[PATCH] Should we avoid DNS for short names?

[PATCH] Should we avoid DNS for short names?

Andrew Bartlett
This patch tells Heimdal to use only config files for 'short' realm
names, not DNS.  I expect Samba4 to be configured in many weird and
wonderful ways, and this patch should reduce administrator pain and root
DNS server load.

Comments?  

Andrew Bartlett
--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

Attachment: heimdal-no-short-dns.patch (704 bytes)

Re: [PATCH] Should we avoid DNS for short names?

Johan Danielsson
Andrew Bartlett <[hidden email]> writes:

> Comments?

It's a bit of a hack, and in the unlikely event that someone set up a
realm for, say, COM, it would require local configuration.

Other than that I don't see any problems. :-)

Wouldn't this be a problem only if you have a non-dns based realm AND
you also don't have any local configuration for it (or if the KDC is
down)?

/Johan

Re: [PATCH] Should we avoid DNS for short names?

Andrew Bartlett
On Thu, 2005-09-22 at 10:38 +0200, Johan Danielsson wrote:

> Andrew Bartlett <[hidden email]> writes:
>
> > Comments?
>
> It's a bit of a hack, and in the unlikely event that someone set up a
> realm for, say, COM, it would require local configuration.
>
> Other than that I don't see any problems. :-)
>
> Wouldn't this be a problem only if you have a non-dns based realm AND
> you also don't have any local configuration for it (or if the KDC is
> down)?

It's more about misconfiguration, and our users (or indeed my code)
blurring the distinction between a netbios domain and a realm.

Attached is another patch to avoid doing a DNS lookup on _kerberos.host
where 'host' is unqualified.  This was going to the root DNS servers.

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net

Attachment: heimdal-no-short-dns.patch (996 bytes)

Re: [PATCH] Should we avoid DNS for short names?

Love Hörnquist Åstrand

>> Other than that I don't see any problems. :-)
>>
>> Wouldn't this be a problem only if you have a non-dns based realm AND
>> you also don't have any local configuration for it (or if the KDC is
>> down)?
>
> It's more about misconfiguration, and our users (or indeed my code)
> blurring the distinction between a netbios domain and a realm.
>
> Attached is another patch to avoid doing a DNS lookup on _kerberos.host
> where 'host' is unqualified.  This was going to the root DNS servers.

What codepaths are causing this to happen for you?

Love



Re: [PATCH] Should we avoid DNS for short names?

Andrew Bartlett
On Fri, 2005-10-14 at 12:40 +0200, Love Hörnquist Åstrand wrote:

> >> Other than that I don't see any problems. :-)
> >>
> >> Wouldn't this be a problem only if you have a non-dns based realm AND
> >> you also don't have any local configuration for it (or if the KDC is
> >> down)?
> >
> > It's more about misconfiguration, and our users (or indeed my code)
> > blurring the distinction between a netbios domain and a realm.
> >
> > Attached is another patch to avoid doing a DNS lookup on _kerberos.host
> > where 'host' is unqualified.  This was going to the root DNS servers.
>
> What codepaths are causing this to happen for you?

Samba4 where we have already turned off DNS canonicalisation (and in the
real world if it has failed), with smbclient //piglett/test -Uuser%pass

Andrew Bartlett

--
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
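
An added illustration of the behaviour discussed in this thread; it is not part of any message, not Heimdal's code and not the attached patches. The function names, the `skip_short` switch and the label-by-label suffix walk are assumptions of this sketch, and `example.com` is a constructed name.

```c
#include <stdio.h>
#include <string.h>
#define MAX_QNAME 256

/* "Short" = non-empty with no dot at all; a rooted "COM." is not short. */
int is_short_name(const char *name)
{
    return name != NULL && name[0] != '\0' && strchr(name, '.') == NULL;
}

/* May KDC discovery for this realm go beyond config files to DNS? */
int realm_may_use_dns(const char *realm, int skip_short)
{
    if (realm == NULL || realm[0] == '\0')
        return 0;
    return !(skip_short && is_short_name(realm));
}

/* Collect the "_kerberos.<suffix>" names looked up while mapping host to a
 * realm (suffix walk is an assumption). Returns the number written. */
int host_realm_queries(const char *host, int skip_short,
                       char out[][MAX_QNAME], int max)
{
    int n = 0;
    const char *p;
    for (p = host; p != NULL && n < max; p = strchr(p, '.')) {
        if (*p == '.')
            p++;                  /* step past the label separator */
        if (*p == '\0')
            break;                /* empty input or trailing dot */
        if (skip_short && is_short_name(p))
            continue;             /* unqualified: leave it to config files */
        int len = snprintf(out[n], MAX_QNAME, "_kerberos.%s", p);
        if (len > 0 && len < MAX_QNAME)
            n++;
    }
    return n;
}

int main(void)
{
    char q[8][MAX_QNAME];
    const char *hosts[] = { "piglett", "piglett.example.com" }; /* constructed */
    for (int h = 0; h < 2; h++)
        for (int skip = 0; skip <= 1; skip++)
            printf("%s skip_short=%d: %d lookups, COM via DNS: %d\n", hosts[h], skip,
                   host_realm_queries(hosts[h], skip, q, 8), realm_may_use_dns("COM", skip));
    return 0;
}
```

With `skip_short` set, the unqualified `piglett` produces no DNS lookups at all, and a realm named `COM` is reachable only through local configuration, which is the trade-off raised in the first reply.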
