04.12.2023 14:21, Michael Tokarev via samba:
> While playing with a large number of DCs in a domain, which does not fit
> in a UDP DNS packet, I found another interesting issue.
>
> winbindd generates a temporary krb5.conf for each realm it uses, and
> stores it in /run/samba/smb_krb5/krb5.conf.$REALM. Here's a typical
> such config in fully-automatic mode:
>
> [libdefaults]
>     default_realm = FOO.BAR
>     default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
>     dns_lookup_realm = false
>     dns_lookup_kdc = true
>
> [realms]
>     FOO.BAR = {
>         kdc = 10.221.1.98
>         kdc = 10.53.1.100
>         kdc = 10.45.1.100
>         kdc = 10.59.1.100
>     }
>
> These are addresses of 4 DCs winbindd found in _ldap._tcp.dc._msdcs.FOO.BAR
> SRV records.
>
> However, if I specify a custom /etc/samba/krb5.conf (why does it not
> use /etc/krb5.conf, btw?), the [realms] section of the still-generated
> temporary krb5.conf will have just *one* kdc entry. Custom krb5.conf:
>
> [realms]
>     FOO.BAR = {
>         kdc = dc-0.foo.bar
>         kdc = dc-1.foo.bar
>         kdc = dc-2.foo.bar
>         kdc = dc-3.foo.bar
>     }
>
> and temporary winbind-generated /run/samba/smb_krb5/krb5.conf.FOO.BAR:
>
> [realms]
>     FOO.BAR = {
>         kdc = 10.45.1.100
>     }
>
> There's just one kdc entry now instead of the 4 entries specified in the
> custom krb5.conf.
>
> Why? Isn't it much less reliable to have only one DC?

Okay, without any reply from the Samba community, I fixed this one by
creating a good krb5.conf file and stopping winbind from creating a private
one, by setting `create krb5 conf' to false (this setting wasn't easy to find
for me, I had to look in the sources to find it, despite it being documented).

Thanks,

/mjt
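To spot the loss of KDC redundancy described above before it bites, here is an added example (my own code, not Samba's) that parses the [realms] section of a krb5.conf-style file, counts the kdc entries per realm, and flags realms where the winbindd-generated copy lists fewer KDCs than the hand-written one. The two sample configs are constructed from the files quoted in the thread; the real paths are /etc/samba/krb5.conf and /run/samba/smb_krb5/krb5.conf.$REALM.

```python
import re

# Constructed samples mirroring the configs quoted in the thread.
CUSTOM_KRB5_CONF = """\
[realms]
    FOO.BAR = {
        kdc = dc-0.foo.bar
        kdc = dc-1.foo.bar
        kdc = dc-2.foo.bar
        kdc = dc-3.foo.bar
    }
"""
GENERATED_KRB5_CONF = """\
[realms]
    FOO.BAR = {
        kdc = 10.45.1.100
    }
"""

SECTION_RE = re.compile(r"^\[(\w+)\]$")          # "[realms]"
REALM_OPEN_RE = re.compile(r"^([^\s=]+)\s*=\s*\{$")  # "FOO.BAR = {"
KDC_RE = re.compile(r"^kdc\s*=\s*(\S+)")         # "kdc = host[:port]"


def realm_kdcs(text):
    """Return {REALM: [kdc, ...]} parsed from the [realms] section of text."""
    kdcs, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        if (m := SECTION_RE.match(line)):        # entering a new [section]
            section, realm = m.group(1), None
        elif section != "realms":                # only [realms] matters here
            continue
        elif (m := REALM_OPEN_RE.match(line)):   # start of a realm block
            realm = m.group(1)
            kdcs.setdefault(realm, [])
        elif line == "}":                        # end of the realm block
            realm = None
        elif realm and (m := KDC_RE.match(line)):
            kdcs[realm].append(m.group(1))
    return kdcs


def lost_redundancy(custom_text, generated_text, minimum=2):
    """Realms with >= minimum KDCs in custom but fewer in generated -> (custom_n, generated_n)."""
    custom, generated = realm_kdcs(custom_text), realm_kdcs(generated_text)
    return {r: (len(k), len(generated.get(r, [])))
            for r, k in custom.items()
            if len(k) >= minimum and len(generated.get(r, [])) < minimum}
```

Running `lost_redundancy` over the two samples reports FOO.BAR as dropping from 4 KDCs to 1; an empty result means every realm kept its redundancy.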
14.02.2024 10:22, Michael Tokarev via samba:
>
> Okay, without any reply from the Samba community, I fixed this one by
> creating a good krb5.conf file and stopping winbind from creating a private
> one, by setting `create krb5 conf' to false (this setting wasn't easy to find
> for me, I had to look in the sources to find it, despite it being documented).

Actually this still doesn't work due to a related bug,
https://bugzilla.samba.org/show_bug.cgi?id=15536

So for now, I ended up in a really weird configuration. This host is
running named to provide DNS for the LAN clients. But due to Bug#15536,
winbind does not work. This is why I tried to explicitly list KDCs in
krb5.conf, so winbind does not use DNS to get the KDC.

So in the local resolv.conf, I specify two *windows* nameservers which use
this host as a forwarder. So local programs get DNS info from a nearby
windows nameserver which asks the named running on this host for an answer.

This looks like an idiocy but it at least works :)

I'm looking at running samba in a separate container with its own
resolv.conf pointing at the windows nameservers, so at least all other
programs on the same host can use the local named.. :)

FWIW.

/mjt
On 14-02-2024 at 08:22, Michael Tokarev via samba wrote:
> Okay, without any reply from the Samba community, I fixed this one by
> creating a good krb5.conf file and stopping winbind from creating a private
> one, by setting `create krb5 conf' to false (this setting wasn't easy
> to find for me, I had to look in the sources to find it, despite it being
> documented).
>
> Thanks,
>
> /mjt

Perhaps you can work around the issue by adding entries to /etc/hosts and
hence override the DNS lookup with the desired values? If you add
_ldap._tcp.dc._msdcs.FOO.BAR to /etc/hosts, you can set the return.

Just an idea, don't know if it does the trick :-)

- Kees.