Ok, thank you. I have posted the question to the samba list now. I don't need the "dns_fallback = false" option?
Andrew

Quoting Jeffrey Watts <[email protected]>:

> Samba appears to disregard krb5.conf, or at least parts of it. I have the
> same problems with the 'net' command.
>
> Jeffrey.
>
> On Fri, Dec 4, 2009 at 8:14 AM, <[email protected]> wrote:
>
> > Hi,
> >
> > I would like to continue one of the topics from this thread:
> > http://mailman.mit.edu/pipermail/kerberos/2009-May/014982.html
> >
> > ----->8--------
> > > Also, we don't use SRV/TXT for kdc/realm identification in DNS and I
> > > don't explicitly specify the dns_lookup in the krb5.conf. In this
> > > context the dns_fallback automatically gets enabled, I'm thinking.
> > > What is the consequence of dns_fallback defaulting to yes?
> >
> > If you don't explicitly specify KDCs for a realm, then DNS SRV records
> > will be looked up. If you do specify the KDCs, then SRV records won't
> > be used; only those KDCs will be used, and they'll be tried in the
> > order you indicate in the file.
> > ----8<---------
> >
> > My configuration uses the following:
> >
> > dns_lookup_realm = false
> > dns_lookup_kdc = false
> >
> > [realms]
> > EXAMPLE.DOM = {
> >     kdc = 10.0.0.1:88
> >     kdc = 10.0.0.2:88
> >     admin_server = 10.0.0.1:749
> >     default_domain = example.dom
> > }
> >
> > but I still see the DNS lookups for SRV _kerberos-master_udp
> > (same with kdc = adserver1.example.dom.:88).
> >
> > To be precise, the following happens (we don't have these records in the
> > DNS system):
> >
> > ASREQ ->
> > <- KRBERR PREAUTH
> > DNS SRV _kerberos-master ->
> > <- no such name
> > ASREQ ->
> > <- AS REP OK
> > DNS SRV _kerberos-master ->
> > <- no such name
> > TGSREQ ->
> > <- TGSREP
> > DNS SRV _kerberos-master ->
> > <- no such name
> >
> > That makes 3 DNS lookups per TGS.
> >
> > As I have explicitly configured:
> > A) dns_lookups to false
> > B) numerical IP addresses for the KDCs
> > I would expect DNS lookups to be completely *non-existent*.
> > Are my expectations correct, or is there something in the protocol that I
> > missed that would need to enforce DNS lookups even if configured not to? Or
> > maybe I have misconfigured krb5.conf?
> >
> > Why I am looking into this is because I use Kerberos for AD authentication
> > through winbind.
> > Our configuration (typical for an AD infrastructure) is to have 2 DCs,
> > which are KDCs as well as DNS servers.
> > What happens when the primary DC is unavailable is that both the primary
> > KDC and the primary DNS are down.
> > Timeouts summing up, the result in a default RHEL5 configuration is to have
> > "wbinfo -t" take 21 seconds to accomplish.
> > (3*5s DNS timeouts + 3*2s KDC timeouts)
> > For the moment, the DNS timeout can be lowered to 1s but not less (RH case
> > opened).
> >
> > Still, I don't understand why these DNS lookups are made at all with this
> > configuration.
> > Could someone please explain?
> > (using krb5-libs-1.6.1-36.el5)
>
> --
> "He that would make his own liberty secure must guard even his enemy from
> oppression; for if he violates this duty he establishes a precedent that
> will reach to himself." -- Thomas Paine

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
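As an added example, not part of this thread or of the MIT krb5 project: a small Python checker that parses the [libdefaults] and [realms] sections of an MIT-style krb5.conf and lists the settings that would still let a client consult DNS, using the configuration quoted above as the constructed sample. The dns_lookup_* and IP-literal checks follow the rule quoted in the thread (explicit KDCs are used instead of SRV records). The master_kdc check rests on an assumption stated in the code (that the library looks up _kerberos-master SRV records when it retries against a master KDC and no master_kdc entry exists); the function and variable names are my own.

```python
"""Report krb5.conf settings that still permit DNS lookups on a client
that is meant to use only statically configured KDCs."""
import ipaddress
import re

# Constructed sample: the configuration quoted in the message above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.DOM
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    EXAMPLE.DOM = {
        kdc = 10.0.0.1:88
        kdc = 10.0.0.2:88
        admin_server = 10.0.0.1:749
        default_domain = example.dom
    }
"""


def parse_krb5_conf(text):
    """Parse sections, `key = value` lines (repeatable, kept as lists) and
    one level of `name = { ... }` sub-blocks such as realm entries."""
    conf = {}
    section = None
    block = None  # dict of the current `{ }` sub-block, if any
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            continue
        if line == "}":
            block = None
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = section.setdefault(key, {})
            continue
        target = block if block is not None else section
        target.setdefault(key, []).append(value)
    return conf


def host_of(endpoint):
    """Strip an optional :port from `host:port` or `[v6]:port`."""
    m = re.match(r"^\[([^\]]+)\](?::\d+)?$", endpoint)
    if m:
        return m.group(1)
    m = re.match(r"^([^:]+)(?::\d+)?$", endpoint)
    if m:
        return m.group(1)
    return endpoint  # bare IPv6 literal without a port


def is_ip_literal(endpoint):
    """True when no A/AAAA lookup is needed to reach this endpoint."""
    try:
        ipaddress.ip_address(host_of(endpoint))
        return True
    except ValueError:
        return False


def dns_exposure(conf, realm):
    """Return a list of findings describing where DNS may still be used."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    for flag in ("dns_lookup_kdc", "dns_lookup_realm"):
        values = libdefaults.get(flag, [])
        if not values or values[-1].lower() not in ("false", "no", "0"):
            findings.append(f"{flag} is not explicitly false; SRV/TXT lookups may be used")
    realm_conf = conf.get("realms", {}).get(realm)
    if not isinstance(realm_conf, dict):
        findings.append(f"realm {realm} has no [realms] entry; KDCs must come from DNS")
        return findings
    if not realm_conf.get("kdc"):
        findings.append("no kdc entries; KDC discovery must use DNS SRV records")
    for key in ("kdc", "admin_server", "master_kdc"):
        for endpoint in realm_conf.get(key, []):
            if not is_ip_literal(endpoint):
                findings.append(f"{key} = {endpoint} is a hostname and needs an A/AAAA lookup")
    if not realm_conf.get("master_kdc"):
        # Assumption (not stated on the page): MIT krb5 retries against a
        # master KDC after some errors and, with no master_kdc configured,
        # looks up _kerberos-master SRV records in DNS.
        findings.append("no master_kdc entry; a master-KDC retry may look up _kerberos-master in DNS")
    return findings


if __name__ == "__main__":
    for finding in dns_exposure(parse_krb5_conf(SAMPLE_KRB5_CONF), "EXAMPLE.DOM"):
        print("finding:", finding)
```

Run against the quoted configuration the checker reports only the missing master_kdc entry, which is a quick way to separate "my krb5.conf permits DNS" from "some other component is doing the lookups", the distinction the reply about Samba raises.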
