How does modern Samba handle krb5?

Jiří Šašek - Solaris Prague jiri.sasek at oracle.com
Thu Sep 21 07:19:38 UTC 2023


Hi Experts,
While sniffing packets I have found that "net ads join" and "winbindd" 
handle krb5 in such a strange way:

No.	Time	Source	Destination	Protocol	Info
47	38.477244	10.163.87.117	10.163.87.58	KRB5	AS-REQ
48	38.478496	10.163.87.58	10.163.87.117	KRB5	KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
49	38.479156	10.163.87.117	10.163.87.58	DNS	Standard query 0x439f URI _kerberos.SMBSETUP.CZECH.SUN.COM
50	38.479597	10.163.87.58	10.163.87.117	DNS	Standard query response 0x439f No such name URI _kerberos.SMBSETUP.CZECH.SUN.COM SOA win-lqmsb4eue0v.smbsetup.czech.sun.com
51	38.479833	10.163.87.117	10.163.87.58	DNS	Standard query 0x0e56 SRV _kerberos-master._udp.SMBSETUP.CZECH.SUN.COM
52	38.480165	10.163.87.58	10.163.87.117	DNS	Standard query response 0x0e56 No such name SRV _kerberos-master._udp.SMBSETUP.CZECH.SUN.COM SOA win-lqmsb4eue0v.smbsetup.czech.sun.com
53	38.480366	10.163.87.117	10.163.87.58	DNS	Standard query 0x50be SRV _kerberos-master._tcp.SMBSETUP.CZECH.SUN.COM
54	38.480658	10.163.87.58	10.163.87.117	DNS	Standard query response 0x50be No such name SRV _kerberos-master._tcp.SMBSETUP.CZECH.SUN.COM SOA win-lqmsb4eue0v.smbsetup.czech.sun.com

...where Add-DnsServerResourceRecord does not support the URI RR-type and also 
the _kerberos-master is not commonly supported in a DC. Can Samba still 
work with a Windows-based DC?

Older Samba releases were able to respond to err: preauth.required with 
preauthentication, so I am curious why the modern Samba will fall into 
such madness in such a case. Is there an option to rail even the modern 
Samba back?

Note: on Solaris I am pushed to use the MIT krb5 API, where my attempts to 
build Samba with Heimdal to check if it will not work break on 
conflicts with system headers.

Many thanks,
Jiri


