Hi,
I would like to continue one of the topics from this thread: http://mailman.mit.edu/pipermail/kerberos/2009-May/014982.html

----->8--------
> Also, we don't use SRV/TXT for kdc/realm identification in DNS and I
> don't explicitly specify the dns_lookup in the krb5.conf. In this
> context the dns_fallback automatically gets enabled, I'm thinking.
> What is the consequence of dns_fallback defaulting to yes?

If you don't explicitly specify KDCs for a realm, then DNS SRV records will be looked up. If you do specify the KDCs, then SRV records won't be used; only those KDCs will be used, and they'll be tried in the order you indicate in the file.
----8<---------

My configuration uses the following:

    dns_lookup_realm = false
    dns_lookup_kdc = false

    [realms]
    EXAMPLE.DOM = {
        kdc = 10.0.0.1:88
        kdc = 10.0.0.2:88
        admin_server = 10.0.0.1:749
        default_domain = example.dom
    }

but I still see the DNS lookups for SRV _kerberos-master_udp (same with kdc = adserver1.example.dom.:88).

To be precise, the following happens (we don't have these records in the DNS system):

    ASREQ ->
    <- KRBERR PREAUTH
    DNS SRV _kerberos-master ->
    <- no such name
    ASREQ ->
    <- AS REP OK
    DNS SRV _kerberos-master ->
    <- no such name
    TGSREQ ->
    <- TGSREP
    DNS SRV _kerberos-master ->
    <- no such name

That makes 3 DNS lookups per TGS.

As I have explicitly configured:

A) dns_lookups to false
B) numerical IP addresses for the KDCs

I would expect DNS lookups to be completely *non-existent*.

Are my expectations correct, or is there something in the protocol that I missed that would need to enforce DNS lookups even if configured not to? Or maybe I have misconfigured krb5.conf?

Why I am looking into this is because I use Kerberos for AD authentication, through winbind. Our configuration (typical for an AD infrastructure) is to have 2 DCs, which are KDCs as well as DNS servers. What happens when the primary DC is unavailable is that both the primary KDC and the primary DNS are down.

Timeouts summing up, the result in a default RHEL5 configuration is to have "wbinfo -t" take 21 seconds to accomplish (3*5s DNS timeouts + 3*2s KDC timeouts). For the moment, the DNS timeout can be lowered to 1s but not less (RH case opened).

Still, I don't understand why these DNS lookups are made at all with this configuration. Could someone please explain? (using krb5-libs-1.6.1-36.el5)

Regards,
Andrew

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
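The availability problem described in the post (a failed DC taking the DNS resolver down with the KDC, so every fallback lookup adds its own timeout) is easiest to catch by auditing krb5.conf for the settings that decide whether the client ever needs DNS to locate a KDC. The script below is an added example written for this page, not code from the post or from MIT krb5: it parses a constructed krb5.conf that mirrors the realm above and reports whether dns_lookup_kdc/dns_lookup_realm are off, whether every kdc entry is an IP literal (so no A/AAAA lookup is needed either), and whether a master_kdc entry is present. master_kdc is a real MIT krb5 [realms] option, the explicit-configuration counterpart of the _kerberos-master SRV record; treating its absence as a finding worth reviewing is this example's assumption, not a diagnosis of the poster's setup.

```python
import re

# Constructed sample krb5.conf mirroring the settings quoted in the post above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.DOM
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    EXAMPLE.DOM = {
        kdc = 10.0.0.1:88
        kdc = 10.0.0.2:88
        admin_server = 10.0.0.1:749
        default_domain = example.dom
    }
"""

# host[:port] where host is a dotted-quad IPv4 literal
IPV4_HOSTPORT = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?::\d+)?$")
FALSE_VALUES = ("false", "no", "0")


def parse_krb5_conf(text):
    """Minimal parser for the [libdefaults] and [realms] sections.

    Returns (libdefaults, realms) where libdefaults maps key -> value and
    realms maps realm name -> {key: [values]} (kdc may repeat, hence lists).
    """
    libdefaults, realms = {}, {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:                                    # new section header
            section, realm = m.group(1), None
            continue
        if section == "realms":
            m = re.match(r"^(\S+)\s*=\s*\{$", line)
            if m:                                # start of a realm block
                realm = m.group(1)
                realms[realm] = {}
                continue
            if line == "}":                      # end of a realm block
                realm = None
                continue
        if "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if section == "libdefaults":
                libdefaults[key] = value
            elif section == "realms" and realm is not None:
                realms[realm].setdefault(key, []).append(value)
    return libdefaults, realms


def is_ip_literal(hostport):
    """True if hostport is an IPv4 literal with an optional :port (no DNS needed)."""
    m = IPV4_HOSTPORT.match(hostport)
    return bool(m) and all(0 <= int(octet) <= 255 for octet in m.groups())


def audit_realm(text, realm_name):
    """Check the settings that decide whether KDC location can touch DNS.

    Every True means 'this part cannot trigger a DNS lookup'.
    """
    libdefaults, realms = parse_krb5_conf(text)
    realm = realms.get(realm_name, {})
    kdcs = realm.get("kdc", [])
    return {
        "dns_lookup_kdc_off": libdefaults.get("dns_lookup_kdc", "").lower() in FALSE_VALUES,
        "dns_lookup_realm_off": libdefaults.get("dns_lookup_realm", "").lower() in FALSE_VALUES,
        "kdc_listed": bool(kdcs),
        "kdc_all_ip_literals": bool(kdcs) and all(is_ip_literal(k) for k in kdcs),
        # Assumption of this example: an explicit master_kdc is the config-side
        # counterpart of the _kerberos-master SRV record, so flag its absence.
        "master_kdc_listed": bool(realm.get("master_kdc")),
    }


def findings(text, realm_name):
    """Human-readable list of settings that still leave room for DNS lookups."""
    result = audit_realm(text, realm_name)
    return [name for name, ok in result.items() if not ok]


if __name__ == "__main__":
    for line in findings(SAMPLE_KRB5_CONF, "EXAMPLE.DOM"):
        print("review:", line)
```

Run against the constructed config, the only item reported is master_kdc_listed; a hostname such as adserver1.example.dom.:88 in a kdc line would additionally be reported as kdc_all_ip_literals, since resolving it needs a DNS round trip of its own.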
