[Linux-aus] SRV _kerberos._http.COMPANY.LOCAL.
Fraser Tweedale
frase at frase.id.au
Thu Jun 9 15:45:35 AEST 2022
On Thu, Jun 09, 2022 at 02:13:53PM +1000, Russell Coker via linux-aus wrote:
> I have a setup of sssd (the Linux Active Directory client) talking to a
> locally hosted AD instance which also has an Azure AD domain (which isn't
> supported by sssd) mirroring some of the data. I'm getting repeated DNS
> lookups for the above SRV entry, any idea of what this is about and what the
> right value should be?
>
> The real problem is poor performance with slow logins (like it's timing out
> trying to connect to the wrong server) and it appears that doing hundreds of
> DNS requests for things that don't exist is likely to be part of that problem.
>
> What does Kerberos expect with the _http service? Does it expect the server
> running on port 88?
>
I think it's looking for an MS-KKDCP[1] (a.k.a. "Kerberos HTTP
proxy") service. The expected port is whatever the KDC proxy is
running on. Typically 443, as the transport is HTTPS. If you're
not running a KDC proxy, leave this record undefined.
[1] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kkdcp
That said, I can't see in the MIT Kerberos KDC discovery code how it
could end up querying SRV _kerberos._http.REALM - rather, it should
be using URI records for KDC proxy discovery. But I might have
missed something.
Cheers,
Fraser
> I'd appreciate any responses that give a clue here. Could be from the AD side
> how I can probe the AD setup or just guess what it's doing (assuming that most
> of it will be default options). Could be from the Linux/SSSD side of what the
> client is expecting and how to make it happy.
>
> Also I'm going to try to get the Ubuntu adsys package to work, currently
> installing it breaks AD on that workstation. But that's a later thing.
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/
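As an added worked example (not code from this thread, from MIT krb5 or from sssd), the following parses the URI-record discovery data Fraser refers to, the "krb5srv:" rdata a client looks up at _kerberos.REALM, and derives the KDC list a client would build from it, including an MS-KKDCP proxy target. It also lists the RFC 4120 SRV names a client falls back to when no URI records exist, which do not include _kerberos._http, and emits the equivalent static krb5.conf "kdc =" lines for pinning the servers with dns_lookup_kdc = false while DNS-driven discovery is being debugged. The realm, host names and sample answers are constructed for the illustration.

```python
"""Parse Kerberos KDC discovery URI records ("krb5srv:" rdata, the format MIT
krb5 looks up at _kerberos.REALM) and derive the KDC list a client would use.

Added illustration for this thread; not code from the list, from MIT krb5 or
from sssd. The realm and every host name below are constructed examples.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

REALM = "COMPANY.LOCAL"   # constructed; matches the realm in the thread subject

# Roughly what `dig +short URI _kerberos.COMPANY.LOCAL` would print for a realm
# publishing one ordinary KDC and one MS-KKDCP proxy. CONSTRUCTED sample data.
SAMPLE_URI_ANSWERS = [
    '10 1 "krb5srv:m:tcp:dc1.company.local"',
    '10 1 "krb5srv::udp:dc1.company.local:88"',
    '20 1 "krb5srv::kkdcp:https://kdcproxy.company.local/KdcProxy"',
    '30 1 "http://not-a-kerberos-record.example/"',   # wrong scheme: ignored
]

_RDATA = re.compile(r'^(\d+)\s+(\d+)\s+"([^"]*)"$')


@dataclass(frozen=True)
class KdcEndpoint:
    priority: int
    weight: int
    master: bool        # 'm' flag: a master (writable) KDC
    transport: str      # "udp", "tcp" or "kkdcp" (Kerberos over HTTPS proxy)
    target: str         # host[:port] for udp/tcp; an https:// URL for kkdcp


def parse_uri_record(rdata: str) -> Optional[KdcEndpoint]:
    """Parse one URI RR's rdata. Returns None for anything that is not a
    well-formed krb5srv target, so stray or foreign URI records are skipped."""
    m = _RDATA.match(rdata.strip())
    if not m:
        return None
    priority, weight, target_uri = int(m.group(1)), int(m.group(2)), m.group(3)
    # krb5srv:<flags>:<transport>:<residual>; the residual may itself contain
    # ':' (a port, or the scheme of an https URL), so split at most three times.
    parts = target_uri.split(":", 3)
    if len(parts) != 4 or parts[0] != "krb5srv":
        return None
    flags, transport, residual = parts[1], parts[2], parts[3]
    if transport not in ("udp", "tcp", "kkdcp") or not residual:
        return None
    if transport == "kkdcp" and not residual.startswith("https://"):
        return None     # a KDC proxy target must be an HTTPS URL
    return KdcEndpoint(priority, weight, "m" in flags, transport, residual)


def kdc_list(answers: List[str]) -> List[KdcEndpoint]:
    """Usable endpoints in resolver order: lowest priority first, and within a
    priority the larger weight first (ties keep DNS answer order)."""
    endpoints = [e for e in map(parse_uri_record, answers) if e is not None]
    return sorted(endpoints, key=lambda e: (e.priority, -e.weight))


def fallback_srv_names(realm: str) -> List[str]:
    """SRV names a client tries when no URI records exist (RFC 4120 section
    7.2.3). _kerberos._http is not one of them."""
    return [f"_kerberos._udp.{realm}", f"_kerberos._tcp.{realm}"]


def krb5_conf_kdc_lines(answers: List[str]) -> List[str]:
    """Equivalent static [realms] 'kdc =' lines for krb5.conf, for use with
    dns_lookup_kdc = false while DNS discovery is misbehaving. MIT krb5 accepts
    an https:// URL here, which is how a KKDCP proxy is pinned statically."""
    lines: List[str] = []
    for e in kdc_list(answers):
        line = f"kdc = {e.target}"
        if line not in lines:
            lines.append(line)
    return lines


if __name__ == "__main__":
    for e in kdc_list(SAMPLE_URI_ANSWERS):
        print(e)
    print("\n".join(krb5_conf_kdc_lines(SAMPLE_URI_ANSWERS)))
    print("SRV fallback:", fallback_srv_names(REALM))
```

To see what the real zone publishes, compare `dig URI _kerberos.COMPANY.LOCAL` with `dig SRV _kerberos._http.COMPANY.LOCAL` and the two fallback SRV names above; a realm with no URI records and no proxy should answer only the _udp/_tcp SRV names. On the sssd side, the same pinning is done with krb5_server in sssd.conf rather than by editing krb5.conf by hand.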