How modern Samba handle krb5?
Alexander Bokovoy
ab at samba.org
Thu Sep 21 08:53:21 UTC 2023
On Чцв, 21 вер 2023, Jiří Šašek - Solaris Prague via samba-technical wrote:
> Hi Experts,
> While sniffing packets I have found "net ads join" and "winbindd" handles
> krb5 by such strange way:
>
> No. Time Source Destination Protocol Info
> 47 38.477244 10.163.87.117 10.163.87.58 KRB5 AS-REQ
> 48 38.478496 10.163.87.58 10.163.87.117 KRB5 KRB Error:
> KRB5KDC_ERR_PREAUTH_REQUIRED
> 49 38.479156 10.163.87.117 10.163.87.58 DNS Standard query 0x439f URI
> _kerberos.SMBSETUP.CZECH.SUN.COM
> 50 38.479597 10.163.87.58 10.163.87.117 DNS Standard query response 0x439f
> No such name URI _kerberos.SMBSETUP.CZECH.SUN.COM SOA
> win-lqmsb4eue0v.smbsetup.czech.sun.com
> 51 38.479833 10.163.87.117 10.163.87.58 DNS Standard query 0x0e56 SRV
> _kerberos-master._udp.SMBSETUP.CZECH.SUN.COM
> 52 38.480165 10.163.87.58 10.163.87.117 DNS Standard query response 0x0e56
> No such name SRV _kerberos-master._udp.SMBSETUP.CZECH.SUN.COM SOA
> win-lqmsb4eue0v.smbsetup.czech.sun.com
> 53 38.480366 10.163.87.117 10.163.87.58 DNS Standard query 0x50be SRV
> _kerberos-master._tcp.SMBSETUP.CZECH.SUN.COM
> 54 38.480658 10.163.87.58 10.163.87.117 DNS Standard query response 0x50be
> No such name SRV _kerberos-master._tcp.SMBSETUP.CZECH.SUN.COM SOA
> win-lqmsb4eue0v.smbsetup.czech.sun.com
>
> ...where Add-DnsServerResourceRecord do not support URI RR-type and also the
> _kerberos-master is not commonly supported in DC. Can Samba still work with
> Windows/based DC?
>
> Older Samba releases were able to respond on err: preauth.required by
> preauthentication so I am curious why the modern Samba will fall into such
> madness in such case. Is there an option to rail even the modern Samba back?
>
> Note: on Solaris I am pushed to use MIT krb5 API where my attempts to build
> Samba with Heimdal to check if it will not work breaks on conflicts with
> system headers.
URI-based discovery is part of MIT Kerberos handling of realm and KDC
discovery. Added in MIT Kerberos 1.15 or so, in 2016, to implement what
was later transformed into https://datatracker.ietf.org/doc/html/draft-ietf-kitten-krb-service-discovery
It has nothing to do with Samba and in general Active
Directory implementations do not support URI-based discovery, though
they probably should, for MS-KKDCP implementations be better
discoverable.
We use it actively in FreeIPA.
--
/ Alexander Bokovoy
More information about the samba-technical
mailing list