How modern Samba handle krb5?

Alexander Bokovoy ab at
Thu Sep 21 08:53:21 UTC 2023

On Thu, 21 Sep 2023, Jiří Šašek - Solaris Prague via samba-technical wrote:
> Hi Experts,
> While sniffing packets I have found "net ads join" and "winbindd" handle
> krb5 in such a strange way:
> No.	Time	Source	Destination	Protocol	Info
> 47	38.477244	KRB5	AS-REQ
> 48	38.478496	KRB5	KRB Error:
> 49	38.479156	DNS	Standard query 0x439f URI
> 50	38.479597	DNS	Standard query response 0x439f No such name URI _kerberos.SMBSETUP.CZECH.SUN.COM SOA
> 51	38.479833	DNS	Standard query 0x0e56 SRV _kerberos-master._udp.SMBSETUP.CZECH.SUN.COM
> 52	38.480165	DNS	Standard query response 0x0e56 No such name SRV _kerberos-master._udp.SMBSETUP.CZECH.SUN.COM SOA
> 53	38.480366	DNS	Standard query 0x50be SRV _kerberos-master._tcp.SMBSETUP.CZECH.SUN.COM
> 54	38.480658	DNS	Standard query response 0x50be No such name SRV _kerberos-master._tcp.SMBSETUP.CZECH.SUN.COM SOA
> ...where Add-DnsServerResourceRecord does not support URI RR-type and also the
> _kerberos-master is not commonly supported in DC. Can Samba still work with
> Windows-based DC?
> Older Samba releases were able to respond on err: preauth.required by
> preauthentication so I am curious why the modern Samba will fall into such
> madness in such case. Is there an option to rail even the modern Samba back?
> Note: on Solaris I am pushed to use MIT krb5 API where my attempts to build
> Samba with Heimdal to check if it will not work break on conflicts with
> system headers.

URI-based discovery is part of MIT Kerberos handling of realm and KDC
discovery. Added in MIT Kerberos 1.15 or so, in 2016, to implement what
was later transformed into

It has nothing to do with Samba and in general Active
Directory implementations do not support URI-based discovery, though
they probably should, for MS-KKDCP implementations be better

We use it actively in FreeIPA.

/ Alexander Bokovoy
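
Added example, not part of the original message and not Samba or MIT krb5 code: a sketch of the lookup order visible in the capture above (URI first, then SRV) and a parser for the `krb5srv:flags:transport:residual` target format that MIT krb5 documents for Kerberos URI records. The function names and the sample records are constructed for illustration.

```python
from typing import NamedTuple, Optional


class KdcTarget(NamedTuple):
    primary: bool         # "m" flag: entry is a primary (master) KDC
    transport: str        # "udp", "tcp" or "kkdcp"
    host: str             # hostname/IPv4, or the full HTTPS URL for kkdcp
    port: Optional[int]   # None for kkdcp (the port lives in the URL)


def discovery_queries(realm: str, primary: bool = False) -> list:
    """DNS questions in the order seen in the capture: URI first, then SRV."""
    label = "_kerberos-master" if primary else "_kerberos"
    return [("URI", f"_kerberos.{realm}"),
            ("SRV", f"{label}._udp.{realm}"),
            ("SRV", f"{label}._tcp.{realm}")]


def parse_uri_target(target: str) -> KdcTarget:
    """Parse one 'krb5srv:flags:transport:residual' URI record target."""
    parts = target.split(":", 3)          # residual may itself contain ':'
    if len(parts) != 4 or parts[0].lower() != "krb5srv":
        raise ValueError(f"not a krb5srv target: {target!r}")
    _, flags, transport, residual = parts
    transport = transport.lower()
    if transport not in ("udp", "tcp", "kkdcp") or not residual:
        raise ValueError(f"bad transport or empty residual: {target!r}")
    primary = "m" in flags.lower()
    if transport == "kkdcp":              # residual is an HTTPS proxy URL
        return KdcTarget(primary, transport, residual, None)
    host, sep, port = residual.rpartition(":")
    # Split host:port for hostnames/IPv4 only; IPv6 literals are left unsplit.
    if sep and port.isdigit() and ":" not in host:
        return KdcTarget(primary, transport, host, int(port))
    return KdcTarget(primary, transport, residual, 88)  # Kerberos default port


def candidates(records, primary_only: bool = False) -> list:
    """records: (priority, weight, target) tuples; lowest priority first."""
    parsed = [(prio, parse_uri_target(t)) for prio, _weight, t in records]
    return [k for _prio, k in sorted(parsed, key=lambda x: x[0])
            if k.primary or not primary_only]


# Constructed sample records for a hypothetical realm (not from the thread).
SAMPLE = [
    (20, 1, "krb5srv::udp:kdc2.example.test:89"),
    (10, 1, "krb5srv:m:tcp:kdc1.example.test"),
    (30, 1, "krb5srv::kkdcp:https://proxy.example.test/KdcProxy"),
]
```

In MIT krb5 the URI query is governed by the `dns_uri_lookup` setting in the `[libdefaults]` section of krb5.conf.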
