[PATCH] libads: fixes to generation of custom krb5.conf
mat at samba.org
Sun Jun 7 12:55:11 MDT 2015
On 06/04/2015 12:09 AM, Uri Simchoni wrote:
> Attached pls find some fixes to generation of custom krb5.conf -
> libads creates this file in order to help the kerberos client libs do
> AD-aware and specifically site-aware kerberos.
> Patch 1/4 - fix indentation of kdcs in case of multiple kdcs
> Patch 2/4 - when doing SRV queries, look up _kerberos records and not
> _ldap records. This also fixes a bug in which only KDCs of the current
> site are listed, and KDCs of the site-less query are not listed
> Patch 3/4 - correctly merge lists, to avoid the same IP address coming up
> twice (well, maybe this one is needed because of the 2/4 fix..)
> Patch 4/4 - make sure the "known good server" from the
> session-affinity cache always appears first in the generated krb5.conf
> Please review,
I'm a bit concerned with patch #2: you still want to have the KDC in
your site first and then the others.
Your comment says:
When building a custom krb5.conf file for a domain, an attempt is
made to get site-specific as well as site-less records, but the
search for _ldap records yields a cached site-specific result even
for the site-less query.
Did you have a look at why it is so?
If it can't really be fixed, I would still prefer that we get the KDC from the local site first and then the other KDCs. I know products that are Kerberos-heavy, and I would like to avoid those products querying a KDC at the other side of the globe if one is available nearby.
Also, why is the first call to internal_resolve_name (line 3119) not using auto_name_type?
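As an added illustration of the behaviour the four patches and the reply are arguing about (this is example code written for this page, not Samba's libads implementation), the following small Python model takes constructed SRV lookup results for the site-specific and site-less `_kerberos` names, merges them so that no address appears twice, places the session-affinity "known good" server first and the site-local KDCs before the site-less ones, and renders a `[realms]` stanza with consistently indented `kdc =` lines. The `Kdc` type, the function names and the sample addresses are assumptions made for the example; only the `_kerberos._tcp.<site>._sites.<domain>` and `_kerberos._tcp.<domain>` SRV names are the standard Active Directory ones.

```python
"""Model of site-aware KDC list merging for a generated krb5.conf.

Added example for this thread, not Samba code. The data types, function
names and addresses are hypothetical; the SRV record names follow the
standard Active Directory naming scheme.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Kdc:
    """One KDC as returned by an SRV lookup (hypothetical type)."""
    host: str
    ip: str
    port: int = 88


def srv_query_names(domain, site):
    """Return the (site-specific, site-less) _kerberos SRV names to query.

    Patch 2/4 in the thread switches the lookup from _ldap to _kerberos
    records; these are the two names a site-aware client asks for.
    """
    site_specific = f"_kerberos._tcp.{site}._sites.{domain}"
    site_less = f"_kerberos._tcp.{domain}"
    return site_specific, site_less


def merge_kdcs(known_good, site_kdcs, siteless_kdcs):
    """Build the ordered, de-duplicated KDC list for the realm stanza.

    Order: the known-good server from the session-affinity cache first
    (patch 4/4), then the site-local KDCs, then the site-less results, so
    a nearby KDC is always tried before one on the other side of the globe.
    Duplicates are detected by (ip, port) (patch 3/4): a server that shows
    up in both the site-specific and the site-less answer is emitted once.
    """
    candidates = []
    if known_good is not None:
        candidates.append(known_good)
    candidates.extend(site_kdcs)
    candidates.extend(siteless_kdcs)

    ordered = []
    seen = set()
    for kdc in candidates:
        key = (kdc.ip, kdc.port)
        if key in seen:
            continue
        seen.add(key)
        ordered.append(kdc)
    return ordered


def render_realm(realm, kdcs):
    """Render a [realms] stanza; every kdc line gets the same indent (patch 1/4)."""
    lines = ["[realms]", f"\t{realm} = {{"]
    for kdc in kdcs:
        lines.append(f"\t\tkdc = {kdc.ip}:{kdc.port}")
    lines.append("\t}")
    return "\n".join(lines) + "\n"


def demo():
    """Constructed sample: two site-local KDCs, three site-less ones
    (one overlapping with the site answer, one being the known-good
    server). Returns the merged list and the rendered stanza."""
    site_kdcs = [Kdc("dc1.example.com", "10.0.1.1"),
                 Kdc("dc2.example.com", "10.0.1.2")]
    siteless_kdcs = [Kdc("dc2.example.com", "10.0.1.2"),   # duplicate of a site KDC
                     Kdc("dc3.example.com", "10.0.2.3"),
                     Kdc("dc4.example.com", "10.0.2.4")]
    known_good = Kdc("dc3.example.com", "10.0.2.3")
    kdcs = merge_kdcs(known_good, site_kdcs, siteless_kdcs)
    return kdcs, render_realm("EXAMPLE.COM", kdcs)


if __name__ == "__main__":
    merged, text = demo()
    print(text)
```

The sample also makes the tension in the reply visible: with patch 4/4 the known-good server (here `dc3`, a site-less result) is listed ahead of the site-local `dc1` and `dc2`, so "site-local first" only holds among the servers that follow the cached one.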