aplist at netcourrier.com
2009-Dec-22 16:55 UTC
[Samba] Re :Re: dns lookups for SRV kerberos
> > On Thu, Dec 10, 2009 at 9:21 AM, <aplist at netcourrier.com> wrote:
> > Hi,
> >
> > I have raised this question on the kerberos mailing list, but have been
> > told that Samba has its own behavior regarding SRV lookups.
> >
> > My configuration uses the following:
> >
> >   dns_lookup_realm = false
> >   dns_lookup_kdc = false
> >
> > [realms]
> >   EXAMPLE.DOM = {
> >     kdc = 10.0.0.1:88
> >     kdc = 10.0.0.2:88
> >     admin_server = 10.0.0.1:749
> >     default_domain = example.dom
> >   }
> >
> > but I still see the DNS lookups for SRV _kerberos-master_udp
> > (same with kdc = adserver1.example.dom.:88)
> >
> > To be precise, the following happens (we don't have these records in the
> > DNS system):
> >
> > ASREQ ->
> >   <- KRBERR PREAUTH
> > DNS SRV _kerberos-master ->
> >   <- no such name
> > ASREQ ->
> >   <- AS REP OK
> > DNS SRV _kerberos-master ->
> >   <- no such name
> > TGSREQ ->
> >   <- TGSREP
> > DNS SRV _kerberos-master ->
> >   <- no such name
> >
> > that makes 3 DNS lookups per TGS.
> >
> > As I have explicitly configured:
> > A) dns_lookups to false
> > B) numerical IP addresses for the KDCs
> > I would expect DNS lookups to be completely *non-existent*.
> > Are my expectations correct, or is there something in the protocol that I
> > missed that would need to enforce DNS lookups even if configured not to? Or
> > maybe I have misconfigured krb5.conf? It seems that Samba would not look into
> > this file. Can it be configured elsewhere?
> > Same behaviour with numerical IP addresses for "password server".
> > Timeouts summing up, the result in a default RHEL5 configuration is to have
> > "wbinfo -t" take 21 seconds to accomplish.
> > (3*5s DNS timeouts + 3*2s KDC timeouts)
> > For the moment, DNS timeout can be lowered to 1s but not less.
> > using
> > krb5-libs-1.6.1-36.el5
> > samba-3.0.33-3.15.el5_4
> > on RHEL 5.4
> >
> > Regards,
> >
> > Andrew
>
> Interesting. Does the samba generated cached version of krb5.conf
> have dns records? This is an altogether different file than
> /etc/krb5.conf.
>
> On my CentOS 5.4 box, samba caches its krb5 config here:
> /var/cache/samba/smb_krb5/krb5.conf.NETBIOSDOMAINNAME
>
> In my experience, some of these samba generated cached entries can be
> altogether different than /etc/krb5.conf !

I didn't know about the cached version. Here it is:

[libdefaults]
 default_realm = EXAMPLE.DOM
 default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
 default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
 preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
[realms]
 EXAMPLE.DOM = {
  kdc = 10.0.0.2
  kdc = 10.0.0.1
  kdc = 10.0.0.1
 }

I couldn't understand the logic in it. So I played with krb5.conf and smb.conf a little.

It seems that this cached file, even when deleted, can be partly reconstructed from the /var/cache/samba/gencache.tdb file: with all references to 10.0.0.2 erased in all config files, this address was still coming up in krb5.conf.EXAMPLE.

With gencache and krb5.conf.EXAMPLE deleted, it seems that samba doesn't care about the /etc/krb5.conf file at all:
- kdc are taken from smb.conf only.
- dns_lookup options not taken into account.

Finally, with this line in smb.conf

password server = 10.0.0.2

the cached file krb5.conf.EXAMPLE "realms" paragraph became:

...
[realms]
 EXAMPLE.DOM = {
  kdc = 10.0.0.2
 }

But, putting back the short name dcserver1 (which is 10.0.0.1) in smb.conf, it then becomes:

[realms]
 EXAMPLE.DOM = {
  kdc = 10.0.0.2
  kdc = 10.0.0.1
  kdc = 10.0.0.1
 }

Back to start! So it kept the 10.0.0.2 from the former smb.conf, then added two entries for the DNS translation of dcserver1 (in smb.conf).

Does anyone know where to find precise information on:
- how the cached krb5.conf file is constructed?
- how to prevent these SRV lookups?

Andrew
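A small diagnostic for the situation described in this thread, added here as an example and not part of the original post or of Samba: it parses two krb5.conf-style files and reports what the thread cares about, namely whether the file that the library actually reads contains a dns_lookup_kdc line at all, and which kdc entries are literal IPs versus host names that still need resolving. The first sample is the cached file exactly as shown in the post; the second is a hand-written /etc/krb5.conf matching the original question (both embedded as constructed strings, so this runs offline). The point it makes visible is that the cached file carries no dns_lookup_kdc setting, so the library default (true for MIT krb5) applies to whatever it reads from that file, and that one KDC is listed twice. To run it against the real thing, read /var/cache/samba/smb_krb5/krb5.conf.<NETBIOSDOMAINNAME> from the path the reply mentions into the parser instead of the constructed sample.

```python
import ipaddress
import re

# Constructed sample: the Samba-generated cached file as shown in the post
# (no dns_lookup_* keys in [libdefaults], one kdc listed twice).
CACHED_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.DOM
 default_tgs_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
 default_tkt_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
 preferred_enctypes = RC4-HMAC DES-CBC-CRC DES-CBC-MD5
[realms]
 EXAMPLE.DOM = {
  kdc = 10.0.0.2
  kdc = 10.0.0.1
  kdc = 10.0.0.1
 }
"""

# Constructed sample: a hand-written /etc/krb5.conf in the shape of the
# original question (DNS lookups off, KDCs given as literal IPs with ports).
ETC_KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.DOM
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 EXAMPLE.DOM = {
  kdc = 10.0.0.1:88
  kdc = 10.0.0.2:88
  admin_server = 10.0.0.1:749
  default_domain = example.dom
 }
"""


def parse_krb5_conf(text):
    """Parse the krb5.conf profile format.

    Flat keys become  {section: {key: [values]}}; brace subsections such as
    realm blocks become {section: {name: {key: [values]}}}.  Values are kept
    as lists because the same key (e.g. kdc) may legitimately repeat.
    """
    conf = {}
    section = None
    sub = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[(\S+)\]$', line)
        if m and sub is None:
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        if line == '}':
            sub = None
            continue
        m = re.match(r'^([^=\s]+)\s*=\s*(.*)$', line)
        if not m or section is None:
            raise ValueError("unparsed line: %r" % raw)
        key, value = m.group(1), m.group(2).strip()
        if value == '{':
            sub = key
            conf[section].setdefault(sub, {})
            continue
        target = conf[section][sub] if sub is not None else conf[section]
        target.setdefault(key, []).append(value)
    return conf


def audit(conf, realm):
    """Summarise the DNS-relevant settings for one realm.

    dns_lookup_kdc is reported as the configured value, or as the MIT krb5
    library default ('true') when the file does not set it, which is the
    case for the cached file in the post.
    """
    libdefaults = conf.get('libdefaults', {})
    dns_kdc = libdefaults.get('dns_lookup_kdc', ['true'])[-1].lower()
    kdcs = conf.get('realms', {}).get(realm, {}).get('kdc', [])
    literal_ips, hostnames = [], []
    for entry in kdcs:
        # Strip a trailing :port so the address itself can be classified.
        host = entry.rsplit(':', 1)[0] if re.search(r':\d+$', entry) else entry
        try:
            ipaddress.ip_address(host)
            literal_ips.append(host)
        except ValueError:
            hostnames.append(host)   # still needs a DNS/hosts lookup
    return {
        'dns_lookup_kdc': dns_kdc,
        'kdc_count': len(kdcs),
        'duplicate_kdcs': sorted({k for k in kdcs if kdcs.count(k) > 1}),
        'literal_ip_kdcs': literal_ips,
        'hostname_kdcs': hostnames,
    }


if __name__ == '__main__':
    for label, text in (('cached', CACHED_KRB5_CONF), ('/etc', ETC_KRB5_CONF)):
        print(label, audit(parse_krb5_conf(text), 'EXAMPLE.DOM'))
```

The duplicate-kdc report reproduces what Andrew observed (10.0.0.1 appearing twice after the short name dcserver1 was resolved); the dns_lookup_kdc report shows the difference between the two files that the reply above is asking about.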