[PATCH] Save some DNS and NBT name queries while joining a domain

Uri Simchoni urisimchoni at gmail.com
Wed Jul 15 17:23:37 UTC 2015


Oops...
Now with the patch.


On Wed, Jul 15, 2015 at 8:20 PM, Uri Simchoni <urisimchoni at gmail.com> wrote:
> Ping...
> Of the two patches in the original patch set, the first got pushed and
> the second - with dns_lookup_realm=false - didn't. In this thread
> there seems to be a general consent that it's good.
>
> Resubmitting just the dns_lookup_realm=false patch.
> Thanks!
> Uri
>
>
> On Thu, Jul 9, 2015 at 1:11 AM, Stefan (metze) Metzmacher
> <metze at samba.org> wrote:
>> On 08.07.2015 at 21:25, Uri Simchoni wrote:
>>> On Wed, Jul 8, 2015 at 11:02 AM, Stefan (metze) Metzmacher
>>> <metze at samba.org> wrote:
>>>> On 08.07.2015 at 09:56, Andrew Bartlett wrote:
>>> <snip>
>>>>> Adding dns_lookup_realm=false to a generated config is fine.  The
>>>>> required TXT record isn't present in AD domains (I think I put it in
>>>>> Samba4 at one point, but I'm not sure it is still there).
>>>>
>>>> Now, that we have support for domain trusts in our KDC,
>>>> clients should be routed to the correct realm based on a hostname.
>>>> Clients should always ask the KDC belonging to the users realm.
>>>>
>>>> metze
>>>>
>>> This patch [2/2] is indeed about canceling the TXT DNS lookup. I
>>> believe what you are trying to say is that a client that behaves
>>> correctly should not be asking about the realm of a server it is
>>> trying to contact, so a client that behaves correctly does not care
>>> about dns_lookup_realm.
>>
>> Yes, and adding an explicit dns_lookup_realm=false, is the correct thing
>> to do.
>>
>>> AFAICT, the correct client behavior in AD environment, when looking
>>> for a service ticket for a host, and knowing just the DNS name of the
>>> host, is not to guess the realm, but instead to start with the known
>>> realm of the user asking for the ticket, raise the "canonicalize"
>>> flag, and get referred (via a returning TGT instead of the ticket
>>> we've asked for) to the "next" KDC, until some KDC gives us the ticket
>>> we've requested.
>>
>> Yes.
>>
>>> Continuing this line of thought - it means that
>>> kerberos_get_principal_from_service_hostname() (which is the function
>>> that causes the TXT queries to be generated) should not exist at all -
>>> either you know the realm (winbindd is an example - it got it from the
>>> trust enumeration process), or you should have AD find it for you
>>> (based on the TGT you have which encapsulates the user's realm). All I
>>> can say is that the patch to get rid of the TXT queries is small and
>>> simple and it does have value until client behavior is changed into
>>> the correct behavior.
>>>
>>> The TXT queries can be a pain because:
>>> - Nobody talks of them, so if one sees them in a packet capture it may
>>> send him barking at the wrong tree
>>> - In misconfigured DNS, instead of quickly returning a negative answer
>>> the request may time out, causing the join process to take a
>>> considerable amount of time.
>>
>> I just agree with you that avoiding the TXT queries is the correct thing
>> to do for samba in all cases.
>>
>> metze
>>
-------------- next part --------------
From 7ea0683be472b0dc115ac03ec7600f0116e9ec99 Mon Sep 17 00:00:00 2001
From: Uri Simchoni <urisimchoni at gmail.com>
Date: Thu, 2 Jul 2015 20:15:43 +0300
Subject: [PATCH v2] libads: disable dns_lookup_realm in auto-generated
 krb5.conf files

This patch sets dns_lookup_realm=false in samba-generated krb5.conf.

Disabling dns_lookup_realm in krb5.conf is the recommended practice for
Kerberos usage in Active Directory environment. dns_lookup_realm is enabled
by default, at least in Heimdal.

When used by samba, Kerberos libraries operate based on either the system
krb5.conf, or a private krb5.conf generated specifically for the domain by
samba code. In the former case, it's the responsibility of the administrator
to set dns_lookup_realm=false. In the latter case, it's the responsibility
of samba - which is what this patch does.

In many usage scenarios the value of this variable is of no consequence
since samba knows the realm in which it is operating, and knows how to
generate service principal names. However, there are some scenarios
in which samba calls kerberos_get_principal_from_service_hostname(),
and here samba consults the Kerberos libraries and this parameter comes
into play. One primary example is cli_full_connection() function.

Not setting dns_lookup_realm leads to a series of DNS TXT record lookups.
This can be observed by running "net ads join -k -U <user>".

In AD environments, the TXT queries typically fail quickly, but test setups
or misconfigured DNS may lead to large timeouts (for example, if the domain
is dept.example.com but there's no parent example.com domain and no DNS
zones for example.com). At the very least we want to avoid those lookups
because they are hardly documented and lead to confusion.

Signed-off-by: Uri Simchoni <urisimchoni at gmail.com>
---
 source3/libads/kerberos.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 1c2d8a2..e4bad74 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -879,7 +879,8 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
 					"[libdefaults]\n\tdefault_realm = %s\n"
 					"\tdefault_tgs_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
 					"\tdefault_tkt_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
-					"\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
+					"\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
+					"\tdns_lookup_realm = false\n\n"
 					"[realms]\n\t%s = {\n"
 					"%s\t}\n",
 					realm_upper, aes_enctypes, aes_enctypes, aes_enctypes,
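Review bot: The added `"\tdns_lookup_realm = false\n\n"` line contains no format specifier, so the argument list `realm_upper, aes_enctypes, aes_enctypes, aes_enctypes,` below the format string remains correct; a one-line comment above the string stating that the setting is forced off to avoid the DNS TXT realm lookups described in the commit message would help, since the reason is otherwise invisible to the next reader of create_local_private_krb5_conf_for_domain(). Separately, and outside this change's scope, the generated default_tgs_enctypes, default_tkt_enctypes and preferred_enctypes lists still advertise DES-CBC-CRC and DES-CBC-MD5; single-DES is deprecated for Kerberos and is worth a follow-up patch.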
-- 
1.9.1
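As an added check, not code from the patch or from Samba: the commit message says the setting defaults to enabled when absent (at least in Heimdal), so this small parser reports the effective dns_lookup_realm value of a krb5.conf, whether it is a samba-generated private file or a system one the administrator must fix by hand. The sample configs, realm and KDC names are constructed placeholders, and the set of accepted "true" spellings is an assumption.

```python
import re

# Constructed sample shaped like the krb5.conf Samba writes after this patch
# (realm and KDC names are placeholders, not values from the thread).
SAMBA_GENERATED = """[libdefaults]
\tdefault_realm = DEPT.EXAMPLE.COM
\tdefault_tgs_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
\tdns_lookup_realm = false

[realms]
\tDEPT.EXAMPLE.COM = {
\t\tkdc = dc1.dept.example.com
\t}
"""

# Constructed sample of a system krb5.conf that never mentions the setting.
SYSTEM_UNSET = """[libdefaults]
\tdefault_realm = DEPT.EXAMPLE.COM
[domain_realm]
\t.dept.example.com = DEPT.EXAMPLE.COM
"""


def libdefaults(text):
    """Collect key = value pairs from the [libdefaults] section only."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip().lower()] = value.strip()
    return values


def dns_lookup_realm_enabled(text):
    """True when the config would still allow DNS TXT realm lookups.
    An absent key counts as enabled, the default the commit message
    attributes to Heimdal; the accepted true spellings are an assumption."""
    value = libdefaults(text).get("dns_lookup_realm", "true")
    return value.lower() in ("true", "yes", "1", "on")


if __name__ == "__main__":
    for name, conf in (("samba-generated", SAMBA_GENERATED), ("system", SYSTEM_UNSET)):
        state = "enabled" if dns_lookup_realm_enabled(conf) else "disabled"
        print(f"{name}: dns_lookup_realm {state}")
```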



More information about the samba-technical mailing list