Re: How modern Samba handles krb5?

Jiří Šašek - Solaris Prague jiri.sasek at oracle.com
Thu Sep 21 14:55:31 UTC 2023



On 9/21/23 15:53, Andreas Schneider wrote:
> On Thursday, 21 September 2023 10:57:51 CEST Jiří Šašek - Solaris Prague via
> samba-technical wrote:
>> Many thanks for railing me back, Jiri
> 
> man krb5.conf -> dns_uri_lookup
many thanks for pointing me there

> 
> It can be set to false ... ;-)
it is set to false in (system) /etc/krb5/krb5.conf

but Samba creates its own /var/samba/lock/smb_krb5/krb5.conf.SMBSETUP :

[libdefaults]
         default_realm = SMBSETUP.CZECH.SUN.COM
         default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC
         default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC
         preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC
         dns_lookup_realm = false
         dns_lookup_kdc = true

[realms]
         SMBSETUP.CZECH.SUN.COM = {
                 kdc = 10.163.87.58
         }
         SMBSETUP = {
                 kdc = 10.163.87.58
         }

is it possible to avoid it?

Thanks,
Jiri

> 	Andreas
> 
>> On 9/21/23 10:53, Alexander Bokovoy wrote:
>>> On Thu, 21 Sep 2023, Jiří Šašek - Solaris Prague via samba-technical wrote:
>>>> Hi Experts,
>>>> While sniffing packets I have found that "net ads join" and "winbindd" handle
>>>> krb5 in such a strange way:
>>>>
>>>> No.  Time       Source         Destination    Protocol  Info
>>>> 47   38.477244  10.163.87.117  10.163.87.58   KRB5      AS-REQ
>>>> 48   38.478496  10.163.87.58   10.163.87.117  KRB5      KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
>>>> 49   38.479156  10.163.87.117  10.163.87.58   DNS       Standard query 0x439f URI _kerberos.SMBSETUP.CZECH.SUN.COM
>>>> 50   38.479597  10.163.87.58   10.163.87.117  DNS       Standard query response 0x439f No such name URI _kerberos.SMBSETUP.CZECH.SUN.COM SOA win-lqmsb4eue0v.smbsetup.czech.sun.com
>>>> 51   38.479833  10.163.87.117  10.163.87.58   DNS       Standard query 0x0e56 SRV _kerberos-master._udp.SMBSETUP.CZECH.SUN.COM
>>>> 52   38.480165  10.163.87.58   10.163.87.117  DNS       Standard query response 0x0e56 No such name SRV _kerberos-master._udp.SMBSETUP.CZECH.SUN.COM SOA win-lqmsb4eue0v.smbsetup.czech.sun.com
>>>> 53   38.480366  10.163.87.117  10.163.87.58   DNS       Standard query 0x50be SRV _kerberos-master._tcp.SMBSETUP.CZECH.SUN.COM
>>>> 54   38.480658  10.163.87.58   10.163.87.117  DNS       Standard query response 0x50be No such name SRV _kerberos-master._tcp.SMBSETUP.CZECH.SUN.COM SOA win-lqmsb4eue0v.smbsetup.czech.sun.com
>>>>
>>>> ...where Add-DnsServerResourceRecord does not support the URI RR-type and also
>>>> the _kerberos-master is not commonly supported on a DC. Can Samba still
>>>> work with a Windows-based DC?
>>>>
>>>> Older Samba releases were able to respond to the err: preauth.required with
>>>> preauthentication, so I am curious why the modern Samba falls into such
>>>> madness in this case. Is there an option to rail even the modern Samba
>>>> back?
>>>>
>>>> Note: on Solaris I am pushed to use the MIT krb5 API, where my attempts to
>>>> build Samba with Heimdal (to check whether it will not work) break on
>>>> conflicts with system headers.
>>>
>>> URI-based discovery is part of MIT Kerberos handling of realm and KDC
>>> discovery. Added in MIT Kerberos 1.15 or so, in 2016, to implement what
>>> was later transformed into
>>> https://datatracker.ietf.org/doc/html/draft-ietf-kitten-krb-service-discovery
>>>
>>> It has nothing to do with Samba, and in general Active
>>> Directory implementations do not support URI-based discovery, though
>>> they probably should, so that MS-KKDCP implementations would be better
>>> discoverable.
>>>
>>> We use it actively in FreeIPA.
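Added example, not code from the thread, from Samba or from MIT krb5: a small Python model of the KDC lookup order documented in krb5.conf(5), run against the generated krb5.conf.SMBSETUP quoted above and against a constructed variant that pins master_kdc and turns the DNS knobs off. It assumes only the documented precedence (a profile entry for the role wins; DNS is consulted only while dns_lookup_kdc is true; a URI query comes before the SRV queries while dns_uri_lookup is true) and does not model every branch of MIT's locate code.

```python
"""Model of MIT krb5 KDC discovery, applied to Samba's generated krb5.conf.

Added example, not code from the thread, Samba or MIT krb5. It encodes the
documented precedence from krb5.conf(5): profile entries (kdc / master_kdc)
win; DNS is used only when a role has no profile entry AND dns_lookup_kdc is
true; a URI query (dns_uri_lookup, default true) precedes the SRV queries.
Assumption: this captures the lookup order, not every branch of MIT's code.
"""
import re

REALM = "SMBSETUP.CZECH.SUN.COM"

# Copied from the thread: the file Samba writes to
# /var/samba/lock/smb_krb5/krb5.conf.SMBSETUP (enctype lines rejoined).
SAMBA_GENERATED = """
[libdefaults]
        default_realm = SMBSETUP.CZECH.SUN.COM
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC
        preferred_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 RC4-HMAC
        dns_lookup_realm = false
        dns_lookup_kdc = true

[realms]
        SMBSETUP.CZECH.SUN.COM = {
                kdc = 10.163.87.58
        }
        SMBSETUP = {
                kdc = 10.163.87.58
        }
"""

# Constructed variant that keeps every lookup off DNS: the master KDC is
# pinned in the profile and both DNS knobs are off.
PINNED = """
[libdefaults]
        default_realm = SMBSETUP.CZECH.SUN.COM
        dns_lookup_realm = false
        dns_lookup_kdc = false
        dns_uri_lookup = false

[realms]
        SMBSETUP.CZECH.SUN.COM = {
                kdc = 10.163.87.58
                master_kdc = 10.163.87.58
        }
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf subset used above: [section] headers,
    key = value lines, and NAME = { ... } blocks (realm stanzas)."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section, block = header.group(1), None
            conf.setdefault(section, {})
            continue
        if section is None:
            continue
        if line == "}":
            block = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            block = key
            conf[section][block] = {}
            continue
        target = conf[section][block] if block else conf[section]
        target.setdefault(key, []).append(value)   # keys may repeat
    return conf


def _bool_default(conf, name, default):
    """Read a boolean from [libdefaults], falling back to MIT's default."""
    values = conf.get("libdefaults", {}).get(name)
    return default if values is None else values[0].lower() in ("true", "yes", "1")


def expected_dns_queries(conf, realm, master=False):
    """DNS queries (type, name) the client would send to locate `realm`'s
    KDC, or its master KDC when `master` is set; [] means no DNS needed."""
    role = "master_kdc" if master else "kdc"
    if conf.get("realms", {}).get(realm, {}).get(role):
        return []                     # profile entry wins, no DNS
    if not _bool_default(conf, "dns_lookup_kdc", True):
        return []                     # DNS discovery disabled outright
    queries = []
    if _bool_default(conf, "dns_uri_lookup", True):
        queries.append(("URI", f"_kerberos.{realm}"))
    label = "_kerberos-master" if master else "_kerberos"
    queries.append(("SRV", f"{label}._udp.{realm}"))
    queries.append(("SRV", f"{label}._tcp.{realm}"))
    return queries


if __name__ == "__main__":
    for name, text in (("samba-generated", SAMBA_GENERATED), ("pinned", PINNED)):
        conf = parse_krb5_conf(text)
        for master in (False, True):
            queries = expected_dns_queries(conf, REALM, master)
            print(f"{name:16} {'master_kdc' if master else 'kdc':10} "
                  f"{queries or 'no DNS queries'}")
```

Run as a script it prints, for each file, what the kdc and master_kdc roles would need. For the generated file the kdc role needs no DNS (kdc = 10.163.87.58 is in the profile), while the master_kdc role yields exactly the URI, _kerberos-master._udp and _kerberos-master._tcp queries seen in the capture right after the first KDC reply; pinning master_kdc in the realm stanza, or setting dns_lookup_kdc = false, removes them, and dns_uri_lookup = false alone removes only the URI query. One point not stated in the thread but worth knowing: Samba writes this file because the smb.conf parameter "create krb5 conf" defaults to yes; with "create krb5 conf = no" Samba uses the system krb5.conf, where the settings above can be pinned once.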