mirror of https://github.com/samba-team/samba.git synced 2025-01-13 13:18:06 +03:00
samba-mirror/source3
Uri Simchoni c404793a38 libads: disable dns_lookup_realm in auto-generated krb5.conf files
This patch sets dns_lookup_realm=false in samba-generated krb5.conf.

Disabling dns_lookup_realm in krb5.conf is the recommended practice for
Kerberos usage in an Active Directory environment. dns_lookup_realm is enabled
by default, at least in Heimdal.

When used by samba, Kerberos libraries operate based on either the system
krb5.conf, or a private krb5.conf generated specifically for the domain by
samba code. In the former case, it's the responsibility of the administrator
to set dns_lookup_realm=false. In the latter case, it's the responsibility
of samba - which is what this patch does.

In many usage scenarios the value of this variable is of no consequence
since samba knows the realm in which it is operating, and knows how to
generate service principal names. However, there are some scenarios
in which samba calls kerberos_get_principal_from_service_hostname(),
and here samba consults the Kerberos libraries and this parameter comes
into play. One primary example is the cli_full_connection() function.

Not setting dns_lookup_realm leads to a series of DNS TXT record lookups.
This can be observed by running "net ads join -k -U <user>".

In AD environments, the TXT queries typically fail quickly, but test setups
or misconfigured DNS may lead to large timeouts (for example, if the domain
is dept.example.com but there's no parent example.com domain and no DNS
zones for example.com). At the very least we want to avoid those lookups
because they are hardly documented and lead to confusion.

Signed-off-by: Uri Simchoni <urisimchoni@gmail.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2015-07-17 01:38:15 +02:00
auth Convert all uint32/16/8 to _t in a grab-bag of remaining files. 2015-05-14 22:16:56 +02:00
build waf: improve iconv checks 2014-01-03 05:04:44 +01:00
client s3:client: Add "scopy" cmd to perform Server Side copy using smbclient. 2015-07-14 13:04:17 +02:00
exports
groupdb Convert all uses of uint32/16/8 to _t in source3/groupdb. 2015-05-14 19:29:19 +02:00
include winbindd: set file descriptor limit according to configuration 2015-07-15 22:41:13 +02:00
intl lang_tdb: don't leak lock_path or data_path onto talloc tos 2014-11-03 23:46:05 +01:00
lib ctdbd_conn: Move release_ip handling into process.c 2015-07-14 09:56:25 +02:00
libads libads: disable dns_lookup_realm in auto-generated krb5.conf files 2015-07-17 01:38:15 +02:00
libgpo gpo: don't leak cache_path onto talloc tos 2014-10-06 19:18:05 +02:00
libnet net: fix the order of DC lookup methods when joining a domain 2015-07-09 12:33:25 +02:00
librpc net: fix the order of DC lookup methods when joining a domain 2015-07-09 12:33:25 +02:00
libsmb CID 1311771: Fix a null pointer dereference 2015-07-15 01:47:21 +02:00
locale winbind/i18n: update Japanese pam winbind translation 2014-07-26 20:43:28 +02:00
locking Convert uint64 to uint64_t 2015-05-15 19:31:24 +02:00
modules vfs: Consolidate failure paths in vfswrap_init_asys_ctx 2015-07-17 01:35:33 +02:00
nmbd Fix the uint32/16/8 stuff in two proto.h files I missed. 2015-05-13 22:01:13 +02:00
pam_smbpass lib: Remove load_case_tables_library() 2015-03-24 00:00:20 +01:00
param param: Make "kernel change notify" global 2015-07-07 23:51:24 +02:00
passdb s3:pdb_samba_dsdb: make use of dsdb_trust_search_tdo() 2015-07-08 18:38:21 +02:00
printing s3-rpc_server: Fix inteface typo. 2015-06-04 03:51:29 +02:00
profile Convert all uint32/16/8 to _t in a grab-bag of remaining files. 2015-05-14 22:16:56 +02:00
registry lib: Remove unused functions 2015-06-23 22:12:09 +02:00
rpc_client s3:librpc/rpc: fix padding calculation in dcerpc_guess_sizes() 2015-06-23 14:38:53 +02:00
rpc_server rpc_server: Fix CID 1311342 Null pointer dereferences (REVERSE_INULL) 2015-07-10 01:01:36 +02:00
rpcclient s3-rpcclient: add cmd_clusapi_get_cluster_version2. 2015-07-14 21:21:21 +02:00
script s3: tests: Add blackbox test for scopy. 2015-07-14 16:10:44 +02:00
selftest selftest: Plan samba3.blackbox.preserve_case testcase 2015-07-01 23:05:55 +02:00
services Convert all uint32/16/8 to _t in a couple of include files. 2015-05-12 04:22:55 +02:00
smbd s3:smbd: change a loglevel from 0 to 1 when SMB_VFS_CONNECT fails 2015-07-16 20:24:47 +02:00
stf
torture Remove ctdb_conn.[ch] 2015-07-08 02:53:32 +02:00
utils smbcontrol: Set internal log level to 0 2015-07-10 06:33:07 +02:00
web swat: Remove swat. 2013-05-18 16:32:38 +02:00
winbindd winbindd: shorten client list scan 2015-07-16 01:45:19 +02:00
.clang_complete lib: Remove tdb_compat 2015-03-17 11:30:52 +01:00
.dmallocrc
.indent.pro
change-log
Doxyfile
mainpage.dox
smbadduser.in
wscript s3-mdssvc: add configure option --enable-spotlight 2015-07-07 17:34:28 +02:00
wscript_build s3:wscript_build: fix the build using dmapi and fam together 2015-07-08 11:54:24 +02:00
wscript_configure_system_ncurses Transition to waf 1.8: wrapped conf.check_cfg 2015-03-16 03:00:07 +01:00