samba - Jul 2024 - Massive DNS queries to _kerberos._tcp.dc._msdcs.DOMAIN, COM.

Hi All,

Our DNS admins are complaining about a massive number of DNS queries to :

SRV? _kerberos._tcp.dc._msdcs.DOMAIN,COM.

This is happening on thousands of systems. I see that every time the query is
done, winbind updates /var/run/samba/smb_krb5/krb5.conf.DOMAIN (Ubuntu
location).

I found adding "create krb5 conf = no" stops the DNS queries and the
updates to the krb5.conf.DOMAIN file.



Are there any downsides to disabling the custom krb5 conf that winbind is
creating and relying on the /etc/krb5.conf that our Kerberos admins install? Why
is it updating every few seconds?

Thank you,
Eric


Eric Gurevitz
IT Engineer, Sr Staff| EMEA EngIT | +972-52-593-7432

On Wed, 10 Jul 2024 17:34:01 +0000
Eric Gurevitz via samba <samba at lists.samba.org> wrote:
> Hi All,
> 
> Our DNS admins are complaining about a massive number of DNS queries
> to :
> 
> SRV? _kerberos._tcp.dc._msdcs.DOMAIN,COM.
There is a possibility that you may have shot yourself in the foot.
Is 'DOMAIN.COM' your companies dns domain ?
Or is actually something like 'AD.DOMAIN.COM' ?

Whatever, your dns admins shouldn't be seeing these, they should be
forwarding everything for the Active Directory dns domain to a Samba DC.
> 
> This is happening on thousands of systems. I see that every time the
> query is done, winbind updates
> /var/run/samba/smb_krb5/krb5.conf.DOMAIN (Ubuntu location).
Just checked on of my DCs (not on Ubuntu) and it was last changed
on the 6th May
> 
> I found adding "create krb5 conf = no" stops the DNS queries and
the
> updates to the krb5.conf.DOMAIN file.
> 
> 
> 
> Are there any downsides to disabling the custom krb5 conf that
> winbind is creating and relying on the /etc/krb5.conf that our
> Kerberos admins install? Why is it updating every few seconds?
> 
Not if /etc/krb5.conf is created correctly, see the smb.conf manpage
for more details.

Rowland