04.12.2023 14:21, Michael Tokarev via samba:
> While playing with a large number of DCs in a domain, which does not fit
> in a UDP DNS packet, I found another interesting issue.
>
> winbindd generates a temporary krb5.conf for each realm it uses, and
> stores it in /run/samba/smb_krb5/krb5.conf.$REALM. Here's a typical
> such config in fully-automatic mode:
>
> [libdefaults]
>     default_realm = FOO.BAR
>     default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> [realms]
>     FOO.BAR = {
>         kdc = 10.221.1.98
>         kdc = 10.53.1.100
>         kdc = 10.45.1.100
>         kdc = 10.59.1.100
>     }
>
> These are addresses of 4 DCs winbindd found in _ldap._tcp.dc._msdcs.FOO.BAR
> SRV records.
>
> However, if I specify a custom /etc/samba/krb5.conf (why does it not
> use /etc/krb5.conf, btw?), the [realms] section of the still-generated
> temporary krb5.conf will have just *one* kdc entry. Custom krb5.conf:
>
> [realms]
>     FOO.BAR = {
>         kdc = dc-0.foo.bar
>         kdc = dc-1.foo.bar
>         kdc = dc-2.foo.bar
>         kdc = dc-3.foo.bar
>     }
>
> and temporary winbind-generated /run/samba/smb_krb5/krb5.conf.FOO.BAR:
>
> [realms]
>     FOO.BAR = {
>         kdc = 10.45.1.100
>     }
>
> There's just one kdc entry now instead of 4 entries specified in custom
> krb5.conf.
>
> Why? Isn't it much less reliable to have only one DC?
Okay, without any reply from the Samba community, I fixed this one by
creating a good krb5.conf file and stopping winbind from creating a private
one, by setting `create krb5 conf' to false (this setting wasn't easy
to find for me; I had to look in the sources to find it, despite it being
documented).
Thanks,
/mjt
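Added check, not part of the thread or of Samba: a small parser for the [realms] section of a krb5.conf-style file that counts kdc entries per realm and flags realms that list only one KDC, the fragile situation described above. It can be pointed at the generated file under /run/samba/smb_krb5/ or at the system krb5.conf after `create krb5 conf = no` is set in smb.conf. The two embedded sample configs are constructed from the thread's examples; the file path given on the command line is an assumption.

```python
"""Count KDC entries per realm in a krb5.conf and flag single-KDC realms.

Added example for the winbindd krb5.conf discussion (not Samba code).
Usage: python kdc_check.py [/run/samba/smb_krb5/krb5.conf.FOO.BAR]
With no argument it runs against the constructed samples below.
"""
import re
import sys
from typing import Dict, List

# Constructed sample: what winbindd generated with a custom krb5.conf present.
GENERATED_SINGLE_KDC = """\
[libdefaults]
    default_realm = FOO.BAR
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    FOO.BAR = {
        kdc = 10.45.1.100
    }
"""

# Constructed sample: the hand-written krb5.conf listing all four DCs.
CUSTOM_FOUR_KDC = """\
[realms]
    FOO.BAR = {
        kdc = dc-0.foo.bar   # comments after values are stripped
        kdc = dc-1.foo.bar
        kdc = dc-2.foo.bar
        kdc = dc-3.foo.bar
    }
"""


def parse_realm_kdcs(text: str) -> Dict[str, List[str]]:
    """Return {REALM: [kdc, ...]} parsed from the [realms] section.

    Understands the brace-delimited realm blocks used by MIT and Heimdal
    krb5.conf, skips '#'/';' comments and every other section, and keeps
    kdc values verbatim (hostnames or IP literals, optional :port).
    """
    realms: Dict[str, List[str]] = {}
    section = None   # name of the [section] we are currently inside
    current = None   # realm whose { ... } block we are currently inside
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, current = m.group(1).lower(), None
            continue
        if section != "realms":
            continue
        m = re.fullmatch(r"([^\s=]+)\s*=\s*\{", line)
        if m:
            current = m.group(1)
            realms.setdefault(current, [])
            continue
        if line == "}":
            current = None
            continue
        if current is not None:
            m = re.fullmatch(r"kdc\s*=\s*(\S+)", line)
            if m:
                realms[current].append(m.group(1))
    return realms


def single_kdc_realms(text: str, minimum: int = 2) -> List[str]:
    """Realms that list fewer than `minimum` KDCs (the unreliable case)."""
    return sorted(r for r, k in parse_realm_kdcs(text).items() if len(k) < minimum)


def report(text: str) -> int:
    """Print per-realm KDC counts; return 1 if any realm is below the minimum."""
    for realm, kdcs in parse_realm_kdcs(text).items():
        print(f"{realm}: {len(kdcs)} kdc entr{'y' if len(kdcs) == 1 else 'ies'}")
    weak = single_kdc_realms(text)
    if weak:
        print("WARNING: single-KDC realms:", ", ".join(weak))
        return 1
    return 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.exit(report(fh.read()))
    print("-- generated file --")
    report(GENERATED_SINGLE_KDC)
    print("-- custom krb5.conf --")
    sys.exit(report(CUSTOM_FOUR_KDC))
```

The exit status makes the check usable from a cron job or a configuration test: a non-zero status means a realm would fail over to nothing if its only listed KDC went away.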