[Samba] Massive DNS queries to _kerberos._tcp.dc._msdcs.DOMAIN, COM.

Rowland Penny rpenny at samba.org
Wed Jul 10 18:05:36 UTC 2024


On Wed, 10 Jul 2024 17:34:01 +0000
Eric Gurevitz via samba <samba at lists.samba.org> wrote:

> Hi All,
> 
> Our DNS admins are complaining about a massive number of DNS queries
> to:
> 
> SRV? _kerberos._tcp.dc._msdcs.DOMAIN,COM.

There is a possibility that you may have shot yourself in the foot.
Is 'DOMAIN.COM' your company's DNS domain?
Or is it actually something like 'AD.DOMAIN.COM'?

Whatever, your DNS admins shouldn't be seeing these; they should be
forwarding everything for the Active Directory DNS domain to a Samba DC.

> 
> This is happening on thousands of systems. I see that every time the
> query is done, winbind updates
> /var/run/samba/smb_krb5/krb5.conf.DOMAIN (Ubuntu location).

Just checked one of my DCs (not on Ubuntu) and it was last changed
on the 6th May.

> 
> I found adding "create krb5 conf = no" stops the DNS queries and the
> updates to the krb5.conf.DOMAIN file.
> 
> 
> 
> Are there any downsides to disabling the custom krb5 conf that
> winbind is creating and relying on the /etc/krb5.conf that our
> Kerberos admins install? Why is it updating every few seconds?
> 

Not if /etc/krb5.conf is created correctly, see the smb.conf manpage
for more details.

Rowland
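
Added example, not part of the original thread and not Samba project code: a pre-flight check for whether the system /etc/krb5.conf can locate a KDC for the smb.conf realm once "create krb5 conf = no" is set. The realm AD.EXAMPLE.COM, the sample file contents and the function names are constructed for illustration, and the "dns_lookup_kdc defaults to true" behaviour is an assumption based on MIT krb5.

```python
import re

FALSE = {"no", "false", "off", "0", "n", "f", "nil"}  # falsy spellings, both files

# Constructed sample input (not from the thread).
SAMPLE_SMB = """[global]
    realm = AD.EXAMPLE.COM
    create krb5 conf = no
"""
SAMPLE_KRB5 = """[libdefaults]
    default_realm = AD.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
"""

def parse_sections(text):
    """Flat parse of the INI-like layout both files share: {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            current["".join(key.lower().split())] = value.strip()
    return sections

def audit(smb_conf, krb5_conf):
    """Findings that apply once winbind no longer writes its own krb5.conf."""
    smb = parse_sections(smb_conf).get("global", {})
    lib = parse_sections(krb5_conf).get("libdefaults", {})
    if smb.get("createkrb5conf", "yes").lower() not in FALSE:
        return []  # default is yes: winbind still generates its own file
    realm = smb.get("realm", "").upper()
    if not realm:
        return ["smb.conf has no realm to compare against"]
    findings = []
    if lib.get("default_realm", "").upper() != realm:
        findings.append("default_realm does not match the smb.conf realm")
    # Assumption: dns_lookup_kdc defaults to true when unset (MIT krb5).
    dns_kdc = lib.get("dns_lookup_kdc", "true").lower() not in FALSE
    stanza = re.search(rf"^\s*{re.escape(realm)}\s*=\s*\{{([^}}]*)\}}", krb5_conf, re.M | re.I)
    static_kdc = bool(stanza and re.search(r"^\s*kdc\s*=", stanza.group(1), re.M))
    if not (dns_kdc or static_kdc):
        findings.append("no KDC source: dns_lookup_kdc is off and the realm has no kdc entry")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_SMB, SAMPLE_KRB5) or "system krb5.conf looks usable")
```

To check a live host, pass the text of the real smb.conf and /etc/krb5.conf to audit(); an empty list means no finding from these two checks only.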
