On Thu, Dec 10, 2009 at 9:21 AM, <aplist at netcourrier.com> wrote:
> Hi,
>
>
> I have raised this question on the kerberos mailing list, but have been
> told that Samba has its own behavior regarding SRV lookups.
>
> My configuration uses the following :
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>
> [realms]
>   EXAMPLE.DOM = {
>     kdc = 10.0.0.1:88
>     kdc = 10.0.0.2:88
>     admin_server = 10.0.0.1:749
>     default_domain = example.dom
>   }
>
> but I still see the DNS lookups for SRV _kerberos-master_udp
> ( same with kdc = adserver1.example.dom.:88 )
>
> To be precise, the following happens (we don't have these records in
> the DNS system):
>
> ASREQ ->
>   <- KRBERR PREAUTH
> DNS SRV _kerberos-master ->
>   <- no such name
> ASREQ ->
>   <- AS REP OK
> DNS SRV _kerberos-master ->
>   <- no such name
> TGSREQ ->
>   <- TGSREP
> DNS SRV _kerberos-master ->
>   <- no such name
>
> that makes 3 DNS lookups per TGS.
>
> As I have explicitly configured:
> A) dns_lookups to false
> B) numerical IP addresses for the KDCs
> I would expect DNS lookups to be completely *non-existent*.
> Are my expectations correct, or is there something in the protocol that I
> missed, that would need to enforce DNS lookups even if configured not to? Or
> maybe I have misconfigured krb5.conf? It seems that Samba would not look into
> this file. Can it be configured elsewhere?
> Same behaviour with numerical IP addresses for "password server".
>
>
> Why I am looking into this is because I use kerberos for AD authentication,
> through winbind.
> Our configuration (typical for an AD infrastructure) is to have 2 DCs,
> which are KDCs as well as DNS servers.
> What happens when the primary DC is unavailable is that both the primary
> KDC and the primary DNS are down.
> Timeouts summing up, the result in a default RHEL5 configuration is to have
> "wbinfo -t" take 21 seconds to accomplish.
> (3*5s DNS timeouts + 3*2s KDC timeouts)
> For the moment, the DNS timeout can be lowered to 1s but not less.
>
> Still, I don't understand why these DNS lookups are made at all with
> this configuration.
> Has anyone an explanation?
>
> using
> krb5-libs-1.6.1-36.el5
> samba-3.0.33-3.15.el5_4
> on RHEL 5.4
>
>
>
> Regards,
>
> Andrew
>
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Interesting. Does the Samba-generated cached version of krb5.conf
have DNS records? This is an altogether different file than
/etc/krb5.conf.
On my CentOS 5.4 box, Samba caches its krb5 config here:
/var/cache/samba/smb_krb5/krb5.conf.NETBIOSDOMAINNAME
In my experience, some of these Samba-generated cached entries can be
altogether different from /etc/krb5.conf!
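The suggestion above, that Samba's cached krb5.conf and /etc/krb5.conf may disagree, is easy to check mechanically. The script below is an added example for this thread, not code from Samba or from either poster: it parses two krb5.conf-style texts, pulls out the settings Andrew relies on (dns_lookup_kdc, dns_lookup_realm, and whether every kdc entry for the realm is a literal IP rather than a hostname) and reports where the two files differ. The two embedded samples are constructed for illustration: the first mirrors the configuration quoted in the question, the second is a made-up cached file that simply omits the dns_lookup settings and names the KDCs by hostname; it is not a claim about what Samba actually writes to /var/cache/samba/smb_krb5/. Passing two file paths on the command line runs the same comparison on real files.

```python
import ipaddress
import re
import sys

# Constructed sample: the /etc/krb5.conf from the question.
SYSTEM_KRB5_CONF = """
[libdefaults]
 default_realm = EXAMPLE.DOM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.DOM = {
  kdc = 10.0.0.1:88
  kdc = 10.0.0.2:88
  admin_server = 10.0.0.1:749
  default_domain = example.dom
 }
"""

# Constructed sample of a hypothetical Samba cached krb5.conf (not Samba's real output):
# no dns_lookup_* keys at all, and KDCs given by hostname rather than IP.
CACHED_KRB5_CONF = """
[libdefaults]
 default_realm = EXAMPLE.DOM

[realms]
 EXAMPLE.DOM = {
  kdc = adserver1.example.dom
  kdc = adserver2.example.dom
 }
"""

KRB5_TRUE = ('y', 'yes', 'true', 't', '1', 'on')


def parse_krb5_conf(text):
    """Parse krb5.conf syntax into {section: {key: [values]}}.
    A 'key = {' block (e.g. a realm) becomes a nested dict in the value list."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.match(r'^\[(\S+)\]$', line)
        if m:                                  # new [section]
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue                           # key before any section: ignore
        if line == '}':                        # close a nested block
            if len(stack) > 1:
                stack.pop()
            continue
        m = re.match(r'^([^=\s]+)\s*=\s*(.*)$', line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == '{':                       # open a nested block
            child = {}
            stack[-1].setdefault(key, []).append(child)
            stack.append(child)
        else:
            stack[-1].setdefault(key, []).append(value)
    return sections


def kdc_host(entry):
    """Strip an optional :port from a kdc value; '[v6addr]:port' is handled too."""
    if entry.startswith('['):
        return entry[1:entry.index(']')]
    host, sep, port = entry.rpartition(':')
    return host if sep and port.isdigit() else entry


def is_literal_ip(host):
    """True when the KDC is given as an IP address (no DNS needed to reach it)."""
    try:
        ipaddress.ip_address(host.rstrip('.'))
        return True
    except ValueError:
        return False


def truthy(values):
    """Interpret a krb5 boolean; None when the key is absent (library default applies)."""
    if not values:
        return None
    return values[-1].lower() in KRB5_TRUE


def audit_realm(conf, realm):
    """Summarise the DNS-relevant settings for one realm."""
    libdefaults = conf.get('libdefaults', {})
    blocks = [b for b in conf.get('realms', {}).get(realm, []) if isinstance(b, dict)]
    hosts = [kdc_host(k) for b in blocks for k in b.get('kdc', [])]
    return {
        'dns_lookup_kdc': truthy(libdefaults.get('dns_lookup_kdc')),
        'dns_lookup_realm': truthy(libdefaults.get('dns_lookup_realm')),
        'kdcs': hosts,
        'kdcs_all_literal_ip': bool(hosts) and all(is_literal_ip(h) for h in hosts),
    }


def diff_configs(system_text, cached_text, realm):
    """Return {setting: (system_value, cached_value)} for every setting that differs."""
    a = audit_realm(parse_krb5_conf(system_text), realm)
    b = audit_realm(parse_krb5_conf(cached_text), realm)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == '__main__':
    if len(sys.argv) == 4:   # usage: script.py /etc/krb5.conf <cached krb5.conf> REALM
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            diffs = diff_configs(f.read(), g.read(), sys.argv[3])
    else:
        diffs = diff_configs(SYSTEM_KRB5_CONF, CACHED_KRB5_CONF, 'EXAMPLE.DOM')
    for key, (system_val, cached_val) in diffs.items():
        print(f'{key}: system={system_val!r} cached={cached_val!r}')
```

On the constructed samples all four settings come out different, which is exactly the situation the reply warns about: the file winbind's Kerberos library actually reads would neither disable SRV lookups nor name the KDCs by address, so the dns_lookup_* lines in /etc/krb5.conf would have no effect on that code path.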