mirror of
https://github.com/samba-team/samba.git
synced 2024-12-27 03:21:53 +03:00
c404793a38
This patch sets dns_lookup_realm=false in samba-generated krb5.conf. Disabling dns_lookup_realm in krb5.conf is the recommended practice for Kerberos usage in Active Directory environment. dns_lookup_realm is enabled by default, at least in Heimdal. When used by samba, Kerberos libraries operate based on either the system krb5.conf, or a private krb5.conf generated specifically for the domain by samba code. In the former case, it's the responsibility of the administrator to set dns_lookup_realm=false. In the latter case, it's the responsibility of samba - which is what this patch does. In many usage scenarios the value of this variable is of no consequence since samba knows the realm in which it is operating, and knows how to generate service principal names. However, there are some scenarios in which samba calls kerberos_get_principal_from_service_hostname(), and here samba consults the Kerberos libraries and this parameter comes into play. One primary example is cli_full_connection() function. Not setting dns_lookup_realm leads to a series of DNS TXT record lookups. This can be observed by running "net ads join -k -U <user>". In AD environments, the TXT queries typically fail quickly, but test setups or misconfigured DNS may lead to large timeouts (for example, if the domain is dept.example.com but there's no parent example.com domain and no DNS zones for example.com). At the very least we want to avoid those lookups because they are hardly documented and lead to confusion. Signed-off-by: Uri Simchoni <urisimchoni@gmail.com> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> |
||
|---|---|---|
| .. | ||
| ads_ldap_protos.h | ||
| ads_proto.h | ||
| ads_status.c | ||
| ads_status.h | ||
| ads_struct.c | ||
| authdata.c | ||
| cldap.c | ||
| cldap.h | ||
| disp_sec.c | ||
| kerberos_keytab.c | ||
| kerberos_proto.h | ||
| kerberos_util.c | ||
| kerberos.c | ||
| krb5_errs.c | ||
| krb5_setpw.c | ||
| ldap_printer.c | ||
| ldap_schema.c | ||
| ldap_schema.h | ||
| ldap_user.c | ||
| ldap_utils.c | ||
| ldap.c | ||
| ndr.c | ||
| sasl_wrapping.c | ||
| sasl.c | ||
| sitename_cache.c | ||
| sitename_cache.h | ||
| util.c | ||