Re: DNS lookups with dns_lookup* = false
Quoting Jeffrey Watts jeffrey.w.wa...@gmail.com:

> What I've noticed is that if you use the -S option (to explicitly specify the server), 'net' seems to ignore that and use DNS instead. I've watched with the debug set to 5 and I've seen 'net' try to connect to different KDCs. I would assume that it would be good behavior if it were trying to access the -S server _first_, but its attempts seem to be purely random based on whatever is returned via DNS first.

Ok, so, still asking the samba list, where it is clear samba has its own behavior. See the /var/cache/samba/smb_krb5/krb5.conf.DOMAIN file for example.

Then, I wanted to try how the failover would behave if the SRV _kerberos-master._udp.DOMAIN record was present. But my Active Directory admin says he does indeed have the _kerberos._XX SRV record, but that he is not offered the choice to add a _kerberos-master. record in the AD DNS system.

Has anyone stepped upon such a problem?

Andrew

Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: DNS lookups with dns_lookup* = false
On 12/23/2009 11:31 AM, apmail...@free.fr wrote:

> Then, I wanted to try how the failover would behave if the SRV _kerberos-master._udp.DOMAIN record was present. But my Active Directory admin says he does indeed have the _kerberos._XX SRV record, but that he is not offered the choice to add a _kerberos-master. record in the AD DNS system.
>
> Has anyone stepped upon such a problem?

AD doesn't limit the DNS SRV names that can be entered. _kerberos-master is not in the quick list but it can be typed by hand.
Re: DNS lookups with dns_lookup* = false
Ok, thank you. I have posted the question to the samba list now.

I don't need the dns_fallback = false option?

Andrew

Quoting Jeffrey Watts jeffrey.w.wa...@gmail.com:

> Samba appears to disregard krb5.conf, or at least parts of it. I have the same problems with the 'net' command.
>
> Jeffrey.
>
> On Fri, Dec 4, 2009 at 8:14 AM, apmail...@free.fr wrote:
>
>> Hi,
>>
>> I would like to continue one of the topics from this thread:
>> http://mailman.mit.edu/pipermail/kerberos/2009-May/014982.html
>>
>> -8
>> Also, we don't use SRV/TXT for kdc/realm identification in DNS and I don't explicitly specify the dns_lookup in the krb5.conf. In this context the dns_fallback automatically gets enabled, I'm thinking. What is the consequence of dns_fallback defaulting to yes?
>>
>> If you don't explicitly specify KDCs for a realm, then DNS SRV records will be looked up. If you do specify the KDCs, then SRV records won't be used; only those KDCs will be used, and they'll be tried in the order you indicate in the file.
>> 8-
>>
>> My configuration uses the following:
>>
>>     dns_lookup_realm = false
>>     dns_lookup_kdc = false
>>
>>     [realms]
>>     EXAMPLE.DOM = {
>>         kdc = 10.0.0.1:88
>>         kdc = 10.0.0.2:88
>>         admin_server = 10.0.0.1:749
>>         default_domain = example.dom
>>     }
>>
>> but I still see the DNS lookups for SRV _kerberos-master_udp (same with kdc = adserver1.example.dom.:88).
>>
>> To be precise, the following happens (we don't have these records in the DNS system):
>>
>>     ASREQ  - - KRBERR PREAUTH
>>     DNS SRV _kerberos-master - - no such name
>>     ASREQ  - - AS REP OK
>>     DNS SRV _kerberos-master - - no such name
>>     TGSREQ - - TGSREP
>>     DNS SRV _kerberos-master - - no such name
>>
>> That makes 3 DNS lookups per TGS. As I have explicitly configured:
>>
>> A) dns_lookups to false
>> B) numerical IP addresses for the KDCs
>>
>> I would expect DNS lookups to be completely *non-existent*. Are my expectations correct, or is there something in the protocol that I missed that would need to enforce DNS lookups even if configured not to? Or maybe I have misconfigured krb5.conf?
>>
>> Why I am looking into this is because I use Kerberos for AD authentication, through winbind. Our configuration (typical for an AD infrastructure) is to have 2 DCs, which are KDCs as well as DNS servers. What happens when the primary DC is unavailable is that both the primary KDC and the primary DNS are down. Timeouts summing up, the result in a default RHEL5 configuration is to have wbinfo -t take 21 seconds to complete (3*5s DNS timeouts + 3*2s KDC timeouts). For the moment, the DNS timeout can be lowered to 1s but not less (RH case opened).
>>
>> Still, I don't understand why these DNS lookups are made at all with this configuration. Could someone please explain? (using krb5-libs-1.6.1-36.el5)
>>
>> --
>> He that would make his own liberty secure must guard even his enemy from oppression; for if he violates this duty he establishes a precedent that will reach to himself. -- Thomas Paine
Re: DNS lookups with dns_lookup* = false
What I've noticed is that if you use the -S option (to explicitly specify the server), 'net' seems to ignore that and use DNS instead. I've watched with the debug set to 5 and I've seen 'net' try to connect to different KDCs. I would assume that it would be good behavior if it were trying to access the -S server _first_, but its attempts seem to be purely random based on whatever is returned via DNS first.

Jeffrey.

On Fri, Dec 11, 2009 at 9:41 AM, apmail...@free.fr wrote:

> Ok, thank you. I have posted the question to the samba list now.
>
> I don't need the dns_fallback = false option?
DNS lookups with dns_lookup* = false
Hi,

I would like to continue one of the topics from this thread:
http://mailman.mit.edu/pipermail/kerberos/2009-May/014982.html

-8
Also, we don't use SRV/TXT for kdc/realm identification in DNS and I don't explicitly specify the dns_lookup in the krb5.conf. In this context the dns_fallback automatically gets enabled, I'm thinking. What is the consequence of dns_fallback defaulting to yes?

If you don't explicitly specify KDCs for a realm, then DNS SRV records will be looked up. If you do specify the KDCs, then SRV records won't be used; only those KDCs will be used, and they'll be tried in the order you indicate in the file.
8-

My configuration uses the following:

    dns_lookup_realm = false
    dns_lookup_kdc = false

    [realms]
    EXAMPLE.DOM = {
        kdc = 10.0.0.1:88
        kdc = 10.0.0.2:88
        admin_server = 10.0.0.1:749
        default_domain = example.dom
    }

but I still see the DNS lookups for SRV _kerberos-master_udp (same with kdc = adserver1.example.dom.:88).

To be precise, the following happens (we don't have these records in the DNS system):

    ASREQ  - - KRBERR PREAUTH
    DNS SRV _kerberos-master - - no such name
    ASREQ  - - AS REP OK
    DNS SRV _kerberos-master - - no such name
    TGSREQ - - TGSREP
    DNS SRV _kerberos-master - - no such name

That makes 3 DNS lookups per TGS. As I have explicitly configured:

A) dns_lookups to false
B) numerical IP addresses for the KDCs

I would expect DNS lookups to be completely *non-existent*. Are my expectations correct, or is there something in the protocol that I missed that would need to enforce DNS lookups even if configured not to? Or maybe I have misconfigured krb5.conf?

Why I am looking into this is because I use Kerberos for AD authentication, through winbind. Our configuration (typical for an AD infrastructure) is to have 2 DCs, which are KDCs as well as DNS servers. What happens when the primary DC is unavailable is that both the primary KDC and the primary DNS are down. Timeouts summing up, the result in a default RHEL5 configuration is to have wbinfo -t take 21 seconds to complete (3*5s DNS timeouts + 3*2s KDC timeouts). For the moment, the DNS timeout can be lowered to 1s but not less (RH case opened).

Still, I don't understand why these DNS lookups are made at all with this configuration. Could someone please explain? (using krb5-libs-1.6.1-36.el5)

Regards,
Andrew
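As an added example (not part of the thread and not krb5 or Samba code), a small Python check that parses the krb5.conf fragment quoted above, verifies that dns_lookup_kdc is off and every kdc entry is an IP literal, and then counts the DNS SRV lookups in a trace shaped like the poster's shorthand; the config text and trace lines are constructed from the post, and a lookup count above zero with such a configuration is reported as unexpected.

```python
import ipaddress
# Constructed sample input: the krb5.conf fragment and shorthand trace quoted in the post.
KRB5_CONF = """
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
EXAMPLE.DOM = {
    kdc = 10.0.0.1:88
    kdc = 10.0.0.2:88
    admin_server = 10.0.0.1:749
    default_domain = example.dom
}
"""
TRACE = ["ASREQ - - KRBERR PREAUTH", "DNS SRV _kerberos-master - - no such name",
         "ASREQ - - AS REP OK", "DNS SRV _kerberos-master - - no such name",
         "TGSREQ - - TGSREP", "DNS SRV _kerberos-master - - no such name"]

def parse_krb5_conf(text):
    """Return (top-level/libdefaults settings, {realm: [kdc entries]}) from krb5.conf text."""
    settings, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;": continue
        if line.startswith("[") and line.endswith("]"):   # [section] header
            section, realm = line[1:-1], None
        elif line.endswith("{"):                           # REALM = { opens a block
            realms.setdefault(realm := line.split("=")[0].strip(), [])
        elif line == "}": realm = None                     # block closes
        else:
            key, _, value = (s.strip() for s in line.partition("="))
            if realm is None and section in (None, "libdefaults"):
                settings[key] = value.lower()
            elif section == "realms" and realm and key == "kdc":
                realms[realm].append(value)
    return settings, realms

def kdc_is_literal_ip(entry):  # kdc entries may carry :port; IP literals need no DNS
    host = entry.rsplit(":", 1)[0] if entry.count(":") == 1 else entry
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def audit(conf_text, trace):  # flag SRV lookups the configuration says should not happen
    settings, realms = parse_krb5_conf(conf_text)
    dns_off = settings.get("dns_lookup_kdc") == "false"
    ips_only = all(kdc_is_literal_ip(k) for kdcs in realms.values() for k in kdcs)
    srv = sum(1 for entry in trace if entry.startswith("DNS SRV "))
    return {"dns_lookup_kdc_off": dns_off, "kdcs_are_ips": ips_only,
            "srv_lookups": srv, "unexpected": dns_off and ips_only and srv > 0}
```

Run against the poster's fragment and trace, audit() reports three SRV lookups and marks them unexpected; swapping a kdc entry for the hostname form (adserver1.example.dom.:88) clears the flag, since name resolution is then required anyway.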
Re: DNS lookups with dns_lookup* = false
Samba appears to disregard krb5.conf, or at least parts of it. I have the same problems with the 'net' command.

Jeffrey.

On Fri, Dec 4, 2009 at 8:14 AM, apmail...@free.fr wrote:

> Hi,
>
> I would like to continue one of the topics from this thread:
> http://mailman.mit.edu/pipermail/kerberos/2009-May/014982.html
>
> -8
> Also, we don't use SRV/TXT for kdc/realm identification in DNS and I don't explicitly specify the dns_lookup in the krb5.conf. In this context the dns_fallback automatically gets enabled, I'm thinking. What is the consequence of dns_fallback defaulting to yes?
>
> If you don't explicitly specify KDCs for a realm, then DNS SRV records will be looked up. If you do specify the KDCs, then SRV records won't be used; only those KDCs will be used, and they'll be tried in the order you indicate in the file.
> 8-
>
> My configuration uses the following:
>
>     dns_lookup_realm = false
>     dns_lookup_kdc = false
>
>     [realms]
>     EXAMPLE.DOM = {
>         kdc = 10.0.0.1:88
>         kdc = 10.0.0.2:88
>         admin_server = 10.0.0.1:749
>         default_domain = example.dom
>     }
>
> but I still see the DNS lookups for SRV _kerberos-master_udp (same with kdc = adserver1.example.dom.:88).
>
> To be precise, the following happens (we don't have these records in the DNS system):
>
>     ASREQ  - - KRBERR PREAUTH
>     DNS SRV _kerberos-master - - no such name
>     ASREQ  - - AS REP OK
>     DNS SRV _kerberos-master - - no such name
>     TGSREQ - - TGSREP
>     DNS SRV _kerberos-master - - no such name
>
> That makes 3 DNS lookups per TGS. As I have explicitly configured:
>
> A) dns_lookups to false
> B) numerical IP addresses for the KDCs
>
> I would expect DNS lookups to be completely *non-existent*. Are my expectations correct, or is there something in the protocol that I missed that would need to enforce DNS lookups even if configured not to? Or maybe I have misconfigured krb5.conf?
>
> Why I am looking into this is because I use Kerberos for AD authentication, through winbind. Our configuration (typical for an AD infrastructure) is to have 2 DCs, which are KDCs as well as DNS servers. What happens when the primary DC is unavailable is that both the primary KDC and the primary DNS are down. Timeouts summing up, the result in a default RHEL5 configuration is to have wbinfo -t take 21 seconds to complete (3*5s DNS timeouts + 3*2s KDC timeouts). For the moment, the DNS timeout can be lowered to 1s but not less (RH case opened).
>
> Still, I don't understand why these DNS lookups are made at all with this configuration. Could someone please explain? (using krb5-libs-1.6.1-36.el5)