[PATCH] Save some DNS and NBT name queries while joining a domain

Uri Simchoni urisimchoni at gmail.com
Thu Jul 16 22:07:22 UTC 2015


Well he said it's the correct thing to do (and so did Andrew Bartlett
and Andreas Schneider), but none of them used "RB" explicitly... :)

On Fri, Jul 17, 2015 at 12:01 AM, Jeremy Allison <jra at samba.org> wrote:
> On Thu, Jul 16, 2015 at 01:48:09PM -0700, Jeremy Allison wrote:
>> On Wed, Jul 15, 2015 at 08:23:37PM +0300, Uri Simchoni wrote:
>> > Oops...
>> > Now with the patch.
>>
>> Reviewed-by: Jeremy Allison <jra at samba.org>
>>
>> After doing some research this seems like the right
>> thing to do.
>>
>> Can I get a second Team reviewer ?
>
> Oh, looks like Metze already did ... Uri, can you confirm ?
> If so I'll push :-).
>
>> > On Wed, Jul 15, 2015 at 8:20 PM, Uri Simchoni <urisimchoni at gmail.com> wrote:
>> > > Ping...
>> > > Of the two patches in the original patch set, the first got pushed and
>> > > the second - with dns_lookup_realm=false - didn't. In this thread
>> > > there seems to be a general consent that it's good.
>> > >
>> > > Resubmitting just the dns_lookup_realm=false patch.
>> > > Thanks!
>> > > Uri
>> > >
>> > >
>> > > On Thu, Jul 9, 2015 at 1:11 AM, Stefan (metze) Metzmacher
>> > > <metze at samba.org> wrote:
>> > >> On 08.07.2015 at 21:25, Uri Simchoni wrote:
>> > >>> On Wed, Jul 8, 2015 at 11:02 AM, Stefan (metze) Metzmacher
>> > >>> <metze at samba.org> wrote:
>> > >>>> On 08.07.2015 at 09:56, Andrew Bartlett wrote:
>> > >>> <snip>
>> > >>>>> Adding dns_lookup_realm=false to a generated config is fine.  The
>> > >>>>> required TXT record isn't present in AD domains (I think I put it in
>> > >>>>> Samba4 at one point, but I'm not sure it is still there).
>> > >>>>
>> > >>>> Now, that we have support for domain trusts in our KDC,
>> > >>>> clients should be routed to the correct realm based on a hostname.
>> > >>>> Clients should always ask the KDC belonging to the user's realm.
>> > >>>>
>> > >>>> metze
>> > >>>>
>> > >>> This patch [2/2] is indeed about canceling the TXT DNS lookup. I
>> > >>> believe what you are trying to say is that a client that behaves
>> > >>> correctly should not be asking about the realm of a server it is
>> > >>> trying to contact, so a client that behaves correctly does not care
>> > >>> about dns_lookup_realm.
>> > >>
>> > >> Yes, and adding an explicit dns_lookup_realm=false, is the correct thing
>> > >> to do.
>> > >>
>> > >>> AFAICT, the correct client behavior in AD environment, when looking
>> > >>> for a service ticket for a host, and knowing just the DNS name of the
>> > >>> host, is not to guess the realm, but instead to start with the known
>> > >>> realm of the user asking for the ticket, raise the "canonicalize"
>> > >>> flag, and get referred (via a returning TGT instead of the ticket
>> > >>> we've asked for) to the "next" KDC, until some KDC gives us the ticket
>> > >>> we've requested.
>> > >>
>> > >> Yes.
>> > >>
>> > >>> Continuing this line of thought - it means that
>> > >>> kerberos_get_principal_from_service_hostname() (which is the function
>> > >>> that causes the TXT queries to be generated) should not exist at all -
>> > >>> either you know the realm (winbindd is an example - it got it from the
>> > >>> trust enumeration process), or you should have AD find it for you
>> > >>> (based on the TGT you have which encapsulates the user's realm). All I
>> > >>> can say is that the patch to get rid of the TXT queries is small and
>> > >>> simple and it does have value until client behavior is changed into
>> > >>> the correct behavior.
>> > >>>
>> > >>> The TXT queries can be a pain because:
>> > >>> - Nobody talks of them, so if one sees them in a packet capture it may
>> > >>> send him barking at the wrong tree
>> > >>> - In misconfigured DNS, instead of quickly returning a negative answer
>> > >>> the request may time out, causing the join process to take a
>> > >>> considerable amount of time.
>> > >>
>> > >> I just agree with you that avoiding the TXT queries is the correct thing
>> > >> to do
>> > >> for samba in all cases.
>> > >>
>> > >> metze
>> > >>
>>
>> > From 7ea0683be472b0dc115ac03ec7600f0116e9ec99 Mon Sep 17 00:00:00 2001
>> > From: Uri Simchoni <urisimchoni at gmail.com>
>> > Date: Thu, 2 Jul 2015 20:15:43 +0300
>> > Subject: [PATCH v2] libads: disable dns_lookup_realm in auto-generated
>> >  krb5.conf files
>> >
>> > This patch sets dns_lookup_realm=false in samba-generated krb5.conf.
>> >
>> > Disabling dns_lookup_realm in krb5.conf is the recommended practice for
>> > Kerberos usage in Active Directory environment. dns_lookup_realm is enabled
>> > by default, at least in Heimdal.
>> >
>> > When used by samba, Kerberos libraries operate based on either the system
>> > krb5.conf, or a private krb5.conf generated specifically for the domain by
>> > samba code. In the former case, it's the responsibility of the administrator
>> > to set dns_lookup_realm=false. In the latter case, it's the responsibility
>> > of samba - which is what this patch does.
>> >
>> > In many usage scenarios the value of this variable is of no consequence
>> > since samba knows the realm in which it is operating, and knows how to
>> > generate service principal names. However, there are some scenarios
>> > in which samba calls kerberos_get_principal_from_service_hostname(),
>> > and here samba consults the Kerberos libraries and this parameter comes
>> > into play. One primary example is cli_full_connection() function.
>> >
>> > Not setting dns_lookup_realm leads to a series of DNS TXT record lookups.
>> > This can be observed by running "net ads join -k -U <user>".
>> >
>> > In AD environments, the TXT queries typically fail quickly, but test setups
>> > or misconfigured DNS may lead to large timeouts (for example, if the domain
>> > is dept.example.com but there's no parent example.com domain and no DNS
>> > zones for example.com). At the very least we want to avoid those lookups
>> > because they are hardly documented and lead to confusion.
>> >
>> > Signed-off-by: Uri Simchoni <urisimchoni at gmail.com>
>> > ---
>> >  source3/libads/kerberos.c | 3 ++-
>> >  1 file changed, 2 insertions(+), 1 deletion(-)
>> >
>> > diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
>> > index 1c2d8a2..e4bad74 100644
>> > --- a/source3/libads/kerberos.c
>> > +++ b/source3/libads/kerberos.c
>> > @@ -879,7 +879,8 @@ bool create_local_private_krb5_conf_for_domain(const char *realm,
>> >                                     "[libdefaults]\n\tdefault_realm = %s\n"
>> >                                     "\tdefault_tgs_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
>> >                                     "\tdefault_tkt_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
>> > -                                   "\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n"
>> > +                                   "\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n"
>> > +                                   "\tdns_lookup_realm = false\n\n"
>> >                                     "[realms]\n\t%s = {\n"
>> >                                     "%s\t}\n",
>> >                                     realm_upper, aes_enctypes, aes_enctypes, aes_enctypes,
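Review bot: the new `"\tdns_lookup_realm = false\n\n"` line correctly lands inside the [libdefaults] block and the `\n\n` section separator moves with it from the preferred_enctypes line, so `[realms]` still begins on its own block; since this format string is where the private krb5.conf is assembled, a test that reads the generated file back and asserts the line is present under [libdefaults] would guard against a later reshuffle of the string silently dropping it. The DES-CBC-CRC / DES-CBC-MD5 entries in the surrounding enctype lines are outside this patch's scope but deserve a separate cleanup.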
>> > --
>> > 1.9.1
>> >
>>
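The commit message above explains that dns_lookup_realm only matters when the Kerberos library, rather than Samba, has to work out a host's realm, and that the generated krb5.conf now pins it to false. The following is an added example, not Samba code and not part of the thread: a small krb5.conf reader that audits a file for an explicit `dns_lookup_realm = false` under [libdefaults], so an administrator can check both a system krb5.conf and a Samba-generated private one the same way. The two sample files are constructed to resemble the generated config before and after the patch (realm name, KDC address and enctype lists are made up for the example).

```python
"""Audit a krb5.conf for the dns_lookup_realm setting (added example, not Samba code)."""
from typing import Dict, Tuple

# Constructed sample shaped like the private krb5.conf written after the patch.
SAMPLE_PATCHED = """[libdefaults]
\tdefault_realm = DEPT.EXAMPLE.COM
\tdefault_tgs_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC
\tdefault_tkt_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC
\tpreferred_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC
\tdns_lookup_realm = false

[realms]
\tDEPT.EXAMPLE.COM = {
\t\tkdc = 192.0.2.10
\t}
"""

# Constructed sample shaped like the same file before the patch (setting absent).
SAMPLE_UNPATCHED = """[libdefaults]
\tdefault_realm = DEPT.EXAMPLE.COM
\tpreferred_enctypes = aes256-cts-hmac-sha1-96 RC4-HMAC

[realms]
\tDEPT.EXAMPLE.COM = {
\t\tkdc = 192.0.2.10
\t}
"""

# Boolean spellings accepted here; MIT and Heimdal accept these forms as well.
FALSE_VALUES = {"false", "no", "0", "off"}


def parse_krb5_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal krb5.conf reader: [section] headers, key = value pairs, '#'/';' comments.

    Nested realm blocks ('REALM = {' ... '}') are skipped, because the audit only
    needs the flat [libdefaults] keys.  This is deliberately not a full parser.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    depth = 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            depth = 0
            continue
        if line.endswith("{"):          # start of a nested block, e.g. a realm entry
            depth += 1
            continue
        if line == "}":                 # end of a nested block
            depth = max(0, depth - 1)
            continue
        if current is None or depth > 0 or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key.lower()] = value
    return sections


def audit_dns_lookup_realm(text: str) -> Tuple[str, str]:
    """Return (status, explanation); status is 'ok', 'missing' or 'enabled'."""
    libdefaults = parse_krb5_conf(text).get("libdefaults", {})
    value = libdefaults.get("dns_lookup_realm")
    if value is None:
        return ("missing",
                "dns_lookup_realm is not set, so the library default applies "
                "(enabled in Heimdal) and realm TXT lookups can occur")
    if value.strip().lower() in FALSE_VALUES:
        return ("ok", "dns_lookup_realm is explicitly disabled; no realm TXT lookups")
    return ("enabled", f"dns_lookup_realm = {value}; realm TXT lookups are enabled")


if __name__ == "__main__":
    for name, sample in (("patched", SAMPLE_PATCHED), ("unpatched", SAMPLE_UNPATCHED)):
        status, why = audit_dns_lookup_realm(sample)
        print(f"{name}: {status} - {why}")
```

Pointing the audit at a real file is a matter of `audit_dns_lookup_realm(open("/etc/krb5.conf").read())`; a "missing" result on a Samba-generated file means the generated config predates this patch.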