Samba appears to disregard krb5.conf, or at least parts of it. I have the same problems with the 'net' command.
Jeffrey.

On Fri, Dec 4, 2009 at 8:14 AM, <apmail...@free.fr> wrote:
>
> Hi,
>
> I would like to continue one of the topics from this thread:
> http://mailman.mit.edu/pipermail/kerberos/2009-May/014982.html
>
> ----->8--------
> > Also, we don't use SRV/TXT for kdc/realm identification in DNS and I
> > don't explicitly specify the dns_lookup in the krb5.conf. In this
> > context the dns_fallback automatically gets enabled, I'm thinking.
> > What is the consequence of dns_fallback defaulting to yes?
>
> If you don't explicitly specify KDCs for a realm, then DNS SRV records
> will be looked up. If you do specify the KDCs, then SRV records won't
> be used; only those KDCs will be used, and they'll be tried in the
> order you indicate in the file.
> ----8<---------
>
> My configuration uses the following:
> dns_lookup_realm = false
> dns_lookup_kdc = false
>
> [realms]
> EXAMPLE.DOM = {
>     kdc = 10.0.0.1:88
>     kdc = 10.0.0.2:88
>     admin_server = 10.0.0.1:749
>     default_domain = example.dom
> }
>
> but I still see the DNS lookups for SRV _kerberos-master_udp
> (same with kdc = adserver1.example.dom.:88)
>
> To be precise, the following happens (we don't have these records in the
> DNS system):
>
> ASREQ ->
> <- KRBERR PREAUTH
> DNS SRV _kerberos-master ->
> <- no such name
> ASREQ ->
> <- AS REP OK
> DNS SRV _kerberos-master ->
> <- no such name
> TGSREQ ->
> <- TGSREP
> DNS SRV _kerberos-master ->
> <- no such name
>
> That makes 3 DNS lookups per TGS.
>
> As I have explicitly configured:
> A) dns_lookups to false
> B) numerical IP addresses for the KDCs
> I would expect DNS lookups to be completely *non-existent*.
> Are my expectations correct, or is there something in the protocol that I
> missed, that would need to enforce DNS lookups even if configured not to? Or
> maybe I have misconfigured krb5.conf?
>
> Why I am looking into this is because I use Kerberos for AD authentication,
> through winbind.
> Our configuration (typical for an AD infrastructure) is to have 2 DCs, which
> are KDCs as well as DNS servers.
> What happens when the primary DC is unavailable is that both the primary KDC
> and the primary DNS are down.
> Timeouts summing up, the result in a default RHEL5 configuration is to have
> "wbinfo -t" take 21 seconds to accomplish.
> (3*5s DNS timeouts + 3*2s KDC timeouts)
> For the moment, the DNS timeout can be lowered to 1s but not less (RH case
> opened).
>
> Still, I don't understand why these DNS lookups are made at all with this
> configuration.
> Could someone please explain?
> (using krb5-libs-1.6.1-36.el5)
>

--
"He that would make his own liberty secure must guard even his enemy from
oppression; for if he violates this duty he establishes a precedent that
will reach to himself." -- Thomas Paine

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
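To check a krb5.conf for the settings the quoted message relies on (DNS lookups disabled in [libdefaults], numeric KDC addresses in the realm block) and whether a master_kdc tag is present at all, here is an added example in Python; it is not from the thread or from MIT krb5. The sample config is constructed to mirror the quoted realm block, and treating an unset master_kdc as the thing to look at alongside the observed _kerberos-master SRV queries is an assumption of the example, not a conclusion the thread reaches.

```python
import ipaddress
# Constructed sample mirroring the quoted realm block; not a real site's config.
SAMPLE_KRB5_CONF = """
[libdefaults]
    dns_lookup_realm = false
    dns_lookup_kdc = false
[realms]
    EXAMPLE.DOM = {
        kdc = 10.0.0.1:88
        kdc = 10.0.0.2:88
    }
"""

def parse_krb5_conf(text):
    """Parse krb5.conf into {section: {tag: [values]}}; 'NAME = {' opens a nested dict."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]  # new top-level section
        elif line == "}":
            stack.pop()                                # close the current block
        else:
            tag, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(tag, {}))
            else:
                stack[-1].setdefault(tag, []).append(value)  # tags may repeat
    return conf

def is_ip_literal(hostport):
    # True when a 'host[:port]' value is an IP address rather than a hostname.
    try:
        ipaddress.ip_address(hostport.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False

def dns_expectations(conf, realm):
    """Summarise, for one realm, the settings the quoted message relies on."""
    libdefaults = conf.get("libdefaults", {})
    rblock = conf.get("realms", {}).get(realm, {})
    off = lambda tag: libdefaults.get(tag, ["true"])[-1].lower() in ("false", "no", "0")
    kdcs = rblock.get("kdc", [])
    return {"dns_lookup_realm_off": off("dns_lookup_realm"),
            "dns_lookup_kdc_off": off("dns_lookup_kdc"),
            "kdcs_numeric": bool(kdcs) and all(is_ip_literal(k) for k in kdcs),
            # Assumption: master_kdc is the tag naming the master KDC; unset here.
            "master_kdc_set": "master_kdc" in rblock}
```

Run it against a real krb5.conf by reading the file into `parse_krb5_conf` instead of the constructed sample; a realm whose KDCs are hostnames rather than IP literals shows up as `kdcs_numeric: False`.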