DNS lookups with dns_lookup* = false

apmailist at free.fr
Fri Dec 11 10:41:57 EST 2009


Ok,

Thank you.
I have posted the question to the samba list now.
I don't need the "dns_fallback = false" option?


Andrew


Quoting Jeffrey Watts <jeffrey.w.watts at gmail.com>:

> Samba appears to disregard krb5.conf, or at least parts of it.  I have the
> same problems with the 'net' command.
>
> Jeffrey.
>
> On Fri, Dec 4, 2009 at 8:14 AM, <apmailist at free.fr> wrote:
>
> >
> > Hi,
> >
> >
> > I would like to continue one of the topics from this thread:
> > http://mailman.mit.edu/pipermail/kerberos/2009-May/014982.html
> >
> > ----->8--------
> > > Also, we don't use SRV/TXT for kdc/realm identification in DNS and I
> > > don't explicitly specify the dns_lookup in the krb5.conf.  In this
> > > context the dns_fallback automatically gets enabled, I'm thinking.
> > > What is the consequence of dns_fallback defaulting to yes?
> >
> > If you don't explicitly specify KDCs for a realm, then DNS SRV records
> > will be looked up.  If you do specify the KDCs, then SRV records won't
> > be used; only those KDCs will be used, and they'll be tried in the
> > order you indicate in the file.
> > ----8<---------
> >
> >
> > My configuration uses the following:
> >  dns_lookup_realm = false
> >  dns_lookup_kdc = false
> >
> > [realms]
> >  EXAMPLE.DOM = {
> >  kdc = 10.0.0.1:88
> >  kdc = 10.0.0.2:88
> >  admin_server = 10.0.0.1:749
> >  default_domain = example.dom
> >  }
> >
> > but I still see the DNS lookups for SRV _kerberos-master_udp
> > ( same with kdc = adserver1.example.dom.:88 )
> >
> > To be precise, the following happens (we don't have these records in the
> > DNS system):
> >
> > ASREQ   ->
> >        <- KRBERR PREAUTH
> > DNS SRV _kerberos-master ->
> >                         <- no such name
> > ASREQ   ->
> >        <- AS REP OK
> > DNS SRV _kerberos-master ->
> >                         <- no such name
> > TGSREQ  ->
> >        <- TGSREP
> > DNS SRV _kerberos-master ->
> >                         <- no such name
> >
> > that makes 3 DNS lookups per TGS.
> >
> > As I have explicitly configured:
> > A) dns_lookups to false
> > B) numerical IP addresses for the KDCs
> > I would expect DNS lookups to be completely *non-existent*.
> > Are my expectations correct, or is there something in the protocol that I
> > missed, that would need to enforce DNS lookups even if configured not to?
> > Or maybe I have misconfigured krb5.conf?
> >
> > Why I am looking into this is because I use kerberos for AD authentication,
> > through winbind.
> > Our configuration (typical for an AD infrastructure) is to have 2 DCs,
> > which are KDCs as well as DNS servers.
> > What happens when the primary DC is unavailable is that both the primary
> > KDC and the primary DNS are down.
> > Timeouts summing up, the result in a default RHEL5 configuration is that
> > "wbinfo -t" takes 21 seconds to complete.
> > (3*5s DNS timeouts + 3*2s KDC timeouts)
> > For the moment, the DNS timeout can be lowered to 1s but not less (RH case
> > opened).
> >
> > Still, I don't understand why these DNS lookups are made at all with this
> > configuration.
> > Could someone please explain ?
> > (using krb5-libs-1.6.1-36.el5)
> >
> >
> >
> --
>
> "He that would make his own liberty secure must guard even his enemy from
> oppression; for if he violates this duty he establishes a precedent that
> will reach to himself." -- Thomas Paine
>
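As an added example (not code from this thread or from MIT krb5), a small Python linter for the points the question raises: it parses a krb5.conf, checks that dns_lookup_kdc and dns_lookup_realm are actually set to false under [libdefaults], that every kdc entry is a literal IP rather than a name, and that a master_kdc is named, since the _kerberos-master SRV record seen in the trace is what MIT krb5 uses to locate master KDCs when none is configured. The sample configuration is constructed from the one quoted above; booleans are compared against the spellings krb5's profile code treats as false.

```python
import ipaddress
# Constructed sample mirroring the configuration quoted in the thread.
SAMPLE_CONF = """
[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 EXAMPLE.DOM = {
  kdc = 10.0.0.1:88
  kdc = 10.0.0.2:88
 }
"""
as_list = lambda v: v if isinstance(v, list) else [v]

def parse_krb5_conf(text):
    """{section: {key: value}}; repeated keys become lists, 'k = { ... }' nested dicts."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            stack = [conf.setdefault(line[1:-1], {})]   # new section
        elif line == '}':
            stack.pop()                                  # end of nested block
        else:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':
                stack.append(stack[-1].setdefault(key, {}))
            else:
                cur = stack[-1]
                cur[key] = as_list(cur[key]) + [value] if key in cur else value
    return conf

def is_literal_ip(hostport):
    # True when a kdc entry is an address rather than a name that must be resolved.
    try:
        ipaddress.ip_address(hostport.rsplit(':', 1)[0].rstrip('.'))
        return True
    except ValueError:
        return False

def dns_lookup_findings(conf, realm):
    """List the ways this config still leaves the library a reason to ask DNS."""
    libd, r = conf.get('libdefaults', {}), conf.get('realms', {}).get(realm, {})
    out = [f'{k} is not false in [libdefaults]' for k in ('dns_lookup_kdc', 'dns_lookup_realm')
           if libd.get(k, '').lower() not in ('false', 'no', 'off', 'n', 'nil', '0')]
    out += [f'kdc {k} is a hostname, so it needs an A/AAAA lookup'
            for k in as_list(r.get('kdc', [])) if not is_literal_ip(k)]
    if 'master_kdc' not in r:   # the _kerberos-master SRV seen in the trace locates master KDCs
        out.append('no master_kdc; master KDCs are found via the _kerberos-master SRV record')
    return out
```

Running it on the quoted configuration reports only the missing master_kdc; a config whose dns_lookup_* lines sit outside [libdefaults], or whose kdc entries are names such as adserver1.example.dom., is reported as well.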
