[Samba] Massive DNS queries to _kerberos._tcp.dc._msdcs.DOMAIN, COM.

Eric Gurevitz gurevitz at qti.qualcomm.com
Wed Jul 10 18:25:58 UTC 2024


Hi Rowland,

Domains are na.domain.com and eu, ap, etc. depending on server location. The queries are going to the DNS servers, not AD controllers.

The DCs are Windows and I'm working on the Linux domain members.

In any case, using krb5.conf from our Kerberos admins sounds like a good plan.

Eric

________________________________
From: samba <samba-bounces at lists.samba.org> on behalf of Rowland Penny via samba <samba at lists.samba.org>
Sent: Wednesday, July 10, 2024 9:05:36 PM
To: samba at lists.samba.org <samba at lists.samba.org>
Cc: Rowland Penny <rpenny at samba.org>
Subject: Re: [Samba] Massive DNS queries to _kerberos._tcp.dc._msdcs.DOMAIN, COM.

On Wed, 10 Jul 2024 17:34:01 +0000
Eric Gurevitz via samba <samba at lists.samba.org> wrote:

> Hi All,
>
> Our DNS admins are complaining about a massive number of DNS queries
> to :
>
> SRV? _kerberos._tcp.dc._msdcs.DOMAIN,COM.

There is a possibility that you may have shot yourself in the foot.
Is 'DOMAIN.COM' your company's DNS domain?
Or is it actually something like 'AD.DOMAIN.COM'?

Whatever, your dns admins shouldn't be seeing these, they should be
forwarding everything for the Active Directory dns domain to a Samba DC.

>
> This is happening on thousands of systems. I see that every time the
> query is done, winbind updates
> /var/run/samba/smb_krb5/krb5.conf.DOMAIN (Ubuntu location).

Just checked one of my DCs (not on Ubuntu) and it was last changed
on the 6th May.

>
> I found adding "create krb5 conf = no" stops the DNS queries and the
> updates to the krb5.conf.DOMAIN file.
>
>
>
> Are there any downsides to disabling the custom krb5 conf that
> winbind is creating and relying on the /etc/krb5.conf that our
> Kerberos admins install? Why is it updating every few seconds?
>

Not if /etc/krb5.conf is created correctly, see the smb.conf manpage
for more details.

Rowland
