On Sat, 2014-06-07 at 14:31 +0000, Brandon Allbery wrote:
> On Sat, 2014-06-07 at 16:13 +0200, steve wrote:
> > We have a Samba4 domain with some Linux clients joined under DHCP. We
> > are updating their DNS records via the nsupdate facility in SSSD. All is
> > fine, but the worrying issue is that the machines still function even
> > with the wrong rr registered in dns. Is this correct behaviour?
>
> Nowhere near enough information to even guess... but Windows domains
> (and therefore samba4) tend to use Kerberos principals based on the
> netbios name instead of DNS name, so it's not unlikely. As to the more
> unixy stuff, if the machine(s) in question aren't servers, they likely
> don't care much about their DNS entries; the only common service that
> does is the MTA (sendmail/postfix/etc.), and these days it's rare for
> clients to run their own MTAs in anything but local queueing mode where
> a hosts file entry is generally good enough.
>
Thanks. The client has a keytab:

host/fqdn@REALM
host/hostname@REALM
HOSTNAME$@REALM

and a krb5.conf:

[libdefaults]
default_realm = ALTEA.SITE
dns_lookup_realm = false
dns_lookup_kdc = true

Maybe that's all that is required. My point is that if it doesn't matter,
we can simplify the Linux client set-ups quite a bit because we can lose
the signed nsupdate stuff.

Here is a login on a client at 192.168.1.22. Change the IP and it still
works fine, even though it's not registered in the DNS db (maintained via
bind9) on the DC.

Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:55132 for krbtgt/altea.s...@altea.site
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: Looking for ENC-TS pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- GUADALEST$@ALTEA.SITE
Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:34322 for krbtgt/altea.s...@altea.site
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: Looking for ENC-TS pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- GUADALEST$@ALTEA.SITE using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2014-06-07T16:59:15 starttime: unset endtime: 2014-06-08T02:59:15 renew till: 2014-06-08T16:59:14
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
Kerberos: TGS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:49450 for ldap/palmera.altea.s...@altea.site [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2014-06-07T16:59:15 starttime: 2014-06-07T16:59:15 endtime: 2014-06-08T02:59:15 renew till: 2014-06-08T16:59:14
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
ldb_wrap open of secrets.ldb
Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:53422 for krbtgt/altea.s...@altea.site
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: Looking for ENC-TS pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- GUADALEST$@ALTEA.SITE
Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:52224 for krbtgt/altea.s...@altea.site
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: Looking for ENC-TS pa-data -- GUADALEST$@ALTEA.SITE
Kerberos: ENC-TS Pre-authentication succeeded -- GUADALEST$@ALTEA.SITE using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2014-06-07T16:59:21 starttime: unset endtime: 2014-06-08T02:59:21 renew till: 2014-06-08T16:59:20
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, arcfour-hmac-md5, des3-cbc-sha1, 25, 26, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok
Kerberos: TGS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:49452 for ldap/palmera.altea.s...@altea.site [canonicalize, renewable]
Kerberos: TGS-REQ authtime: 2014-06-07T16:59:21 starttime: 2014-06-07T16:59:21 endtime: 2014-06-08T02:59:21 renew till: 2014-06-08T16:59:20
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: AS-REQ stevep\@altea.s...@altea.site from ipv4:192.168.1.22:59583 for krbtgt/altea.s...@altea.site
Kerberos: Client sent patypes: 149
Kerberos: Looking for PKINIT pa-data -- stevep\@altea.s...@altea.site
Kerberos: Looking for ENC-TS pa-data -- stevep\@altea.s...@altea.site
Kerberos: No preauth found, returning PREAUTH-REQUIRED -- stevep\@altea.s...@altea.site
Kerberos: AS-REQ stevep\@altea.s...@altea.site from ipv4:192.168.1.22:49539 for krbtgt/altea.s...@altea.site
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- stevep\@altea.s...@altea.site
Kerberos: Looking for ENC-TS pa-data -- stevep\@altea.s...@altea.site
Kerberos: ENC-TS Pre-authentication succeeded -- stevep\@altea.s...@altea.site using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2014-06-07T16:59:23 starttime: unset endtime: 2014-06-08T02:59:23 renew till: 2014-06-08T16:59:23
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, 25, 26, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok, canonicalize
Kerberos: AS-REQ stevep\@altea.s...@altea.site from ipv4:192.168.1.22:49453 for krbtgt/altea.s...@altea.site
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: Looking for PKINIT pa-data -- stevep\@altea.s...@altea.site
Kerberos: Looking for ENC-TS pa-data -- stevep\@altea.s...@altea.site
Kerberos: ENC-TS Pre-authentication succeeded -- stevep\@altea.s...@altea.site using arcfour-hmac-md5
Kerberos: AS-REQ authtime: 2014-06-07T16:59:23 starttime: unset endtime: 2014-06-08T02:59:23 renew till: 2014-06-08T16:59:23
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, 25, 26, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok, canonicalize

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
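Added example, not part of the thread: the KDC log above shows that Samba4 issues tickets to the machine account regardless of whether the client's A record is current, so a check for stale records has to run out of band. This Python checker parses request lines in the format shown in the thread and flags machine accounts whose source IP differs from the A record the DC's DNS holds; the log lines and the DNS table are constructed for the example, and the realm ALTEA.SITE and host names are reused from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of Samba4 KDC request lines, modelled on the thread's output.
SAMPLE_LOG = """\
Kerberos: AS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:55132 for krbtgt/ALTEA.SITE@ALTEA.SITE
Kerberos: Client sent patypes: encrypted-timestamp, 149
Kerberos: ENC-TS Pre-authentication succeeded -- GUADALEST$@ALTEA.SITE using arcfour-hmac-md5
Kerberos: TGS-REQ GUADALEST$@ALTEA.SITE from ipv4:192.168.1.22:49450 for ldap/palmera.altea.site@ALTEA.SITE [canonicalize, renewable]
Kerberos: AS-REQ stevep@ALTEA.SITE from ipv4:192.168.1.22:59583 for krbtgt/ALTEA.SITE@ALTEA.SITE
"""

# Constructed A records as the DC's bind9 zone might hold them: the client's
# record still points at the IP it had before its DHCP lease changed.
SAMPLE_DNS = {"guadalest.altea.site": "192.168.1.50", "palmera.altea.site": "192.168.1.1"}

REQ_RE = re.compile(
    r"Kerberos: (?P<kind>AS-REQ|TGS-REQ) (?P<client>\S+) "
    r"from ipv4:(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ for (?P<service>\S+)"
)

def parse_requests(log_text):
    """Yield (kind, client principal, source IP, service) for each request line."""
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if m:
            yield m.group("kind"), m.group("client"), m.group("ip"), m.group("service")

def host_principal_to_fqdn(principal, domain):
    """GUADALEST$@ALTEA.SITE -> guadalest.altea.site; None for user principals."""
    name = principal.split("@", 1)[0]
    return f"{name[:-1].lower()}.{domain}" if name.endswith("$") else None

def find_mismatches(log_text, dns_a_records, domain):
    """Return {fqdn: [source IPs]} for machine accounts that authenticated from
    an address other than their A record (or that have no A record at all)."""
    seen = defaultdict(set)
    for _kind, client, ip, _service in parse_requests(log_text):
        fqdn = host_principal_to_fqdn(client, domain)
        if fqdn is not None:
            seen[fqdn].add(ip)
    mismatches = {}
    for fqdn, ips in seen.items():
        stale = sorted(ip for ip in ips if ip != dns_a_records.get(fqdn))
        if stale:
            mismatches[fqdn] = stale
    return mismatches
```

User principals are skipped on purpose: only machine accounts are expected to have an A record that matches where they authenticate from.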