samba - Dec 2009 - dns lookups for SRV kerberos

Hi,


I have raised this question on the kerberos mailing list, but have been told
that Samba has it's own behavior regarding SRV lookups.

My configuration uses the following :
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.DOM = {
  kdc = 10.0.0.1:88
  kdc = 10.0.0.2:88
  admin_server = 10.0.0.1:749
  default_domain = example.dom
 }

but I still see the DNS lookups for SRV _kerberos-master_udp
( same with kdc = adserver1.example.dom.:88 )

To be precise, the following happens (We don't have these records in the DNS
system) :

ASREQ ->
 <- KRBERR PREAUTH
DNS SRV _kerberos-master ->
  <- no such name
ASREQ ->
 <- AS REP OK
DNS SRV _kerberos-master ->
  <- no such name
TGSREQ ->
 <- TGSREP
DNS SRV _kerberos-master ->
  <- no such name

that makes 3 DNS lookups per TGS.

As I have excplicitly configured :
A) dns_lookups to false
B) numerical IP addresses for the KDC's
I would expect dns lookups to be completely *non-existant*.
Are my expectations correct, or is there something in the protocol that I missed
, that would need to enforce dns lookups even if configured not to ? Or maybe I
have misconfigured krb5.conf ? It seems that Samba would not look into this
file.
Can it be configured elsewhere ?
Same behaviour with numerical ipp addresses for "password server"


Why I am looking into this is because I use kerberos for AD authentication,
through winbind.
Our configuration (typical for an AD infrastructure) is to have 2 DC's,
which
are KDC's as well as DNS servers.
What happens when the primary DC is unavailable is that both the primary KDC and
the primary DNS are down.
Timeouts summing up, the result in a default RHEL5 configuration is to have
"wbinto -t" take 21 seconds to accomplish.
(3*5s DNS timeouts + 3*2s KDC timeouts)
For the moment, DNS Timeout can be lowered to 1s but not less.

Still, I don't understand why these DNS lookups are made at all with this
configuration.
Has anyone an explanation ?

using 
krb5-libs-1.6.1-36.el5
samba-3.0.33-3.15.el5_4
on RHEL 5.4



Regards,

Andrew

On Thu, Dec 10, 2009 at 9:21 AM,  <aplist at netcourrier.com>
wrote:
> Hi,
>
>
> I have raised this question on the kerberos mailing list, but have been
told that Samba has it's own behavior regarding SRV lookups.
>
> My configuration uses the following :
> ?dns_lookup_realm = false
> ?dns_lookup_kdc = false
>
> [realms]
> ?EXAMPLE.DOM = {
> ?kdc = 10.0.0.1:88
> ?kdc = 10.0.0.2:88
> ?admin_server = 10.0.0.1:749
> ?default_domain = example.dom
> ?}
>
> but I still see the DNS lookups for SRV _kerberos-master_udp
> ( same with kdc = adserver1.example.dom.:88 )
>
> To be precise, the following happens (We don't have these records in
the DNS
> system) :
>
> ASREQ ->
> ?<- KRBERR PREAUTH
> DNS SRV _kerberos-master ->
> ?<- no such name
> ASREQ ->
> ?<- AS REP OK
> DNS SRV _kerberos-master ->
> ?<- no such name
> TGSREQ ->
> ?<- TGSREP
> DNS SRV _kerberos-master ->
> ?<- no such name
>
> that makes 3 DNS lookups per TGS.
>
> As I have excplicitly configured :
> A) dns_lookups to false
> B) numerical IP addresses for the KDC's
> I would expect dns lookups to be completely *non-existant*.
> Are my expectations correct, or is there something in the protocol that I
missed
> , that would need to enforce dns lookups even if configured not to ? Or
maybe I
> have misconfigured krb5.conf ? It seems that Samba would not look into this
file.
> Can it be configured elsewhere ?
> Same behaviour with numerical ipp addresses for "password server"
>
>
> Why I am looking into this is because I use kerberos for AD authentication,
> through winbind.
> Our configuration (typical for an AD infrastructure) is to have 2 DC's,
which
> are KDC's as well as DNS servers.
> What happens when the primary DC is unavailable is that both the primary
KDC and
> the primary DNS are down.
> Timeouts summing up, the result in a default RHEL5 configuration is to have
> "wbinto -t" take 21 seconds to accomplish.
> (3*5s DNS timeouts + 3*2s KDC timeouts)
> For the moment, DNS Timeout can be lowered to 1s but not less.
>
> Still, I don't understand why these DNS lookups are made at all with
this
> configuration.
> Has anyone an explanation ?
>
> using
> krb5-libs-1.6.1-36.el5
> samba-3.0.33-3.15.el5_4
> on RHEL 5.4
>
>
>
> Regards,
>
> Andrew
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: ?https://lists.samba.org/mailman/options/samba
>
Interesting.  Does the samba generated cached version of krb5.conf
have dns records?  This is an altogether different file than
/etc/krb5.conf.

On my CentOS 5.4 box, samba caches its krb5 config here:
/var/cache/samba/smb_krb5/krb5.conf.NETBIOSDOMAINNAME

In my experience, some of these samba generated cached entries can be
altogether different than /etc/krb5.conf !