[PATCH] Save some DNS and NBT name queries while joining a domain

Jeremy Allison jra at samba.org
Thu Jul 16 20:48:09 UTC 2015


On Wed, Jul 15, 2015 at 08:23:37PM +0300, Uri Simchoni wrote:
> Oops...
> Now with the patch.

Reviewed-by: Jeremy Allison <jra at samba.org>

After doing some research this seems like the right
thing to do.

Can I get a second Team reviewer?


> On Wed, Jul 15, 2015 at 8:20 PM, Uri Simchoni <urisimchoni at gmail.com> wrote:
> > Ping...
> > Of the two patches in the original patch set, the first got pushed and
> > the second - with dns_lookup_realm=false - didn't. In this thread
> > there seems to be a general consent that it's good.
> >
> > Resubmitting just the dns_lookup_realm=false patch.
> > Thanks!
> > Uri
> >
> >
> > On Thu, Jul 9, 2015 at 1:11 AM, Stefan (metze) Metzmacher
> > <metze at samba.org> wrote:
> >> On 08.07.2015 at 21:25, Uri Simchoni wrote:
> >>> On Wed, Jul 8, 2015 at 11:02 AM, Stefan (metze) Metzmacher
> >>> <metze at samba.org> wrote:
> >>>> On 08.07.2015 at 09:56, Andrew Bartlett wrote:
> >>> <snip>
> >>>>> Adding dns_lookup_realm=false to a generated config is fine.  The
> >>>>> required TXT record isn't present in AD domains (I think I put it in
> >>>>> Samba4 at one point, but I'm not sure it is still there).
> >>>>
> >>>> Now, that we have support for domain trusts in our KDC,
> >>>> clients should be routed to the correct realm based on a hostname.
> >>>> Clients should always ask the KDC belonging to the users realm.
> >>>>
> >>>> metze
> >>>>
> >>> This patch [2/2] is indeed about canceling the TXT DNS lookup. I
> >>> believe what you are trying to say is that a client that behaves
> >>> correctly should not be asking about the realm of a server it is
> >>> trying to contact, so a client that behaves correctly does not care
> >>> about dns_lookup_realm.
> >>
> >> Yes, and adding an explicit dns_lookup_realm=false, is the correct thing
> >> to do.
> >>
> >>> AFAICT, the correct client behavior in AD environment, when looking
> >>> for a service ticket for a host, and knowing just the DNS name of the
> >>> host, is not to guess the realm, but instead to start with the known
> >>> realm of the user asking for the ticket, raise the "canonicalize"
> >>> flag, and get referred (via a returning TGT instead of the ticket
> >>> we've asked for) to the "next" KDC, until some KDC gives us the ticket
> >>> we've requested.
> >>
> >> Yes.
> >>
> >>> Continuing this line of thought - it means that
> >>> kerberos_get_principal_from_service_hostname() (which is the function
> >>> that causes the TXT queries to be generated) should not exist at all -
> >>> either you know the realm (winbindd is an example - it got it from the
> >>> trust enumeration process), or you should have AD find it for you
> >>> (based on the TGT you have which encapsulates the user's realm). All I
> >>> can say is that the patch to get rid of the TXT queries is small and
> >>> simple and it does have value until client behavior is changed into
> >>> the correct behavior.
> >>>
> >>> The TXT queries can be a pain because:
> >>> - Nobody talks of them, so if one sees them in a packet capture it may
> >>> send him barking at the wrong tree
> >>> - In misconfigured DNS, instead of quickly returning a negative answer
> >>> the request may time out, causing the join process to take a
> >>> considerable amount of time.
> >>
> >> I just agree with you that avoiding the TXT queries is the correct thing
> >> to do
> >> for samba in all cases.
> >>
> >> metze
> >>

> From 7ea0683be472b0dc115ac03ec7600f0116e9ec99 Mon Sep 17 00:00:00 2001
> From: Uri Simchoni <urisimchoni at gmail.com>
> Date: Thu, 2 Jul 2015 20:15:43 +0300
> Subject: [PATCH v2] libads: disable dns_lookup_realm in auto-generated
>  krb5.conf files
> 
> This patch sets dns_lookup_realm=false in samba-generated krb5.conf.
> 
> Disabling dns_lookup_realm in krb5.conf is the recommended practice for
> Kerberos usage in Active Directory environment. dns_lookup_realm is enabled
> by default, at least in Heimdal.
> 
> When used by samba, Kerberos libraries operate based on either the system
> krb5.conf, or a private krb5.conf generated specifically for the domain by
> samba code. In the former case, it's the responsibility of the administrator
> to set dns_lookup_realm=false. In the latter case, it's the responsibility
> of samba - which is what this patch does.
> 
> In many usage scenarios the value of this variable is of no consequence
> since samba knows the realm in which it is operating, and knows how to
> generate service principal names. However, there are some scenarios
> in which samba calls kerberos_get_principal_from_service_hostname(),
> and here samba consults the Kerberos libraries and this parameter comes
> into play. One primary example is cli_full_connection() function.
> 
> Not setting dns_lookup_realm leads to a series of DNS TXT record lookups.
> This can be observed by running "net ads join -k -U <user>".
> 
> In AD environments, the TXT queries typically fail quickly, but test setups
> or misconfigured DNS may lead to large timeouts (for example, if the domain
> is dept.example.com but there's no parent example.com domain and no DNS
> zones for example.com). At the very least we want to avoid those lookups
> because they are hardly documented and lead to confusion.
> 
> Signed-off-by: Uri Simchoni <urisimchoni at gmail.com>
> ---
>  source3/libads/kerberos.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
> index 1c2d8a2..e4bad74 100644
> --- a/source3/libads/kerberos.c
> +++ b/source3/libads/kerberos.c
> @@ -879,7 +879,8 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
>  					"[libdefaults]\n\tdefault_realm = %s\n"
>  					"\tdefault_tgs_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
>  					"\tdefault_tkt_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
> -					"\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
> +					"\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
> +					"\tdns_lookup_realm = false\n\n"
>  					"[realms]\n\t%s = {\n"
>  					"%s\t}\n",
>  					realm_upper, aes_enctypes, aes_enctypes, aes_enctypes,
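Review bot: the added `"\tdns_lookup_realm = false\n\n"` line introduces no conversion specifier, so the argument list `realm_upper, aes_enctypes, aes_enctypes, aes_enctypes,` on the trailing context line still matches the format string; since this function assembles the whole krb5.conf from one long format string, it would be worth a one-line comment above it (or a sentence in the commit message) reminding future editors that new options must not add `%s` without a matching argument. The trailing blank line correctly moved from the `preferred_enctypes` line to the new one, so `[libdefaults]` stays separated from `[realms]` exactly as before.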
> -- 
> 1.9.1
> 
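As an added example (not code from the thread or from Samba), here is a small checker that parses a krb5.conf of the shape the patched function writes and reports whether the `[libdefaults]` section explicitly disables `dns_lookup_realm`; the sample file, realm name and KDC host are constructed placeholders.

```python
"""Check a Samba-style generated krb5.conf for dns_lookup_realm = false."""
import re

# Constructed sample: the layout create_local_private_krb5_conf_for_domain()
# writes after the patch. Realm, enctype and KDC values are placeholders.
SAMPLE_KRB5_CONF = """\
[libdefaults]
\tdefault_realm = DEPT.EXAMPLE.COM
\tdefault_tgs_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
\tdefault_tkt_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
\tpreferred_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC DES-CBC-CRC DES-CBC-MD5
\tdns_lookup_realm = false

[realms]
\tDEPT.EXAMPLE.COM = {
\t\tkdc = dc1.dept.example.com
\t}
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}} for top-level keys of each section.
    Nested { ... } blocks (as used under [realms]) are skipped, because only
    the flat [libdefaults] keys matter for this check."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header and depth == 0:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if line.endswith("{"):       # enter a nested block
            depth += 1
            continue
        if line == "}":              # leave a nested block
            depth -= 1
            continue
        if current is None or depth > 0:
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def realm_lookup_status(text):
    """'disabled' only when dns_lookup_realm is explicitly false in
    [libdefaults]; otherwise 'enabled', since the commit message notes the
    library default (at least in Heimdal) enables the TXT lookups."""
    value = parse_krb5_conf(text).get("libdefaults", {}).get("dns_lookup_realm")
    return "disabled" if value is not None and value.lower() == "false" else "enabled"
```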



