On 14-02-2024 at 08:22, Michael Tokarev via samba wrote:
> 04.12.2023 14:21, Michael Tokarev via samba:
>> While playing with large number of DCs in a domain, which does not fit
>> in UDP DNS packet, I found another interesting issue.
>>
>> winbindd generates a temporary krb5.conf for each realm it uses, and
>> stores it in /run/samba/smb_krb5/krb5.conf.$REALM. Here's a typical
>> such config in fully-automatic mode:
>>
>> [libdefaults]
>>      default_realm = FOO.BAR
>>      default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
>>      dns_lookup_realm = false
>>      dns_lookup_kdc = true
>>
>> [realms]
>>      FOO.BAR = {
>>          kdc = 10.221.1.98
>>          kdc = 10.53.1.100
>>          kdc = 10.45.1.100
>>          kdc = 10.59.1.100
>>      }
>>
>> These are addresses of 4 DCs winbindd found in
>> _ldap._tcp.dc._msdcs.FOO.BAR
>> SRV records.
>>
>> However, if I specify custom /etc/samba/krb5.conf (why it does not
>> use /etc/krb5.conf, btw?), the [realms] section of still-generated
>> temporary krb5.conf will have just *one* kdc entry. Custom krb5.conf:
>>
>> [realms]
>>      FOO.BAR = {
>>          kdc = dc-0.foo.bar
>>          kdc = dc-1.foo.bar
>>          kdc = dc-2.foo.bar
>>          kdc = dc-3.foo.bar
>>      }
>>
>> and temporary winbind-generated /run/samba/smb_krb5/krb5.conf.FOO.BAR:
>>
>> [realms]
>>      FOO.BAR = {
>>          kdc = 10.45.1.100
>>      }
>>
>> There's just one kdc entry now instead of 4 entries specified in custom
>> krb5.conf.
>>
>> Why? Isn't it much less reliable to have only one DC?
>
> Okay, without any reply from the Samba community, I fixed this one by
> creating a good krb5.conf file and stopping winbind from creating a private
> one, by setting `create krb5 conf' to false (this setting wasn't easy
> to find for me, I had to look in the sources to find it, despite it
> being documented).
>
> Thanks,
>
> /mjt
>
Perhaps you can work around the issue by adding entries to /etc/hosts and
hence override the DNS lookup with the desired values?
If you add _ldap._tcp.dc._msdcs.FOO.BAR to /etc/hosts, you can set the
return.
Just an idea, don't know if it does the trick :-)
- Kees.
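The thread's complaint is that the winbindd-generated krb5.conf lists a single `kdc` for the realm while the hand-written one lists four. Below is an added example, not code from the thread or from Samba, that parses the `[realms]` section of both files and reports the KDC count per realm, so an operator can verify which file a host is actually relying on after setting `create krb5 conf = no` in smb.conf. The two configs embedded here are constructed copies of the ones quoted above (realm name, hostnames and addresses are the thread's illustrative values).

```python
"""Count KDC entries per realm in a krb5.conf [realms] section.

Added example for the winbindd krb5.conf discussion: a realm that lists a
single KDC has a single point of failure for Kerberos authentication, so a
generated file should be compared against the intended one.
"""
import re

# Constructed sample: the custom /etc/samba/krb5.conf quoted in the thread.
CUSTOM_KRB5_CONF = """\
[libdefaults]
    default_realm = FOO.BAR
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    FOO.BAR = {
        kdc = dc-0.foo.bar
        kdc = dc-1.foo.bar
        kdc = dc-2.foo.bar
        kdc = dc-3.foo.bar
    }
"""

# Constructed sample: the winbindd-generated /run/samba/smb_krb5/krb5.conf.FOO.BAR.
GENERATED_KRB5_CONF = """\
[libdefaults]
    default_realm = FOO.BAR
    dns_lookup_realm = false
    dns_lookup_kdc = true

[realms]
    FOO.BAR = {
        kdc = 10.45.1.100
    }
"""

_SECTION_RE = re.compile(r"^\[(\w+)\]$")
_REALM_OPEN_RE = re.compile(r"^([A-Za-z0-9.\-]+)\s*=\s*\{$")
_KDC_RE = re.compile(r"^kdc\s*=\s*(\S+)$")


def parse_realm_kdcs(text):
    """Return {realm: [kdc, ...]} taken from the [realms] section only."""
    kdcs = {}
    section = None
    realm = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue  # blank line or comment
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            realm = None
            continue
        if section != "realms":
            continue  # [libdefaults] etc. carry no kdc lines we care about
        m = _REALM_OPEN_RE.match(line)
        if m:
            realm = m.group(1)
            kdcs.setdefault(realm, [])
            continue
        if line == "}":
            realm = None
            continue
        m = _KDC_RE.match(line)
        if m and realm is not None:
            kdcs[realm].append(m.group(1))
    return kdcs


def single_kdc_realms(text, minimum=2):
    """Realms listing fewer than `minimum` KDCs, sorted by name."""
    return sorted(r for r, k in parse_realm_kdcs(text).items() if len(k) < minimum)


def compare_kdc_lists(custom, generated):
    """Per realm: (KDC count in the custom file, KDC count in the generated file)."""
    c = parse_realm_kdcs(custom)
    g = parse_realm_kdcs(generated)
    return {r: (len(c.get(r, [])), len(g.get(r, []))) for r in sorted(set(c) | set(g))}


if __name__ == "__main__":
    for realm, (n_custom, n_gen) in compare_kdc_lists(CUSTOM_KRB5_CONF, GENERATED_KRB5_CONF).items():
        print(f"{realm}: custom lists {n_custom} KDC(s), generated lists {n_gen}")
    print("realms with a single KDC in generated file:", single_kdc_realms(GENERATED_KRB5_CONF))
```

On a real host, read the generated file from /run/samba/smb_krb5/ and the custom one from /etc/samba/krb5.conf instead of the embedded strings; a realm reported with one KDC by `single_kdc_realms` is the situation the thread describes.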