From c404793a38507d52160fea4e3ef8d73f20593820 Mon Sep 17 00:00:00 2001
From: Uri Simchoni
Date: Thu, 2 Jul 2015 20:15:43 +0300
Subject: [PATCH] libads: disable dns_lookup_realm in auto-generated krb5.conf files

This patch sets dns_lookup_realm=false in samba-generated krb5.conf.

Disabling dns_lookup_realm in krb5.conf is the recommended practice for Kerberos usage in an Active Directory environment. dns_lookup_realm is enabled by default, at least in Heimdal.

When used by samba, Kerberos libraries operate based on either the system krb5.conf, or a private krb5.conf generated specifically for the domain by samba code. In the former case, it's the responsibility of the administrator to set dns_lookup_realm=false. In the latter case, it's the responsibility of samba - which is what this patch does.

In many usage scenarios the value of this variable is of no consequence since samba knows the realm in which it is operating, and knows how to generate service principal names. However, there are some scenarios in which samba calls kerberos_get_principal_from_service_hostname(), and here samba consults the Kerberos libraries and this parameter comes into play. One primary example is the cli_full_connection() function.

Not setting dns_lookup_realm leads to a series of DNS TXT record lookups. This can be observed by running "net ads join -k -U ". In AD environments, the TXT queries typically fail quickly, but test setups or misconfigured DNS may lead to large timeouts (for example, if the domain is dept.example.com but there's no parent example.com domain and no DNS zones for example.com). At the very least we want to avoid those lookups because they are hardly documented and lead to confusion.

Signed-off-by: Uri Simchoni
Reviewed-by: Stefan Metzmacher
Reviewed-by: Jeremy Allison
---
 source3/libads/kerberos.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 1c2d8a25643..e4bad749286 100644
--- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -879,7 +879,8 @@ bool create_local_private_krb5_conf_for_domain(const char *realm, "[libdefaults]\n\tdefault_realm = %s\n" "\tdefault_tgs_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" "\tdefault_tkt_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" - "\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n\n" + "\tpreferred_enctypes = %s RC4-HMAC DES-CBC-CRC DES-CBC-MD5\n" + "\tdns_lookup_realm = false\n\n" "[realms]\n\t%s = {\n" "%s\t}\n", realm_upper, aes_enctypes, aes_enctypes, aes_enctypes, -- 2.11.4.GIT
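Review bot: The new "\tdns_lookup_realm = false\n\n" line in the [libdefaults] block of create_local_private_krb5_conf_for_domain() should be accompanied by a note, in the commit message or a comment above the format string, on what now decides hostname-to-realm mapping: the visible template emits only [libdefaults] and [realms], with no [domain_realm] section, so once DNS TXT lookup is disabled the library falls back to its built-in mapping (ultimately default_realm) for any host that kerberos_get_principal_from_service_hostname() is asked about, including hosts in trusted domains. If that fallback is the intended behaviour, say so; if not, consider emitting a [domain_realm] entry for the joined realm alongside this change. Moving the section-terminating "\n\n" from the preferred_enctypes line onto the new line keeps the blank line before [realms] intact, which is correct. Unrelated to this change but worth a follow-up: the unchanged context lines still list DES-CBC-CRC and DES-CBC-MD5 in default_tgs_enctypes, default_tkt_enctypes and preferred_enctypes, so the generated file advertises single-DES to any KDC that will still offer it.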