DNS lookups with dns_lookup* = false

Jeffrey Watts jeffrey.w.watts at gmail.com
Fri Dec 4 10:31:59 EST 2009


Samba appears to disregard krb5.conf, or at least parts of it.  I have the
same problems with the 'net' command.

Jeffrey.

On Fri, Dec 4, 2009 at 8:14 AM, <apmailist at free.fr> wrote:

>
> Hi,
>
>
> I would like to continue one of the topic from this thread :
> http://mailman.mit.edu/pipermail/kerberos/2009-May/014982.html
>
> ----->8--------
> > Also, we dont use SRV/TXT for kdc/realm identification in DNS and I
> > dont explicitly specify the dns_lookup in the krb5.conf.  In this
> > context the dns_fallback automatically gets enabled, I'm thinking.
> > What is the consequence of dns_fallback defaulting to yes?
>
> If you don't explicitly specify KDCs for a realm, then DNS SRV records
> will be looked up.  If you do specify the KDCs, then SRV records won't
> be used; only those KDCs will be used, and they'll be tried in the
> order you indicate in the file.
> ----8<---------
>
>
> My configuration uses the following :
>  dns_lookup_realm = false
>  dns_lookup_kdc = false
>
> [realms]
>  EXAMPLE.DOM = {
>  kdc = 10.0.0.1:88
>  kdc = 10.0.0.2:88
>  admin_server = 10.0.0.1:749
>  default_domain = example.dom
>  }
>
> but I still see the DNS lookups for SRV _kerberos-master_udp
> ( same with kdc = adserver1.example.dom.:88 )
>
> To be precise, the following happens (We don't have these records in the
> DNS system) :
>
> ASREQ   ->
>        <- KRBERR PREAUTH
> DNS SRV _kerberos-master ->
>                         <- no such name
> ASREQ   ->
>        <- AS REP OK
> DNS SRV _kerberos-master ->
>                         <- no such name
> TGSREQ  ->
>        <- TGSREP
> DNS SRV _kerberos-master ->
>                         <- no such name
>
> that makes 3 DNS lookups per TGS.
>
> As I have explicitly configured :
> A) dns_lookups to false
> B) numerical IP addresses for the KDC's
> I would expect dns lookups to be completely *non-existent*.
> Are my expectations correct, or is there something in the protocol that I
> missed, that would need to enforce dns lookups even if configured not to ?
> Or maybe I have misconfigured krb5.conf ?
>
> Why I am looking into this is because I use kerberos for AD authentication,
> through winbind.
> Our configuration (typical for an AD infrastructure) is to have 2 DC's,
> which are KDC's as well as DNS servers.
> What happens when the primary DC is unavailable is that both the primary
> KDC and the primary DNS are down.
> Timeouts summing up, the result in a default RHEL5 configuration is to have
> "wbinfo -t" take 21 seconds to accomplish.
> (3*5s DNS timeouts + 3*2s KDC timeouts)
> For the moment, DNS Timeout can be lowered to 1s but not less (RH case
> opened)
>
> Still, I don't understand why these DNS lookups are made at all with this
> configuration.
> Could someone please explain ?
> (using krb5-libs-1.6.1-36.el5)
>
>
>
-- 

"He that would make his own liberty secure must guard even his enemy from
oppression; for if he violates this duty he establishes a precedent that
will reach to himself." -- Thomas Paine
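The quoted configuration is the kind of thing worth auditing mechanically before chasing timeouts: are the dns_lookup_* switches actually off, are the KDCs literal IPs (so no A/AAAA lookup is needed), and does the realm name a master_kdc at all, given that the trace above shows _kerberos-master SRV lookups with none configured. The following is an added example, not code from the thread or from MIT krb5; the krb5.conf parser, the sample file (a constructed copy of the quoted realm) and the `audit` checks are my own. It assumes the MIT defaults of dns_lookup_kdc = true and dns_lookup_realm = false when the keys are absent, and it only reports a missing master_kdc; whether setting one suppresses the SRV lookup seen in the trace is not established on this page.

```python
"""Audit a krb5.conf for the DNS dependence discussed in the thread.

Added example (not from the thread or MIT krb5): a small parser for the
krb5.conf profile format plus checks for dns_lookup_* flags, literal-IP
KDCs, and the presence of master_kdc.
"""
import ipaddress
import re

# Constructed sample mirroring the realm quoted in the thread.
SAMPLE_KRB5_CONF = """
[libdefaults]
 default_realm = EXAMPLE.DOM
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 EXAMPLE.DOM = {
  kdc = 10.0.0.1:88
  kdc = 10.0.0.2:88
  admin_server = 10.0.0.1:749
  default_domain = example.dom
 }
"""

TRUE_WORDS = {"true", "t", "yes", "y", "on", "1"}
FALSE_WORDS = {"false", "f", "no", "n", "off", "0"}


def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {key: [values] | {key: [values]}}}.

    Supports the one level of `NAME = { ... }` nesting used under [realms].
    Repeated keys (several `kdc =` lines) accumulate in file order.
    """
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:
            raise ValueError("key outside of any section: %r" % raw)
        if line == "}":
            if block is None:
                raise ValueError("unexpected '}'")
            block = None
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":
            if block is not None:
                raise ValueError("nested block under %r" % key)
            block = section.setdefault(key, {})
            continue
        (block if block is not None else section).setdefault(key, []).append(value)
    if block is not None:
        raise ValueError("unterminated block")
    return conf


def profile_bool(values, default):
    """Interpret a krb5.conf boolean; first value wins, unknown words -> default."""
    if not values:
        return default
    word = values[0].lower()
    return True if word in TRUE_WORDS else False if word in FALSE_WORDS else default


def host_is_literal_ip(hostport):
    """True when a kdc/admin_server value is an IP literal (no A/AAAA lookup)."""
    host = hostport
    if host.startswith("["):                 # [v6addr]:port
        host = host[1:host.index("]")]
    elif host.count(":") == 1:               # host:port
        host = host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit(conf):
    """Return (severity, message) findings about what still depends on DNS."""
    findings = []
    lib = conf.get("libdefaults", {})
    if profile_bool(lib.get("dns_lookup_kdc"), True):        # assumed MIT default: true
        findings.append(("warn", "dns_lookup_kdc enabled: SRV lookups used for KDC discovery"))
    if profile_bool(lib.get("dns_lookup_realm"), False):     # assumed MIT default: false
        findings.append(("warn", "dns_lookup_realm enabled: TXT lookups used for host-to-realm"))
    for realm, settings in conf.get("realms", {}).items():
        if not isinstance(settings, dict):
            continue
        kdcs = settings.get("kdc", [])
        if not kdcs:
            findings.append(("warn", f"{realm}: no kdc entries, discovery falls back to DNS SRV"))
        for k in kdcs:
            if not host_is_literal_ip(k):
                findings.append(("info", f"{realm}: kdc {k} is a name and needs an A/AAAA lookup"))
        if "master_kdc" not in settings:
            findings.append(("info", f"{realm}: no master_kdc configured; the thread's trace shows "
                                     "_kerberos-master SRV lookups in this situation"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit(parse_krb5_conf(SAMPLE_KRB5_CONF)):
        print(f"[{sev}] {msg}")
```

Run it against /etc/krb5.conf by reading the file into `parse_krb5_conf` instead of the constructed sample; a clean run with no "warn" lines and no hostname KDCs matches the poster's setup, which is exactly the case where the remaining _kerberos-master lookups cannot be explained by the file.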