From: Rob Townley on 15 Dec 2009 18:40

On Thu, Dec 10, 2009 at 9:21 AM, <aplist(a)netcourrier.com> wrote:
> Hi,
>
> I have raised this question on the kerberos mailing list, but have been told
> that Samba has its own behavior regarding SRV lookups.
>
> My configuration uses the following:
>
>     dns_lookup_realm = false
>     dns_lookup_kdc = false
>
>     [realms]
>     EXAMPLE.DOM = {
>         kdc = 10.0.0.1:88
>         kdc = 10.0.0.2:88
>         admin_server = 10.0.0.1:749
>         default_domain = example.dom
>     }
>
> but I still see the DNS lookups for SRV _kerberos-master_udp
> (same with kdc = adserver1.example.dom.:88).
>
> To be precise, the following happens (we don't have these records in the DNS
> system):
>
>     ASREQ ->
>     <- KRBERR PREAUTH
>     DNS SRV _kerberos-master ->
>     <- no such name
>     ASREQ ->
>     <- AS REP OK
>     DNS SRV _kerberos-master ->
>     <- no such name
>     TGSREQ ->
>     <- TGSREP
>     DNS SRV _kerberos-master ->
>     <- no such name
>
> That makes 3 DNS lookups per TGS.
>
> As I have explicitly configured:
> A) dns_lookups to false
> B) numerical IP addresses for the KDCs
> I would expect DNS lookups to be completely *non-existent*.
> Are my expectations correct, or is there something in the protocol that I
> missed that would need to enforce DNS lookups even if configured not to? Or
> maybe I have misconfigured krb5.conf? It seems that Samba would not look into
> this file. Can it be configured elsewhere?
> Same behaviour with numerical IP addresses for "password server".
>
> Why I am looking into this is because I use Kerberos for AD authentication,
> through winbind.
> Our configuration (typical for an AD infrastructure) is to have 2 DCs, which
> are KDCs as well as DNS servers.
> What happens when the primary DC is unavailable is that both the primary KDC
> and the primary DNS are down.
> Timeouts summing up, the result in a default RHEL5 configuration is to have
> "wbinfo -t" take 21 seconds to accomplish
> (3*5s DNS timeouts + 3*2s KDC timeouts).
> For the moment, the DNS timeout can be lowered to 1s but not less.
>
> Still, I don't understand why these DNS lookups are made at all with this
> configuration.
> Has anyone an explanation?
>
> using
> krb5-libs-1.6.1-36.el5
> samba-3.0.33-3.15.el5_4
> on RHEL 5.4
>
> Regards,
>
> Andrew
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

Interesting. Does the Samba-generated cached version of krb5.conf have DNS
records? This is an altogether different file than /etc/krb5.conf.

On my CentOS 5.4 box, Samba caches its krb5 config here:
/var/cache/samba/smb_krb5/krb5.conf.NETBIOSDOMAINNAME

In my experience, some of these Samba-generated cached entries can be
altogether different than /etc/krb5.conf!
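An added example, not code from the thread, that does the comparison Rob suggests: it pulls the dns_lookup_* keys and the kdc entries out of /etc/krb5.conf and out of Samba's generated copy and reports where the two disagree. The cache path is the one Rob names; NETBIOSDOMAINNAME is a placeholder for the real domain, and the sample files in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): compare the DNS-lookup settings and KDC
# list in /etc/krb5.conf with Samba's generated per-domain copy. The
# NETBIOSDOMAINNAME part of the cache path is a placeholder for the real domain.
# Usage: compare_krb5_confs /etc/krb5.conf /var/cache/samba/smb_krb5/krb5.conf.NETBIOSDOMAINNAME

# krb5_setting FILE KEY: print the (lowercased) value of KEY from a
# krb5.conf-style file, or "unset" when the key does not appear at all.
krb5_setting() {
    _val=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1)
    if [ -z "$_val" ]; then echo unset; else echo "$_val" | tr 'A-Z' 'a-z'; fi
}

# krb5_kdcs FILE: list the "kdc = ..." entries, one per line, in file order
# ("kdc_timeout = ..." and similar keys do not match because of the "=" check).
krb5_kdcs() {
    sed -n 's/^[[:space:]]*kdc[[:space:]]*=[[:space:]]*//p' "$1"
}

# check_dns_lookups FILE: succeed only when both dns_lookup_kdc and
# dns_lookup_realm are explicitly disabled. An absent key is reported as well,
# since only an explicit "false" rules DNS out of the KDC/realm lookup path.
check_dns_lookups() {
    for key in dns_lookup_kdc dns_lookup_realm; do
        v=$(krb5_setting "$1" "$key")
        case "$v" in
            false|no|0|off|nil) ;;
            *) echo "$1: $key=$v (DNS lookups not ruled out)"; return 1 ;;
        esac
    done
    return 0
}

# compare_krb5_confs SYSTEM_FILE SAMBA_FILE: report every dns_lookup_* setting
# or KDC list that differs between the two files; returns 1 if anything does.
compare_krb5_confs() {
    rc=0
    for key in dns_lookup_kdc dns_lookup_realm; do
        a=$(krb5_setting "$1" "$key"); b=$(krb5_setting "$2" "$key")
        [ "$a" = "$b" ] || { echo "$key differs: $1=$a $2=$b"; rc=1; }
    done
    if [ "$(krb5_kdcs "$1")" != "$(krb5_kdcs "$2")" ]; then
        echo "kdc entries differ between $1 and $2"; rc=1
    fi
    return $rc
}
```

A non-zero exit from compare_krb5_confs is the signal that winbind's Kerberos client is working from different settings than the ones in /etc/krb5.conf.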