How does modern Samba handle krb5?
Jiří Šašek - Solaris Prague
jiri.sasek at oracle.com
Thu Sep 21 07:19:38 UTC 2023
Hi Experts,
While sniffing packets I found that "net ads join" and "winbindd"
handle krb5 in this strange way:
No. Time Source Destination Protocol Info
47 38.477244 10.163.87.117 10.163.87.58 KRB5 AS-REQ
48 38.478496 10.163.87.58 10.163.87.117 KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
49 38.479156 10.163.87.117 10.163.87.58 DNS Standard query 0x439f URI _kerberos.SMBSETUP.CZECH.SUN.COM
50 38.479597 10.163.87.58 10.163.87.117 DNS Standard query response 0x439f No such name URI _kerberos.SMBSETUP.CZECH.SUN.COM SOA win-lqmsb4eue0v.smbsetup.czech.sun.com
51 38.479833 10.163.87.117 10.163.87.58 DNS Standard query 0x0e56 SRV _kerberos-master._udp.SMBSETUP.CZECH.SUN.COM
52 38.480165 10.163.87.58 10.163.87.117 DNS Standard query response 0x0e56 No such name SRV _kerberos-master._udp.SMBSETUP.CZECH.SUN.COM SOA win-lqmsb4eue0v.smbsetup.czech.sun.com
53 38.480366 10.163.87.117 10.163.87.58 DNS Standard query 0x50be SRV _kerberos-master._tcp.SMBSETUP.CZECH.SUN.COM
54 38.480658 10.163.87.58 10.163.87.117 DNS Standard query response 0x50be No such name SRV _kerberos-master._tcp.SMBSETUP.CZECH.SUN.COM SOA win-lqmsb4eue0v.smbsetup.czech.sun.com
...where Add-DnsServerResourceRecord does not support the URI RR type, and
_kerberos-master is also not commonly supported on DCs. Can Samba still
work with a Windows-based DC?
Older Samba releases were able to respond to err: preauth.required with
preauthentication, so I am curious why modern Samba falls into
such madness in this case. Is there an option to rail even modern
Samba back?
Note: on Solaris I am pushed to use the MIT krb5 API, as my attempts to
build Samba with Heimdal, to check whether it would work, break on
conflicts with system headers.
Many thanks,
Jiri
More information about the samba-technical
mailing list
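
Added example, not part of the original message and not Samba or krb5 code: a small Python helper that reads the packet summaries from the capture in the post and reports which Kerberos locator DNS records the client asked for after the KRB error, and which of them the DNS server answered with "No such name". The function names are hypothetical, and the row layout is assumed to be the Wireshark-style summary format shown in the post.

```python
import re

# Packet summaries copied from the capture in the post, one packet per line.
CAPTURE = """\
47 38.477244 10.163.87.117 10.163.87.58 KRB5 AS-REQ
48 38.478496 10.163.87.58 10.163.87.117 KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
49 38.479156 10.163.87.117 10.163.87.58 DNS Standard query 0x439f URI _kerberos.SMBSETUP.CZECH.SUN.COM
50 38.479597 10.163.87.58 10.163.87.117 DNS Standard query response 0x439f No such name URI _kerberos.SMBSETUP.CZECH.SUN.COM SOA win-lqmsb4eue0v.smbsetup.czech.sun.com
51 38.479833 10.163.87.117 10.163.87.58 DNS Standard query 0x0e56 SRV _kerberos-master._udp.SMBSETUP.CZECH.SUN.COM
52 38.480165 10.163.87.58 10.163.87.117 DNS Standard query response 0x0e56 No such name SRV _kerberos-master._udp.SMBSETUP.CZECH.SUN.COM SOA win-lqmsb4eue0v.smbsetup.czech.sun.com
53 38.480366 10.163.87.117 10.163.87.58 DNS Standard query 0x50be SRV _kerberos-master._tcp.SMBSETUP.CZECH.SUN.COM
54 38.480658 10.163.87.58 10.163.87.117 DNS Standard query response 0x50be No such name SRV _kerberos-master._tcp.SMBSETUP.CZECH.SUN.COM SOA win-lqmsb4eue0v.smbsetup.czech.sun.com
"""

ROW = re.compile(r"^(\d+)\s+[\d.]+\s+\S+\s+\S+\s+(\S+)\s+(.*)$")
DNS = re.compile(r"^Standard query (response )?(0x[0-9a-f]+) (No such name )?(\S+) (\S+)")


def summarize(text):
    """Return (kerberos_errors, lookups); lookups maps DNS txid -> type/name/result."""
    errors, lookups = [], {}
    for line in text.splitlines():
        row = ROW.match(line.strip())
        if not row:
            continue  # header or unrelated line
        number, proto, info = int(row.group(1)), row.group(2), row.group(3)
        if proto == "KRB5" and info.startswith("KRB Error:"):
            errors.append((number, info.split(":", 1)[1].strip()))
            continue
        dns = DNS.match(info) if proto == "DNS" else None
        if not dns or not dns.group(5).startswith("_kerberos"):
            continue  # keep only the Kerberos locator names
        is_reply, txid, nxdomain, rrtype, name = dns.groups()
        entry = lookups.setdefault(txid, {"type": rrtype, "name": name, "result": "no reply seen"})
        if is_reply:
            entry["result"] = "NXDOMAIN" if nxdomain else "answered"
    return errors, lookups


def missing_records(text):
    """(type, name) pairs that the DNS server reported as nonexistent."""
    _, lookups = summarize(text)
    return [(e["type"], e["name"]) for e in lookups.values() if e["result"] == "NXDOMAIN"]


if __name__ == "__main__":
    errs, found = summarize(CAPTURE)
    print("Kerberos errors:", errs)
    for txid, e in found.items():
        print(txid, e["type"], e["name"], "->", e["result"])
```
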