problem accessing domain-based DFS with kerberos auth
Alexander Bokovoy
ab at samba.org
Fri Jan 13 12:28:45 UTC 2017
On Fri, 13 Jan 2017, Aurélien Aptel wrote:
> Thanks for looking at this Alexander.
>
> Alexander Bokovoy <ab at samba.org> writes:
> > I guess it then uses the DC hostname for further communications after it
> > got the closest site's DC data in CLDAP ping response.
>
> So if I understand correctly, this is different from the insecure
> mechanism that was discussed previously [1] and is not implemented yet
> by smbclient?
>
> 1: https://lists.samba.org/archive/linux-cifs-client/2008-August/003357.html
Not entirely sure it is related.
DNS-based domain controller discovery sequence in MS-ADTS 6.3.6.1 says:
The DNS query returns a list of SRV records that match this query.
The target field of the SRV record contains the FQDN (2) of the
server.
Upon receiving the DNS query results, the client machine retrieves
the IP addresses corresponding to each server (via DNS A/AAAA
queries) and sends an LDAP ping to the retrieved addresses in
weighted random order [RFC2782]. If a server has multiple IP
addresses, the client pings all of them before pinging the next
server in the weighted random order. The client attempts the
intended protocol request to the first server address that responds
to the ping.
I think the Windows client just follows the latter part, "The client
attempts the intended protocol request to the first server address that
responds to the ping". E.g., authentication is then performed against the
discovered DC name.
--
/ Alexander Bokovoy
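The MS-ADTS 6.3.6.1 sequence quoted above, as an added example that is not part of this thread or of Samba's code: RFC 2782 weighted-random ordering of the SRV records, then the per-address LDAP-ping loop that picks the DC the client goes on to talk to. The SRV records, addresses, resolver and ping function are constructed stand-ins, so nothing touches the network.

```python
import random
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    target: str  # DC FQDN from the SRV record's target field

def rfc2782_order(records: List[SrvRecord], rng=None) -> List[SrvRecord]:
    """Order by priority, then weighted-random within a priority (RFC 2782 algorithm)."""
    rng = rng or random
    ordered: List[SrvRecord] = []
    for prio in sorted({r.priority for r in records}):
        # weight-0 records go first in the pool so they are selected only rarely
        pool = sorted((r for r in records if r.priority == prio), key=lambda r: r.weight != 0)
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for r in pool:  # first record whose running sum reaches the pick wins
                running += r.weight
                if running >= pick:
                    ordered.append(pool.pop(pool.index(r)))
                    break
    return ordered

def discover_dc(records: List[SrvRecord], resolve: Callable[[str], List[str]],
                ldap_ping: Callable[[str], bool], rng=None) -> Optional[Tuple[str, str]]:
    """MS-ADTS 6.3.6.1 client side: try every A/AAAA address of each server in
    RFC 2782 order; return (dc_fqdn, address) of the first LDAP-ping responder."""
    for rec in rfc2782_order(records, rng):
        for addr in resolve(rec.target):
            if ldap_ping(addr):
                return rec.target, addr  # further requests and auth go to this DC name
    return None

# Constructed sample: three DCs, one dead address, no real DNS or LDAP traffic.
SAMPLE_SRV = [SrvRecord(0, 100, "dc1.example.test"), SrvRecord(0, 100, "dc2.example.test"),
              SrvRecord(10, 0, "dc3.example.test")]  # dc3: less preferred site
SAMPLE_ADDRS = {"dc1.example.test": ["10.0.0.1", "fd00::1"],
                "dc2.example.test": ["10.0.0.2"], "dc3.example.test": ["10.0.1.3"]}
DOWN = {"10.0.0.1"}  # constructed: this address never answers the LDAP ping
def sample_resolve(fqdn: str) -> List[str]:  # stands in for the A/AAAA lookups
    return SAMPLE_ADDRS[fqdn]
def sample_ping(addr: str) -> bool:  # stands in for the CLDAP/LDAP ping
    return addr not in DOWN

if __name__ == "__main__":
    print(discover_dc(SAMPLE_SRV, sample_resolve, sample_ping, random.Random(1)))
```

Because dc1's first address is down, the client either lands on dc1's second address or on dc2, but never on the lower-priority dc3 while a priority-0 server answers.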
More information about the samba-technical mailing list