[PATCH] Save some DNS and NBT name queries while joining a domain

Jeremy Allison jra at samba.org
Thu Jul 16 21:01:27 UTC 2015


On Thu, Jul 16, 2015 at 01:48:09PM -0700, Jeremy Allison wrote:
> On Wed, Jul 15, 2015 at 08:23:37PM +0300, Uri Simchoni wrote:
> > Oops...
> > Now with the patch.
> 
> Reviewed-by: Jeremy Allison <jra at samba.org>
> 
> After doing some research this seems like the right
> thing to do.
> 
> Can I get a second Team reviewer?

Oh, looks like Metze already did ... Uri, can you confirm?
If so I'll push :-).

> > On Wed, Jul 15, 2015 at 8:20 PM, Uri Simchoni <urisimchoni at gmail.com> wrote:
> > > Ping...
> > > Of the two patches in the original patch set, the first got pushed and
> > > the second - with dns_lookup_realm=false - didn't. In this thread
> > > there seems to be a general consent that it's good.
> > >
> > > Resubmitting just the dns_lookup_realm=false patch.
> > > Thanks!
> > > Uri
> > >
> > >
> > > On Thu, Jul 9, 2015 at 1:11 AM, Stefan (metze) Metzmacher
> > > <metze at samba.org> wrote:
> > >> On 08.07.2015 at 21:25, Uri Simchoni wrote:
> > >>> On Wed, Jul 8, 2015 at 11:02 AM, Stefan (metze) Metzmacher
> > >>> <metze at samba.org> wrote:
> > >>>> On 08.07.2015 at 09:56, Andrew Bartlett wrote:
> > >>> <snip>
> > >>>>> Adding dns_lookup_realm=false to a generated config is fine.  The
> > >>>>> required TXT record isn't present in AD domains (I think I put it in
> > >>>>> Samba4 at one point, but I'm not sure it is still there).
> > >>>>
> > >>>> Now, that we have support for domain trusts in our KDC,
> > >>>> clients should be routed to the correct realm based on a hostname.
> > >>>> Clients should always ask the KDC belonging to the users realm.
> > >>>>
> > >>>> metze
> > >>>>
> > >>> This patch [2/2] is indeed about canceling the TXT DNS lookup. I
> > >>> believe what you are trying to say is that a client that behaves
> > >>> correctly should not be asking about the realm of a server it is
> > >>> trying to contact, so a client that behaves correctly does not care
> > >>> about dns_lookup_realm.
> > >>
> > >> Yes, and adding an explicit dns_lookup_realm=false, is the correct thing
> > >> to do.
> > >>
> > >>> AFAICT, the correct client behavior in AD environment, when looking
> > >>> for a service ticket for a host, and knowing just the DNS name of the
> > >>> host, is not to guess the realm, but instead to start with the known
> > >>> realm of the user asking for the ticket, raise the "canonicalize"
> > >>> flag, and get referred (via a returning TGT instead of the ticket
> > >>> we've asked for) to the "next" KDC, until some KDC gives us the ticket
> > >>> we've requested.
> > >>
> > >> Yes.
> > >>
> > >>> Continuing this line of thought - it means that
> > >>> kerberos_get_principal_from_service_hostname() (which is the function
> > >>> that causes the TXT queries to be generated) should not exist at all -
> > >>> either you know the realm (winbindd is an example - it got it from the
> > >>> trust enumeration process), or you should have AD find it for you
> > >>> (based on the TGT you have which encapsulates the user's realm). All I
> > >>> can say is that the patch to get rid of the TXT queries is small and
> > >>> simple and it does have value until client behavior is changed into
> > >>> the correct behavior.
> > >>>
> > >>> The TXT queries can be a pain because:
> > >>> - Nobody talks of them, so if one sees them in a packet capture it may
> > >>> send him barking up the wrong tree
> > >>> - In misconfigured DNS, instead of quickly returning a negative answer
> > >>> the request may time out, causing the join process to take a
> > >>> considerable amount of time.
> > >>
> > >> I just agree with you that avoiding the TXT queries is the correct thing
> > >> to do
> > >> for samba in all cases.
> > >>
> > >> metze
> > >>
> 
> > From 7ea0683be472b0dc115ac03ec7600f0116e9ec99 Mon Sep 17 00:00:00 2001
> > From: Uri Simchoni <urisimchoni at gmail.com>
> > Date: Thu, 2 Jul 2015 20:15:43 +0300
> > Subject: [PATCH v2] libads: disable dns_lookup_realm in auto-generated
> >  krb5.conf files
> > 
> > This patch sets dns_lookup_realm=false in samba-generated krb5.conf.
> > 
> > Disabling dns_lookup_realm in krb5.conf is the recommended practice for
> > Kerberos usage in Active Directory environment. dns_lookup_realm is enabled
> > by default, at least in Heimdal.
> > 
> > When used by samba, Kerberos libraries operate based on either the system
> > krb5.conf, or a private krb5.conf generated specifically for the domain by
> > samba code. In the former case, it's the responsibility of the administrator
> > to set dns_lookup_realm=false. In the latter case, it's the responsibility
> > of samba - which is what this patch does.
> > 
> > In many usage scenarios the value of this variable is of no consequence
> > since samba knows the realm in which it is operating, and knows how to
> > generate service principal names. However, there are some scenarios
> > in which samba calls kerberos_get_principal_from_service_hostname(),
> > and here samba consults the Kerberos libraries and this parameter comes
> > into play. One primary example is cli_full_connection() function.
> > 
> > Not setting dns_lookup_realm leads to a series of DNS TXT record lookups.
> > This can be observed by running "net ads join -k -U <user>".
> > 
> > In AD environments, the TXT queries typically fail quickly, but test setups
> > or misconfigured DNS may lead to large timeouts (for example, if the domain
> > is dept.example.com but there's no parent example.com domain and no DNS
> > zones for example.com). At the very least we want to avoid those lookups
> > because they are hardly documented and lead to confusion.
> > 
> > Signed-off-by: Uri Simchoni <urisimchoni at gmail.com>
> > ---
> >  source3/libads/kerberos.c | 3 ++-
> >  1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
> > index 1c2d8a2..e4bad74 100644
> > --- a/source3/libads/kerberos.c
> > +++ b/source3/libads/kerberos.c
> > @@ -879,7 +879,8 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
> >  					"[libdefaults]\n\tdefault_realm = %s\n"
> >  					"\tdefault_tgs_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
> >  					"\tdefault_tkt_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
> > -					"\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
> > +					"\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
> > +					"\tdns_lookup_realm = false\n\n"
> >  					"[realms]\n\t%s = {\n"
> >  					"%s\t}\n",
> >  					realm_upper, aes_enctypes, aes_enctypes, aes_enctypes,
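Review bot: the generated file gives an administrator no hint why `dns_lookup_realm = false` is there, and the commit message itself says the TXT lookups are "hardly documented and lead to confusion"; since the line is written into a file that admins will read when debugging, consider emitting a `#` comment line above it (both MIT and Heimdal accept `#` comments in krb5.conf), e.g. `"\t# realm comes from the user's TGT, not from DNS TXT lookups\n"`. The placement is otherwise right: the new line sits under `[libdefaults]` before `"[realms]\n\t%s = {\n"` and adds no `%s`, so the unchanged argument list `realm_upper, aes_enctypes, aes_enctypes, aes_enctypes,` still matches the format string. Out of scope for this patch, but visible in the same hunk: the three enctype lists still advertise DES-CBC-CRC and DES-CBC-MD5, which is worth a separate follow-up.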
> > -- 
> > 1.9.1
> > 
> 
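The commit message above describes a chain of `_kerberos.<name>` TXT queries that hang when a parent zone is delegated but unserved, and the patch's fix of writing `dns_lookup_realm = false` into the generated krb5.conf. The following is an added example, not Samba's code or anything from this thread: it models the label-stripping TXT walk a Kerberos library performs for a hostname against a constructed stub resolver, so the queries and the timeout become visible, and renders a krb5.conf in the layout of Samba's generated private file with and without the new line. The zone data, the 5 s timeout, the name walk (a simplification of what Heimdal and MIT do; `[domain_realm]` mappings are not modelled) and the host/realm names are all assumptions made for the demonstration.

```python
"""Added example, not Samba code: a model of the DNS TXT realm walk that a
Kerberos library performs for a hostname when dns_lookup_realm is on, next
to a krb5.conf rendered in the shape Samba's
create_local_private_krb5_conf_for_domain() writes, before and after the
patch. Zone data, timings and the walk itself are simplifications
constructed for the demonstration."""

from dataclasses import dataclass, field

QUERY_TIMEOUT = 5.0   # assumed: seconds spent on a delegated zone that never answers
FAST_ANSWER = 0.01    # assumed: seconds for an NXDOMAIN from a zone that works


def candidate_txt_names(hostname):
    """TXT owner names a client tries, most specific first: _kerberos.<host>,
    then _kerberos.<each parent domain> down to the TLD. A model of the
    label-stripping walk Heimdal and MIT do, not their code."""
    labels = hostname.rstrip(".").lower().split(".")
    return ["_kerberos." + ".".join(labels[i:]) for i in range(len(labels))]


@dataclass
class StubResolver:
    """Constructed DNS. Zones marked 'ok' answer NXDOMAIN quickly for names
    they do not hold; zones marked 'dead' are delegated but never answer,
    like the missing parent example.com in the patch description."""
    zones: dict
    txt: dict = field(default_factory=dict)
    log: list = field(default_factory=list)
    elapsed: float = 0.0

    def query_txt(self, name):
        name = name.lower()
        # The most specific zone that contains the name owns the answer.
        owner = max((z for z in self.zones if name == z or name.endswith("." + z)),
                    key=len, default=None)
        if owner is None or self.zones[owner] == "dead":
            self.elapsed += QUERY_TIMEOUT
            self.log.append((name, "timeout"))
            return None
        self.elapsed += FAST_ANSWER
        if name in self.txt:
            self.log.append((name, "txt"))
            return self.txt[name]
        self.log.append((name, "nxdomain"))
        return None


def realm_for_host(hostname, default_realm, dns_lookup_realm, resolver):
    """Realm the client would use for hostname. With dns_lookup_realm on,
    every TXT miss (or timeout) falls through to the next parent name; with
    it off no DNS is touched and default_realm, the user's own realm, is
    used, which is what AD's canonicalize/referral flow expects anyway.
    ([domain_realm] config mappings, tried before DNS, are not modelled.)"""
    if dns_lookup_realm:
        for name in candidate_txt_names(hostname):
            answer = resolver.query_txt(name)
            if answer:
                return answer[0]
    return default_realm


def render_krb5_conf(realm, realm_block, dns_lookup_realm=False):
    """krb5.conf text in the layout of Samba's generated private file (the
    enctype lines of the hunk are left out). dns_lookup_realm=None omits the
    setting, i.e. the pre-patch file; False gives the patched file."""
    realm_upper = realm.upper()
    lines = ["[libdefaults]", "\tdefault_realm = " + realm_upper]
    if dns_lookup_realm is not None:
        lines.append("\tdns_lookup_realm = " + ("true" if dns_lookup_realm else "false"))
    lines += ["", "[realms]", "\t" + realm_upper + " = {", realm_block + "\t}", ""]
    return "\n".join(lines)


def demo(hostname="fs1.dept.example.com", realm="DEPT.EXAMPLE.COM"):
    """AD domain dept.example.com whose parent example.com is delegated but
    unserved. Returns, per setting, the realm chosen, the TXT queries sent
    and the simulated seconds spent."""
    zones = {"dept.example.com": "ok", "example.com": "dead", "com": "ok"}
    results = {}
    for flag in (True, False):
        resolver = StubResolver(zones=dict(zones))
        chosen = realm_for_host(hostname, realm, flag, resolver)
        results[flag] = {"realm": chosen, "queries": list(resolver.log),
                         "seconds": round(resolver.elapsed, 2)}
    return results


if __name__ == "__main__":
    for flag, r in demo().items():
        print("dns_lookup_realm = %s: realm %s, %d TXT queries, %.2fs"
              % (str(flag).lower(), r["realm"], len(r["queries"]), r["seconds"]))
        for name, outcome in r["queries"]:
            print("    %-32s %s" % (name, outcome))
    print(render_krb5_conf("dept.example.com", "\t\tkdc = dc1.dept.example.com\n"))
```

Run stand-alone, `demo()` shows that with the setting on, the client sends four TXT queries and spends the whole timeout on `_kerberos.example.com` before ending up with the same default realm it would have used without any DNS traffic; with the setting off there are no queries at all. Note that nothing in the AD join path benefits from a TXT answer: the stub only returns one if you add a record to `txt`, which AD domains do not publish.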



More information about the samba-technical mailing list