] is indeed about canceling the TXT DNS lookup. I
>> believe what you are trying to say is that a client that behaves
>> correctly should not be asking about the realm of a server it is
>> trying to contact, so a client that behaves correctly does not care
>> about dns_lookup_realm.
>
> Yes, and adding an explicit dns_lookup_realm=false, is the correct thing
> to do.
>
>> AFAICT, the correct client behavior in AD environment, when looking
>> for a service ticket for a host, and knowing just the DNS name of the
>> host, is not to guess the realm, but instead to start with the known
>> realm of the user asking for the ticket, raise the "canonicalize"
>> flag, and get referred (via a returning TGT instead of the ticket
>> we've asked for) to the "next" KDC, until some KDC gives us the ticket
>> we've requested.
>
> Yes.
>
>> Continuing this line of thought - it means that
>> kerberos_get_principal_from_service_hostname() (which is the function
>> that causes the TXT queries to be generated) should not exist at all -
>> either you know the realm (winbindd is an example - it got it from the
>> trust enumeration process), or you should have AD find it for you
>> (based on the TGT you have which encapsulates the user's realm). All I
>> can say is that the patch to get rid of the TXT queries is small and
>> simple and it does have value until client behavior is changed into
>> the correct behavior.
>>
>> The TXT queries can be a pain because:
>> - Nobody talks of them, so if one sees them in a packet capture it may
>> send him barking at the wrong tree
>> - In misconfigured DNS, instead of quickly returning a negative answer
>> the request may time out, causing the join process to take a
>> considerable amount of time.
>
> I just agree with you that avoiding the TXT queries is the correct thing
> to do
> for samba in all cases.
>
> metze
>
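As an added illustration of the packet-capture point made above (this is not code from the thread or from Samba): a small Python script that pairs DNS queries with their replies in a constructed, tcpdump-style capture summary and pulls out the `_kerberos.<name>` TXT lookups that `dns_lookup_realm` triggers, flagging the ones that were never answered. The line format is a simplified assumption; adapt the regexes to real tcpdump or tshark output.

```python
import re

# Constructed sample in a simplified tcpdump-style "port 53" summary (not a
# real capture): the first _kerberos TXT query never gets a reply, the second
# is answered NXDomain, and the SRV lookup for the DC is answered normally.
SAMPLE_CAPTURE = """\
10:00:00.000 IP 10.1.1.5.40001 > 10.1.1.1.53: 10001+ TXT? _kerberos.fs1.corp.example.com. (46)
10:00:00.001 IP 10.1.1.5.40002 > 10.1.1.1.53: 10002+ SRV? _ldap._tcp.corp.example.com. (45)
10:00:00.002 IP 10.1.1.1.53 > 10.1.1.5.40002: 10002 1/0/0 SRV dc1.corp.example.com.:389 0 100 (95)
10:00:05.003 IP 10.1.1.5.40003 > 10.1.1.1.53: 10003+ TXT? _kerberos.corp.example.com. (42)
10:00:05.004 IP 10.1.1.1.53 > 10.1.1.5.40003: 10003 NXDomain 0/1/0 (110)
"""

# Query line: "<ts> IP <src> > <dst>: <txid>+ <TYPE>? <name>. (<len>)"
QUERY_RE = re.compile(r"^\S+ IP \S+ > \S+: (\d+)\+? (\w+)\? (\S+) \(\d+\)$")
# Reply line: "<ts> IP <src> > <dst>: <txid>[flags] <answer summary>"
REPLY_RE = re.compile(r"^\S+ IP \S+ > \S+: (\d+)\S* (.+)$")


def parse_dns_capture(text):
    """Pair each query with its reply by transaction id. A query that never
    gets a reply keeps status 'unanswered': the slow-timeout case from the thread."""
    queries = {}
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            txid, qtype, name = m.groups()
            queries[txid] = {"type": qtype, "name": name.rstrip("."), "status": "unanswered"}
            continue
        m = REPLY_RE.match(line)
        if m and m.group(1) in queries:
            answer = m.group(2)
            queries[m.group(1)]["status"] = "nxdomain" if "NXDomain" in answer else "answered"
    return list(queries.values())


def realm_discovery_queries(text):
    """Return only the TXT lookups under _kerberos.<...>, i.e. the realm
    discovery traffic that dns_lookup_realm = false suppresses."""
    return [q for q in parse_dns_capture(text)
            if q["type"] == "TXT" and q["name"].startswith("_kerberos.")]


if __name__ == "__main__":
    for q in realm_discovery_queries(SAMPLE_CAPTURE):
        print(f"{q['status']:<10} TXT {q['name']}")
```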