DNS lookups with dns_lookup* = false

apmailist@free.fr
Fri Dec 4 09:14:47 EST 2009


Hi,


I would like to continue one of the topics from this thread:
http://mailman.mit.edu/pipermail/kerberos/2009-May/014982.html

----->8--------
> Also, we dont use SRV/TXT for kdc/realm identification in DNS and I
> dont explicitly specify the dns_lookup in the krb5.conf.  In this
> context the dns_fallback automatically gets enabled, I'm thinking.
> What is the consequence of dns_fallback defaulting to yes?

If you don't explicitly specify KDCs for a realm, then DNS SRV records
will be looked up.  If you do specify the KDCs, then SRV records won't
be used; only those KDCs will be used, and they'll be tried in the
order you indicate in the file.
----8<---------


My configuration uses the following:
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.DOM = {
  kdc = 10.0.0.1:88
  kdc = 10.0.0.2:88
  admin_server = 10.0.0.1:749
  default_domain = example.dom
 }

but I still see the DNS lookups for SRV _kerberos-master._udp
(same with kdc = adserver1.example.dom.:88)

To be precise, the following happens (we don't have these records in the DNS
system):

ASREQ                       ->
                            <- KRBERR PREAUTH
DNS SRV _kerberos-master    ->
                            <- no such name
ASREQ                       ->
                            <- AS REP OK
DNS SRV _kerberos-master    ->
                            <- no such name
TGSREQ                      ->
                            <- TGSREP
DNS SRV _kerberos-master    ->
                            <- no such name

That makes 3 DNS lookups per TGS.

As I have explicitly configured:
A) dns_lookups to false
B) numerical IP addresses for the KDCs
I would expect DNS lookups to be completely *non-existent*.
Are my expectations correct, or is there something in the protocol that I missed
that would force DNS lookups even when configured not to? Or maybe I
have misconfigured krb5.conf?

Why I am looking into this is because I use Kerberos for AD authentication
through winbind.
Our configuration (typical for an AD infrastructure) is to have 2 DCs, which
are KDCs as well as DNS servers.
What happens when the primary DC is unavailable is that both the primary KDC and
the primary DNS are down.
With the timeouts adding up, the result in a default RHEL5 configuration is that
"wbinfo -t" takes 21 seconds to complete
(3*5s DNS timeouts + 3*2s KDC timeouts).
For the moment, the DNS timeout can be lowered to 1s but not less (RH case opened).

Still, I don't understand why these DNS lookups are made at all with this
configuration.
Could someone please explain?
(using krb5-libs-1.6.1-36.el5)



Regards,

Andrew
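As an added example (not code from this post, and not MIT krb5's own profile or locator code): a small Python parser for the krb5.conf section-and-brace syntax, plus a check that reports, per realm, what the file itself can resolve without DNS. It assumes the standard relations `kdc`, `master_kdc`, `dns_lookup_kdc` and `dns_lookup_realm`; the `_kerberos-master` SRV name seen in the trace above is the DNS route to the master KDC, so the check also reports whether `master_kdc` is set. The sample config is constructed from the realm in the post plus a second, hypothetical realm `OTHER.DOM` with no kdc lines. The code does not reproduce the library's locator behaviour, so it cannot say why the SRV queries occur; it only shows which realms the configuration leaves dependent on DNS.

```python
"""Audit a krb5.conf for realms whose KDC location would need DNS.

Constructed example: a parser for the krb5.conf format and a per-realm
report of explicit KDCs, IP-literal KDCs and master_kdc presence.
"""
import ipaddress
import json
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: [values] | {nested}}}.

    Repeated keys (several 'kdc =' lines) accumulate into a list, and
    '<key> = {' opens a nested block that a bare '}' line closes.
    """
    conf = {}
    stack = []          # chain of open dicts: [section, block, ...]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError("key outside any [section]: %r" % raw)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("expected 'key = value': %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":
            block = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1].setdefault(key, []).append(value)
    if len(stack) > 1:
        raise ValueError("unclosed '{' block")
    return conf


def is_ip_literal(endpoint):
    """True if a 'host[:port]' endpoint is an IP address, not a hostname."""
    host = endpoint
    if host.startswith("["):               # [v6addr]:port
        host = host[1:host.index("]")]
    elif host.count(":") == 1:             # v4addr:port or host:port
        host = host.rsplit(":", 1)[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag(section, key):
    """Configured boolean for key, or None when the key is unset."""
    values = section.get(key)
    if not values:
        return None
    return values[-1].lower() in ("true", "yes", "y", "t", "1", "on")


def audit_dns_dependence(conf):
    """Report what each realm can resolve without any DNS query."""
    lib = conf.get("libdefaults", {})
    report = {"dns_lookup_kdc": flag(lib, "dns_lookup_kdc"),
              "dns_lookup_realm": flag(lib, "dns_lookup_realm"),
              "realms": {}}
    for realm, block in conf.get("realms", {}).items():
        if not isinstance(block, dict):
            continue
        kdcs = block.get("kdc", [])
        report["realms"][realm] = {
            "kdc": kdcs,
            "kdc_requires_dns": not kdcs,      # only SRV can find a KDC
            "kdc_all_ip_literals": bool(kdcs) and all(map(is_ip_literal, kdcs)),
            "master_kdc_configured": bool(block.get("master_kdc")),
        }
    return report


SAMPLE_KRB5_CONF = """\
# constructed sample: the post's realm plus a realm with no kdc lines
[libdefaults]
 default_realm = EXAMPLE.DOM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.DOM = {
  kdc = 10.0.0.1:88
  kdc = 10.0.0.2:88
  admin_server = 10.0.0.1:749
  default_domain = example.dom
 }
 OTHER.DOM = {
  admin_server = kadmin.other.dom
 }
"""

if __name__ == "__main__":
    print(json.dumps(audit_dns_dependence(parse_krb5_conf(SAMPLE_KRB5_CONF)), indent=1))
```

Run against a real /etc/krb5.conf, a realm with `kdc_requires_dns` true is one the client can only reach through SRV records, and a realm whose KDCs are hostnames rather than IP literals still needs an A/AAAA lookup even with `dns_lookup_kdc = false`.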



