[Samba] krb5.conf & kdc=, explicit vs automatic
Michael Tokarev
mjt at tls.msk.ru
Mon Dec 4 11:21:19 UTC 2023
While playing with a large number of DCs in a domain, which does not fit
in a UDP DNS packet, I found another interesting issue.
winbindd generates a temporary krb5.conf for each realm it uses, and
stores it in /run/samba/smb_krb5/krb5.conf.$REALM. Here's a typical
such config in fully-automatic mode:
[libdefaults]
default_realm = RGS.RU
default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
dns_lookup_realm = false
dns_lookup_kdc = true
[realms]
FOO.BAR = {
kdc = 10.221.1.98
kdc = 10.53.1.100
kdc = 10.45.1.100
kdc = 10.59.1.100
}
These are addresses of 4 DCs winbindd found in _ldap._tcp.dc._msdcs.FOO.BAR
SRV records.
However, if I specify a custom /etc/samba/krb5.conf (why does it not
use /etc/krb5.conf, btw?), the [realms] section of the still-generated
temporary krb5.conf will have just *one* kdc entry. Custom krb5.conf:
[realms]
FOO.BAR = {
kdc = dc-0.foo.bar
kdc = dc-1.foo.bar
kdc = dc-2.foo.bar
kdc = dc-3.foo.bar
}
and temporary winbind-generated /run/samba/smb_krb5/krb5.conf.FOO.BAR:
[realms]
FOO.BAR = {
kdc = 10.45.1.100
}
There's just one kdc entry now instead of 4 entries specified in custom
krb5.conf.
Why? Isn't it much less reliable to have only one DC?
Thanks,
/mjt
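As an added check (example code, not from the post or from Samba), the script below parses the [realms] section of a krb5.conf and flags any realm that lists fewer than two kdc entries, which is the single-DC situation described above. The two inputs are constructed from the configs quoted in the post.

```python
import re
from typing import Dict, List
# Constructed samples modelled on the two generated files quoted in the post:
# four kdc entries in fully-automatic mode, one with a custom krb5.conf.
AUTO_CONF = """[libdefaults]
default_realm = FOO.BAR
dns_lookup_kdc = true
[realms]
FOO.BAR = {
kdc = 10.221.1.98
kdc = 10.53.1.100
kdc = 10.45.1.100
kdc = 10.59.1.100
}
"""
CUSTOM_CONF = """[realms]
FOO.BAR = {
kdc = 10.45.1.100
}
"""

def parse_realm_kdcs(text: str) -> Dict[str, List[str]]:
    """Return {REALM: [kdc, ...]} from [realms]; handles krb5.conf's
    brace-delimited realm blocks, which are not plain INI."""
    realms: Dict[str, List[str]] = {}
    section = realm = None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, 1)[0].strip()   # drop comments
        if not line:
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):      # new section header
            section, realm = m.group(1).lower(), None
        elif section != "realms":
            continue
        elif realm is None and (m := re.fullmatch(r"([^\s=]+)\s*=\s*\{", line)):
            realm = m.group(1)                          # enter "REALM = {"
            realms.setdefault(realm, [])
        elif line == "}":
            realm = None                                # leave realm block
        elif realm and (m := re.fullmatch(r"kdc\s*=\s*(\S+)", line, re.I)):
            realms[realm].append(m.group(1))
    return realms

def single_kdc_realms(text: str, minimum: int = 2) -> List[str]:
    """Realms with fewer than `minimum` kdc entries (one DC = single point of failure)."""
    return sorted(r for r, k in parse_realm_kdcs(text).items() if len(k) < minimum)

if __name__ == "__main__":
    for name, conf in (("automatic", AUTO_CONF), ("custom", CUSTOM_CONF)):
        print(f"{name}: {parse_realm_kdcs(conf)} flagged={single_kdc_realms(conf)}")
```

Point it at /run/samba/smb_krb5/krb5.conf.$REALM after winbindd regenerates it to see whether the custom-config case collapsed the realm to a single kdc.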