[Samba] dns lookups for SRV kerberos

Rob Townley rob.townley at gmail.com
Tue Dec 15 16:33:51 MST 2009


On Thu, Dec 10, 2009 at 9:21 AM,  <aplist at netcourrier.com> wrote:
> Hi,
>
>
> I have raised this question on the kerberos mailing list, but have been told that Samba has its own behavior regarding SRV lookups.
>
> My configuration uses the following :
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>
> [realms]
>  EXAMPLE.DOM = {
>  kdc = 10.0.0.1:88
>  kdc = 10.0.0.2:88
>  admin_server = 10.0.0.1:749
>  default_domain = example.dom
>  }
>
> but I still see the DNS lookups for SRV _kerberos-master_udp
> ( same with kdc = adserver1.example.dom.:88 )
>
> To be precise, the following happens (We don't have these records in the DNS
> system) :
>
> ASREQ ->
>  <- KRBERR PREAUTH
> DNS SRV _kerberos-master ->
>  <- no such name
> ASREQ ->
>  <- AS REP OK
> DNS SRV _kerberos-master ->
>  <- no such name
> TGSREQ ->
>  <- TGSREP
> DNS SRV _kerberos-master ->
>  <- no such name
>
> that makes 3 DNS lookups per TGS.
>
> As I have explicitly configured :
> A) dns_lookups to false
> B) numerical IP addresses for the KDC's
> I would expect dns lookups to be completely *non-existent*.
> Are my expectations correct, or is there something in the protocol that I missed,
> that would need to enforce dns lookups even if configured not to? Or maybe I
> have misconfigured krb5.conf? It seems that Samba would not look into this file.
> Can it be configured elsewhere?
> Same behaviour with numerical IP addresses for "password server"
>
>
> Why I am looking into this is because I use kerberos for AD authentication,
> through winbind.
> Our configuration (typical for an AD infrastructure) is to have 2 DC's, which
> are KDC's as well as DNS servers.
> What happens when the primary DC is unavailable is that both the primary KDC and
> the primary DNS are down.
> Timeouts summing up, the result in a default RHEL5 configuration is to have
> "wbinto -t" take 21 seconds to accomplish.
> (3*5s DNS timeouts + 3*2s KDC timeouts)
> For the moment, DNS Timeout can be lowered to 1s but not less.
>
> Still, I don't understand why these DNS lookups are made at all with this
> configuration.
> Has anyone an explanation ?
>
> using
> krb5-libs-1.6.1-36.el5
> samba-3.0.33-3.15.el5_4
> on RHEL 5.4
>
>
>
> Regards,
>
> Andrew
>
>
>
>
>

Interesting.  Does the samba generated cached version of krb5.conf
have dns records?  This is an altogether different file than
/etc/krb5.conf.

On my CentOS 5.4 box, samba caches its krb5 config here:
/var/cache/samba/smb_krb5/krb5.conf.NETBIOSDOMAINNAME

In my experience, some of these samba generated cached entries can be
altogether different from /etc/krb5.conf !
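As an added check for the two questions raised in this thread (it is not code from the thread, from Samba or from MIT krb5), here is a Python script that parses a krb5.conf-style file and reports what in it could still send the library to DNS: the `dns_lookup_realm` / `dns_lookup_kdc` settings, any `kdc` entries that are host names rather than IP literals, and whether the realm has a `master_kdc` tag, which is MIT krb5's configured alternative to the `_kerberos-master` SRV record. It then diffs those settings between two files, which is the comparison the reply above suggests between /etc/krb5.conf and the Samba-generated cache file. Both inputs are constructed: the first reproduces the settings quoted in the question; the second is a hypothetical stand-in for the cached file, whose real content is not shown in the thread. Whether krb5 1.6.1 consults `master_kdc` before trying DNS is something to confirm against that version's documentation, not something the thread settles.

```python
import ipaddress
import re

# Constructed sample: the /etc/krb5.conf settings quoted in the question.
ETC_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.DOM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.DOM = {
  kdc = 10.0.0.1:88
  kdc = 10.0.0.2:88
  admin_server = 10.0.0.1:749
  default_domain = example.dom
 }
"""

# Constructed, hypothetical stand-in for a Samba-generated cache file
# (the reply names /var/cache/samba/smb_krb5/krb5.conf.NETBIOSDOMAINNAME);
# its real content is not shown in the thread.
SAMBA_CACHED_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.DOM

[realms]
 EXAMPLE.DOM = {
  kdc = adserver1.example.dom
  kdc = adserver2.example.dom
 }
"""


def parse_krb5_conf(text):
    """Parse krb5.conf-style text into {section: {key: [values] or {subsection}}}.
    Repeated keys such as several 'kdc' lines are collected into a list;
    'NAME = { ... }' blocks become nested dicts."""
    conf = {}
    stack = []                                  # innermost dict being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':         # blank or full-line comment
            continue
        m = re.match(r'^\[(\S+)\]$', line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:                           # key before any section header
            continue
        if line == '}':
            if len(stack) > 1:
                stack.pop()
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value == '{':
            stack.append(stack[-1].setdefault(key, {}))
            continue
        stack[-1].setdefault(key, []).append(value)
    return conf


def host_part(hostport):
    """Strip an optional ':port' suffix: '10.0.0.1:88' -> '10.0.0.1',
    '[::1]:88' -> '::1'. A bare unbracketed IPv6 address is ambiguous here."""
    if hostport.startswith('['):
        return hostport[1:hostport.index(']')]
    host, sep, port = hostport.rpartition(':')
    return host if sep and port.isdigit() else hostport


def is_ip_literal(host):
    """True if the host needs no DNS resolution at all."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _last(section, key):
    """Last value of a repeated key, or None if the key is unset."""
    values = section.get(key)
    return values[-1] if values else None


def dns_exposure(conf):
    """Per-realm summary of what could still trigger a DNS query."""
    ld = conf.get('libdefaults', {})
    report = {
        'dns_lookup_realm': _last(ld, 'dns_lookup_realm'),  # None: library default
        'dns_lookup_kdc': _last(ld, 'dns_lookup_kdc'),
        'realms': {},
    }
    for realm, entries in conf.get('realms', {}).items():
        kdcs = entries.get('kdc', [])
        report['realms'][realm] = {
            'kdc': kdcs,
            'kdc_needs_dns': [k for k in kdcs if not is_ip_literal(host_part(k))],
            'master_kdc_configured': 'master_kdc' in entries,
        }
    return report


def compare_dns_settings(a, b, keys=('dns_lookup_realm', 'dns_lookup_kdc')):
    """Keys whose [libdefaults] value differs between two parsed configs."""
    la, lb = a.get('libdefaults', {}), b.get('libdefaults', {})
    return {k: (_last(la, k), _last(lb, k)) for k in keys
            if _last(la, k) != _last(lb, k)}


if __name__ == '__main__':
    etc = parse_krb5_conf(ETC_KRB5_CONF)
    cached = parse_krb5_conf(SAMBA_CACHED_CONF)
    for label, conf in (('/etc/krb5.conf (sample)', etc), ('samba cache (sample)', cached)):
        print(label, dns_exposure(conf))
    print('differences:', compare_dns_settings(etc, cached))
```

To run it against real files, read each path with `open(...).read()` in place of the two constructed strings; a realm whose `kdc_needs_dns` list is non-empty, or a file where `dns_lookup_kdc` comes back `None`, is the first place to look when lookups appear that /etc/krb5.conf alone would not explain.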

