[External] : Re: How modern Samba handle krb5?
Jiří Šašek - Solaris Prague
jiri.sasek at oracle.com
Thu Sep 21 08:57:51 UTC 2023
Many thanks for railing me back, Jiri
On 9/21/23 10:53, Alexander Bokovoy wrote:
> On Thu, 21 Sep 2023, Jiří Šašek - Solaris Prague via samba-technical wrote:
>> Hi Experts,
>> While sniffing packets I have found that "net ads join" and "winbindd" handle
>> krb5 in such a strange way:
>> No.  Time       Source         Destination    Protocol  Info
>> 47   38.477244  10.163.87.117  10.163.87.58   KRB5      AS-REQ
>> 48   38.478496  10.163.87.58   10.163.87.117  KRB5      KRB Error:
>> 49   38.479156  10.163.87.117  10.163.87.58   DNS       Standard query 0x439f URI
>> 50   38.479597  10.163.87.58   10.163.87.117  DNS       Standard query response 0x439f No such name URI _kerberos.SMBSETUP.CZECH.SUN.COM SOA
>> 51   38.479833  10.163.87.117  10.163.87.58   DNS       Standard query 0x0e56 SRV
>> 52   38.480165  10.163.87.58   10.163.87.117  DNS       Standard query response 0x0e56 No such name SRV _kerberos-master._udp.SMBSETUP.CZECH.SUN.COM SOA
>> 53   38.480366  10.163.87.117  10.163.87.58   DNS       Standard query 0x50be SRV
>> 54   38.480658  10.163.87.58   10.163.87.117  DNS       Standard query response 0x50be No such name SRV _kerberos-master._tcp.SMBSETUP.CZECH.SUN.COM SOA
>> ...where Add-DnsServerResourceRecord does not support the URI RR-type and also the
>> _kerberos-master is not commonly supported in a DC. Can Samba still work with a
>> Windows-based DC?
>> Older Samba releases were able to respond to err: preauth.required with
>> preauthentication, so I am curious why the modern Samba will fall into such
>> madness in such a case. Is there an option to rail even the modern Samba back?
>> Note: on Solaris I am pushed to use the MIT krb5 API, where my attempts to build
>> Samba with Heimdal to check if it will not work break on conflicts with
>> system headers.
> URI-based discovery is part of MIT Kerberos handling of realm and KDC
> discovery. Added in MIT Kerberos 1.15 or so, in 2016, to implement what
> was later transformed into https://datatracker.ietf.org/doc/html/draft-ietf-kitten-krb-service-discovery
> It has nothing to do with Samba, and in general Active
> Directory implementations do not support URI-based discovery, though
> they probably should, for MS-KKDCP implementations to be better.
> We use it actively in FreeIPA.
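The lookup order Alexander describes (URI record first, SRV records only as a fallback, which is the sequence in the capture above), as an added Python model that is not Samba or MIT code: the `krb5srv:` target syntax follows draft-ietf-kitten-krb-service-discovery, the two DNS zones are constructed stand-ins for a real resolver, the `EXAMPLE.TEST` realm and host names are invented, and MIT's real locator logic is simplified.

```python
import re
from typing import NamedTuple

class Endpoint(NamedTuple):
    transport: str  # "udp", "tcp" or "kkdcp" (MS-KKDCP proxy)
    target: str     # host:port, or a URL for kkdcp
    master: bool    # URI flag "m" marks a master KDC

# Target of a _kerberos URI record: krb5srv:[flags]:transport:residual
URI_RE = re.compile(r"^krb5srv:(?P<flags>[A-Za-z]*):(?P<transport>udp|tcp|kkdcp):(?P<residual>.+)$")

def parse_krb5_uri(target: str) -> Endpoint:
    """Parse one URI record target as defined by the kitten service-discovery draft."""
    m = URI_RE.match(target)
    if m is None:
        raise ValueError(f"not a krb5srv URI: {target!r}")
    return Endpoint(m["transport"], m["residual"], "m" in m["flags"].lower())

def discover_kdcs(realm, zone, want_master=False, dns_uri_lookup=True):
    """Return (DNS queries issued, endpoints found) in simplified MIT krb5 1.15+ order:
    URI at _kerberos.REALM first (skipped when dns_uri_lookup is false), SRV only if
    no URI record exists. `zone` is a constructed dict {(qname, qtype): [rdata, ...]}."""
    queries = []
    def lookup(qname, qtype):
        queries.append(f"{qtype} {qname}")
        return zone.get((qname.lower(), qtype), [])
    if dns_uri_lookup:
        uris = lookup(f"_kerberos.{realm}", "URI")  # rdata: "priority weight target"
        if uris:
            ordered = sorted(uris, key=lambda rr: int(rr.split()[0]))
            eps = [parse_krb5_uri(rr.split(None, 2)[2]) for rr in ordered]
            return queries, [e for e in eps if e.master or not want_master]
    prefix = "_kerberos-master" if want_master else "_kerberos"
    eps = []
    for transport in ("udp", "tcp"):
        for rr in lookup(f"{prefix}._{transport}.{realm}", "SRV"):  # "prio weight port host"
            _prio, _weight, port, host = rr.split()
            eps.append(Endpoint(transport, f"{host.rstrip('.')}:{port}", want_master))
    return queries, eps

# Constructed zones, not real DNS data. AD-style: SRV only, no URI, no _kerberos-master.
AD_ZONE = {
    ("_kerberos._udp.smbsetup.czech.sun.com", "SRV"): ["0 100 88 dc1.smbsetup.czech.sun.com."],
    ("_kerberos._tcp.smbsetup.czech.sun.com", "SRV"): ["0 100 88 dc1.smbsetup.czech.sun.com."],
}
# FreeIPA-style: URI records, one flagged as master, one pointing at an MS-KKDCP proxy.
IPA_ZONE = {
    ("_kerberos.example.test", "URI"): [
        "20 1 krb5srv::kkdcp:https://ipa2.example.test/KdcProxy",
        "10 1 krb5srv:m:tcp:ipa1.example.test:88",
    ],
}
```

In MIT krb5 1.15 and later, `dns_uri_lookup = false` in the `[libdefaults]` section of krb5.conf skips the URI step and goes straight to SRV records.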