[Samba] dns lookups for SRV kerberos

aplist at netcourrier.com
Thu Dec 10 08:21:24 MST 2009


Hi,


I have raised this question on the kerberos mailing list, but have been told that Samba has its own behavior regarding SRV lookups.

My configuration uses the following:
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.DOM = {
  kdc = 10.0.0.1:88
  kdc = 10.0.0.2:88
  admin_server = 10.0.0.1:749
  default_domain = example.dom
 }

but I still see the DNS lookups for SRV _kerberos-master_udp
( same with kdc = adserver1.example.dom.:88 )

To be precise, the following happens (we don't have these records in the DNS
system):

ASREQ ->
 <- KRBERR PREAUTH
DNS SRV _kerberos-master ->
  <- no such name
ASREQ ->
 <- AS REP OK
DNS SRV _kerberos-master ->
  <- no such name
TGSREQ ->
 <- TGSREP
DNS SRV _kerberos-master ->
  <- no such name

that makes 3 DNS lookups per TGS.

As I have explicitly configured:
A) dns_lookups to false
B) numerical IP addresses for the KDCs
I would expect DNS lookups to be completely *non-existent*.
Are my expectations correct, or is there something in the protocol that I missed
that would need to enforce DNS lookups even if configured not to? Or maybe I
have misconfigured krb5.conf? It seems that Samba would not look into this file.
Can it be configured elsewhere?
Same behaviour with numerical IP addresses for "password server".


Why I am looking into this is because I use kerberos for AD authentication,
through winbind.
Our configuration (typical for an AD infrastructure) is to have 2 DC's, which
are KDC's as well as DNS servers.
What happens when the primary DC is unavailable is that both the primary KDC and
the primary DNS are down.
Timeouts summing up, the result in a default RHEL5 configuration is that
"wbinfo -t" takes 21 seconds to complete.
(3*5s DNS timeouts + 3*2s KDC timeouts)
For the moment, DNS Timeout can be lowered to 1s but not less.

Still, I don't understand why these DNS lookups are made at all with this
configuration.
Has anyone an explanation ?

using 
krb5-libs-1.6.1-36.el5
samba-3.0.33-3.15.el5_4
on RHEL 5.4



Regards,

Andrew
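As an added example (not code from the post, from Samba, or from MIT krb5), the following script parses a krb5.conf in the shape of the one above and reports where the client would still depend on DNS to reach the realm: whether dns_lookup_kdc is false, whether every kdc/admin_server is a numeric address rather than a hostname, and whether a master_kdc is set. The [libdefaults] header and the master_kdc lines are assumptions: the post does not show which section its dns_lookup_* lines live in, and it is MIT krb5's documentation, not the post, that describes master_kdc as the profile alternative to the _kerberos-master SRV lookup made after a preauth failure. Whether that entry silences the lookups seen in the trace above is not established here.

```python
"""Lint a krb5.conf for settings that still make a Kerberos client need DNS.

Added example, not code from the original post, Samba or MIT krb5.
"""
import ipaddress
from typing import Dict, List

Section = Dict[str, object]
FALSE_WORDS = {"false", "no", "off", "0"}


def parse_krb5_conf(text: str) -> Dict[str, Section]:
    """Minimal parser for the INI-like MIT profile format of krb5.conf.

    Handles [section] headers, "key = value", one level of "KEY = { ... }"
    subsections, repeated keys (collected into a list) and '#'/';' comments.
    A small subset of the real profile library, enough for realm stanzas.
    """
    conf: Dict[str, Section] = {}
    section: Section = {}
    stack: List[Section] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1].strip(), {})
            stack = []
            continue
        if line == "}":
            if not stack:
                raise ValueError("unbalanced '}' in krb5.conf")
            section = stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"cannot parse line: {raw!r}")
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(section)
            section = section.setdefault(key, {})  # type: ignore[assignment]
            continue
        existing = section.get(key)  # several "kdc =" lines become a list
        if existing is None:
            section[key] = value
        elif isinstance(existing, list):
            existing.append(value)
        else:
            section[key] = [existing, value]
    if stack:
        raise ValueError("unclosed '{' in krb5.conf")
    return conf


def _as_list(value) -> List[str]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _host_of(server: str) -> str:
    """Strip an optional :port from 'host:port' or '[v6addr]:port'."""
    if server.startswith("["):
        return server[1:server.index("]")]
    host, _, _ = server.rpartition(":")
    return host or server


def check_dns_dependence(conf: Dict[str, Section], realm: str) -> List[str]:
    """Return findings describing where DNS is still needed to reach `realm`."""
    findings: List[str] = []
    libdefaults = conf.get("libdefaults", {})
    realm_conf = conf.get("realms", {}).get(realm)
    if not isinstance(realm_conf, dict):
        return [f"realm {realm} has no [realms] stanza; KDCs can only come from DNS"]
    if str(libdefaults.get("dns_lookup_kdc", "true")).lower() not in FALSE_WORDS:
        findings.append("dns_lookup_kdc is not false: KDCs may be located via _kerberos SRV records")
    for key in ("kdc", "admin_server", "master_kdc"):
        for server in _as_list(realm_conf.get(key)):
            try:
                ipaddress.ip_address(_host_of(server))
            except ValueError:
                findings.append(f"{key} = {server} is a hostname; reaching it needs an A/AAAA lookup")
    # Assumption: MIT krb5 documents master_kdc as the profile alternative to
    # the _kerberos-master SRV lookup made after a preauth failure.
    if "master_kdc" not in realm_conf:
        findings.append("no master_kdc entry: the master KDC can only be found via _kerberos-master SRV")
    return findings


# Constructed sample in the shape of the post's configuration; the
# [libdefaults] header is an assumption (the post does not show it).
POSTED_CONF = """\
[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.DOM = {
  kdc = 10.0.0.1:88
  kdc = 10.0.0.2:88
  admin_server = 10.0.0.1:749
  default_domain = example.dom
 }
"""

# Same stanza with an explicit master_kdc added (assumption, see above).
PINNED_CONF = POSTED_CONF.replace("  admin_server", "  master_kdc = 10.0.0.1:88\n  admin_server")

if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONF), ("with master_kdc", PINNED_CONF)):
        findings = check_dns_dependence(parse_krb5_conf(text), "EXAMPLE.DOM")
        print(f"{name}: {findings or 'no DNS dependence found'}")
```

Run it against your own /etc/krb5.conf by reading the file into `parse_krb5_conf`; the findings list is empty only when every server is a numeric address, dns_lookup_kdc is off and a master_kdc is pinned. The check does not prove the library will stop querying DNS, so confirm with a packet capture on port 53 during `wbinfo -t` after changing anything.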





