How modern Samba handle krb5?

Alexander Bokovoy ab at samba.org
Thu Sep 21 08:53:21 UTC 2023


On Thu, 21 Sep 2023, Jiří Šašek - Solaris Prague via samba-technical wrote:
> Hi Experts,
> While sniffing packets I have found that "net ads join" and "winbindd" handle
> krb5 in such a strange way:
> 
> No.	Time	Source	Destination	Protocol	Info
> 47	38.477244	10.163.87.117	10.163.87.58	KRB5	AS-REQ
> 48	38.478496	10.163.87.58	10.163.87.117	KRB5	KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> 49	38.479156	10.163.87.117	10.163.87.58	DNS	Standard query 0x439f URI _kerberos.SMBSETUP.CZECH.SUN.COM
> 50	38.479597	10.163.87.58	10.163.87.117	DNS	Standard query response 0x439f No such name URI _kerberos.SMBSETUP.CZECH.SUN.COM SOA win-lqmsb4eue0v.smbsetup.czech.sun.com
> 51	38.479833	10.163.87.117	10.163.87.58	DNS	Standard query 0x0e56 SRV _kerberos-master._udp.SMBSETUP.CZECH.SUN.COM
> 52	38.480165	10.163.87.58	10.163.87.117	DNS	Standard query response 0x0e56 No such name SRV _kerberos-master._udp.SMBSETUP.CZECH.SUN.COM SOA win-lqmsb4eue0v.smbsetup.czech.sun.com
> 53	38.480366	10.163.87.117	10.163.87.58	DNS	Standard query 0x50be SRV _kerberos-master._tcp.SMBSETUP.CZECH.SUN.COM
> 54	38.480658	10.163.87.58	10.163.87.117	DNS	Standard query response 0x50be No such name SRV _kerberos-master._tcp.SMBSETUP.CZECH.SUN.COM SOA win-lqmsb4eue0v.smbsetup.czech.sun.com
> 
> ...where Add-DnsServerResourceRecord does not support the URI RR-type, and
> _kerberos-master is also not commonly supported on a DC. Can Samba still work
> with a Windows-based DC?
> 
> Older Samba releases were able to respond to the "preauth required" error
> with preauthentication, so I am curious why modern Samba falls into such
> madness in this case. Is there an option to rail even modern Samba back?
> 
> Note: on Solaris I am pushed to use the MIT krb5 API; my attempts to build
> Samba with Heimdal, to check whether it would work, break on conflicts with
> system headers.

URI-based discovery is part of MIT Kerberos' handling of realm and KDC
discovery. It was added in MIT Kerberos 1.15 or so, in 2016, to implement what
was later transformed into https://datatracker.ietf.org/doc/html/draft-ietf-kitten-krb-service-discovery

It has nothing to do with Samba, and in general Active Directory
implementations do not support URI-based discovery, though they probably
should, so that MS-KKDCP implementations would be better discoverable.

We use it actively in FreeIPA.


-- 
/ Alexander Bokovoy
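As an added illustration (not code from the thread, from Samba, or from MIT krb5), the following Python models the lookup order behind frames 49-54: MIT krb5 asks for a URI record at _kerberos.REALM first and only then for _kerberos-master SRV records, so a zone that publishes neither, like the Windows DC in the capture, yields exactly the three "No such name" answers seen there. The zone contents and the EXAMPLE.TEST realm are constructed; the krb5srv target syntax follows the draft linked above.

```python
"""Model of MIT krb5's DNS-based KDC discovery order (added example, not Samba
or MIT code): URI records first, then SRV records.  A DC that publishes neither
answers "No such name" three times, as in the capture.  Zone data is constructed."""
import re
from typing import Dict, List, Tuple

# Constructed zone, "RRTYPE name" -> [(priority, weight, target)], mirroring the
# Windows DC in the thread: plain _kerberos SRV only, no URI, no _kerberos-master.
AD_ZONE: Dict[str, List[Tuple[int, int, str]]] = {
    "SRV _kerberos._udp.SMBSETUP.CZECH.SUN.COM":
        [(0, 100, "win-lqmsb4eue0v.smbsetup.czech.sun.com:88")],
    "SRV _kerberos._tcp.SMBSETUP.CZECH.SUN.COM":
        [(0, 100, "win-lqmsb4eue0v.smbsetup.czech.sun.com:88")],
}
# Constructed zone for a realm that publishes URI records (FreeIPA-style).
URI_ZONE: Dict[str, List[Tuple[int, int, str]]] = {
    "URI _kerberos.EXAMPLE.TEST": [
        (10, 1, "krb5srv:m:tcp:kdc1.example.test"),
        (20, 1, "krb5srv::udp:kdc2.example.test:88"),
        (30, 1, "krb5srv:m:kkdcp:https://proxy.example.test/KdcProxy"),
    ],
}
# Target syntax from draft-ietf-kitten-krb-service-discovery:
# krb5srv:[flags]:[transport]:[residual]; flag 'm' marks a master (primary) KDC.
URI_RE = re.compile(r"^krb5srv:([A-Za-z]*):(udp|tcp|kkdcp):(.+)$")


def discover_kdcs(realm: str, master: bool, zone: dict, queries: list):
    """Return [(transport, target)] in priority order and append every DNS
    question asked to `queries`, so the sequence can be compared with a
    capture such as frames 49-54 above."""
    found = []
    q = f"URI _kerberos.{realm}"
    queries.append(q)
    for _prio, _weight, target in sorted(zone.get(q, [])):
        m = URI_RE.match(target)
        if not m:
            continue  # malformed krb5srv target: ignored rather than trusted
        flags, transport, residual = m.groups()
        if master and "m" not in flags:
            continue  # a master lookup only accepts 'm'-flagged entries
        found.append((transport, residual))
    if found:
        return found  # URI answers win; SRV records are not consulted
    svc = "_kerberos-master" if master else "_kerberos"
    for transport in ("udp", "tcp"):
        q = f"SRV {svc}._{transport}.{realm}"
        queries.append(q)
        for _prio, _weight, target in sorted(zone.get(q, [])):
            found.append((transport, target))
    return found
```

Running it against AD_ZONE with master=True reproduces the three failed questions from the capture and returns no KDC at all, while master=False finds the DC through the ordinary _kerberos SRV records.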
