[External] : Re: How modern Samba handle krb5?

Andreas Schneider asn at samba.org
Thu Sep 21 13:53:46 UTC 2023


On Thursday, 21 September 2023 10:57:51 CEST Jiří Šašek - Solaris Prague via 
samba-technical wrote:
> Many thanks for railing me back, Jiri

man krb5.conf -> dns_uri_lookup

It can be set to false ... ;-)


	Andreas

> On 9/21/23 10:53, Alexander Bokovoy wrote:
> > On Thu, 21 Sep 2023, Jiří Šašek - Solaris Prague via samba-technical wrote:
> >> Hi Experts,
> >> While sniffing packets I have found "net ads join" and "winbindd" handle
> >> krb5 in such a strange way:
> >> 
> >> No.	Time	Source	Destination	Protocol	Info
> >> 47	38.477244	10.163.87.117	10.163.87.58	KRB5	AS-REQ
> >> 48	38.478496	10.163.87.58	10.163.87.117	KRB5	KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
> >> 49	38.479156	10.163.87.117	10.163.87.58	DNS	Standard query 0x439f URI _kerberos.SMBSETUP.CZECH.SUN.COM
> >> 50	38.479597	10.163.87.58	10.163.87.117	DNS	Standard query response 0x439f No such name URI _kerberos.SMBSETUP.CZECH.SUN.COM SOA win-lqmsb4eue0v.smbsetup.czech.sun.com
> >> 51	38.479833	10.163.87.117	10.163.87.58	DNS	Standard query 0x0e56 SRV _kerberos-master._udp.SMBSETUP.CZECH.SUN.COM
> >> 52	38.480165	10.163.87.58	10.163.87.117	DNS	Standard query response 0x0e56 No such name SRV _kerberos-master._udp.SMBSETUP.CZECH.SUN.COM SOA win-lqmsb4eue0v.smbsetup.czech.sun.com
> >> 53	38.480366	10.163.87.117	10.163.87.58	DNS	Standard query 0x50be SRV _kerberos-master._tcp.SMBSETUP.CZECH.SUN.COM
> >> 54	38.480658	10.163.87.58	10.163.87.117	DNS	Standard query response 0x50be No such name SRV _kerberos-master._tcp.SMBSETUP.CZECH.SUN.COM SOA win-lqmsb4eue0v.smbsetup.czech.sun.com
> >> 
> >> ...where Add-DnsServerResourceRecord does not support URI RR-type and also
> >> the _kerberos-master is not commonly supported in DC. Can Samba still
> >> work with Windows-based DC?
> >> 
> >> Older Samba releases were able to respond on err: preauth.required by
> >> preauthentication so I am curious why the modern Samba will fall into
> >> such madness in such case. Is there an option to rail even the modern
> >> Samba back?
> >> 
> >> Note: on Solaris I am pushed to use MIT krb5 API where my attempts to
> >> build Samba with Heimdal to check if it will not work breaks on
> >> conflicts with system headers.
> > 
> > URI-based discovery is part of MIT Kerberos handling of realm and KDC
> > discovery. Added in MIT Kerberos 1.15 or so, in 2016, to implement what
> > was later transformed into
> > https://datatracker.ietf.org/doc/html/draft-ietf-kitten-krb-service-discovery
> > 
> > It has nothing to do with Samba and in general Active
> > Directory implementations do not support URI-based discovery, though
> > they probably should, for MS-KKDCP implementations to be better
> > discoverable.
> > 
> > We use it actively in FreeIPA.
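
As an added illustration (not code from this thread, Samba or MIT Kerberos), the Python sketch below models which KDC-discovery DNS queries a client would send for a given krb5.conf, following the query order visible in the capture above. The function names, the constructed sample configurations and the simplified lookup model are assumptions; pinning the KDC under [realms] goes beyond the dns_uri_lookup option named in the reply.

```python
import re

TRUE = {"true", "yes", "y", "on", "t", "1"}

def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: [values] | {subkey: [values]}}}."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
        elif line == "}":
            stack.pop()
        elif stack:
            key, _, val = (part.strip() for part in line.partition("="))
            if val == "{":          # start of a per-realm subsection
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(val)
    return conf

def dns_lookups(conf, realm, primary=False):
    """DNS queries expected when locating the realm's KDC (or primary KDC).

    Assumed model: servers listed under [realms] are used as-is; otherwise,
    if dns_lookup_kdc is on, a URI query (when dns_uri_lookup is on) is
    followed by SRV queries over UDP and TCP. Both options default to true.
    """
    lib = conf.get("libdefaults", {})
    rlm = conf.get("realms", {}).get(realm, {})
    enabled = lambda opt: lib.get(opt, ["true"])[0].lower() in TRUE
    pinned = ("primary_kdc", "master_kdc") if primary else ("kdc",)
    if any(k in rlm for k in pinned) or not enabled("dns_lookup_kdc"):
        return []
    svc = "_kerberos-master" if primary else "_kerberos"
    uri = [("URI", f"_kerberos.{realm}")] if enabled("dns_uri_lookup") else []
    return uri + [("SRV", f"{svc}._udp.{realm}"), ("SRV", f"{svc}._tcp.{realm}")]

# Constructed sample configurations; realm and DC name are taken from the capture.
REALM = "SMBSETUP.CZECH.SUN.COM"
NO_URI = "[libdefaults]\n  dns_uri_lookup = false\n"
PINNED = ("[realms]\n  SMBSETUP.CZECH.SUN.COM = {\n"
          "    kdc = win-lqmsb4eue0v.smbsetup.czech.sun.com\n"
          "    master_kdc = win-lqmsb4eue0v.smbsetup.czech.sun.com\n  }\n")

if __name__ == "__main__":
    for name, text in (("default", ""), ("no URI", NO_URI), ("pinned", PINNED)):
        print(name, dns_lookups(parse_krb5_conf(text), REALM, primary=True))
```

Under this model, setting dns_uri_lookup = false removes only the URI query (packets 49 and 50 in the capture); the _kerberos-master SRV queries remain unless the KDC is listed in krb5.conf or dns_lookup_kdc is turned off.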





