[PATCH] libads: fixes to generation of custom krb5.conf

Matthieu Patou mat at samba.org
Sun Jun 7 12:55:11 MDT 2015

On 06/04/2015 12:09 AM, Uri Simchoni wrote:
> Hi,
> Attached please find some fixes to generation of custom krb5.conf -
> libads creates this file in order to help the kerberos client libs do
> AD-aware and specifically site-aware kerberos.
> Patch 1/4 - fix indentation of kdcs in case of multiple kdcs
> Patch 2/4 - when doing SRV queries, look up _kerberos records and not
> _ldap records. This also fixes a bug in which only KDCs of the current
> site are listed, and KDCs of the site-less query are not listed
> Patch 3/4 - correctly merge lists, to avoid the same IP address coming up
> twice (well, maybe this one is needed because of the 2/4 fix..)
> Patch 4/4 - make sure the "known good server" from the
> session-affinity cache always appears first in the generated krb5.conf
> file.
> Please review,
> Uri.
I'm a bit concerned with patch #2, you still want to have the KDCs in
your site first and then the others.
Your comment says:

   When building a custom krb5.conf file for a domain, an attempt is
   made to get site-specific as well as site-less records, but the
   search for _ldap records yields a cached site-specific result even
   for the site-less query.

Did you have a look at why this is so?
If it can't really be fixed, I would still prefer that we get the KDCs from
the local site first and then the other KDCs. I know products that are
kerberos heavy and I would like to avoid those products querying the KDC at
the other side of the globe if one is available nearby.

Also, why is the first call to internal_resolve_name (line 3119) not using auto_name_type?

Matthieu Patou
Samba Team
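As an added illustration of the behaviour this thread is after (this is not Samba's libads code, and all host names, the site name and the realm are constructed), the snippet below builds the two _kerberos SRV names an AD client queries, merges the known-good, site-specific and site-less KDC lists without duplicates while keeping the local site ahead of the rest, and renders the kdc lines with uniform indentation:

```python
# Added example, not Samba's libads implementation.  Host names, site
# and realm below are constructed sample values.

def srv_names(domain, site):
    """Return the (site-specific, site-less) _kerberos SRV names that an
    AD-aware client queries for a domain; the _ldap equivalents would
    list LDAP servers, not KDCs, which is the point of patch 2/4."""
    site_specific = f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}"
    site_less = f"_kerberos._tcp.dc._msdcs.{domain}"
    return site_specific, site_less


def merge_kdcs(known_good, site_kdcs, siteless_kdcs):
    """Order KDCs as the thread asks: the session-affinity 'known good'
    server first, then the KDCs of the client's own site, then the
    site-less results, dropping any address that already appeared."""
    candidates = ([known_good] if known_good else []) \
        + list(site_kdcs) + list(siteless_kdcs)
    ordered, seen = [], set()
    for kdc in candidates:
        key = kdc.lower()
        if key in seen:
            continue          # same KDC from both queries: list it once
        seen.add(key)
        ordered.append(kdc)
    return ordered


def render_realm(realm, kdcs):
    """Render one [realms] stanza; every kdc line gets the same indent,
    whether there is one KDC or several (patch 1/4)."""
    lines = [f"\t{realm} = {{"]
    lines.extend(f"\t\tkdc = {kdc}" for kdc in kdcs)
    lines.append("\t}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: dc2 is returned by both the site-specific and
    # the site-less query, and dc3 is the cached known-good server.
    print("queries:", *srv_names("example.com", "Paris"))
    site = ["dc2.example.com", "dc3.example.com"]
    siteless = ["dc1.example.com", "dc2.example.com", "dc4.example.com"]
    kdcs = merge_kdcs("dc3.example.com", site, siteless)
    print("[realms]")
    print(render_realm("EXAMPLE.COM", kdcs))
```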
