[Linux-aus] SRV _kerberos._http.COMPANY.LOCAL.

Fraser Tweedale frase at frase.id.au
Thu Jun 9 15:45:35 AEST 2022

On Thu, Jun 09, 2022 at 02:13:53PM +1000, Russell Coker via linux-aus wrote:
> I have a setup of sssd (the Linux Active Directory client) talking to a 
> locally hosted AD instance which also has an Azure AD domain (which isn't 
> supported by sssd) mirroring some of the data.  I'm getting repeated DNS 
> lookups for the above SRV entry, any idea of what this is about and what the 
> right value should be?
> The real problem is poor performance with slow logins (like it's timing out 
> trying to connect to the wrong server) and it appears that doing hundreds of 
> DNS requests for things that don't exist is likely to be part of that problem.
> What does Kerberos expect with the _http service?  Does it expect the server 
> running on port 88?

I think it's looking for an MS-KKDCP[1] (a.k.a. "Kerberos HTTP
proxy") service.  The expected port is whatever the KDC proxy is
running on.  Typically 443, as the transport is HTTPS.  If you're
not running a KDC proxy leave this record undefined.

[1] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-kkdcp

That said I can't see in the MIT Kerberos KDC discovery code how it
could end up querying SRV _kerberos._http.REALM - rather it should
be using URI records for KDC proxy discovery.  But I might have
missed something.


> I'd appreciate any responses that give a clue here.  Could be from the AD side 
> how I can probe the AD setup or just guess what it's doing (assuming that most 
> of it will be default options).  Could be from the Linux/SSSD side of what the 
> client is expecting and how to make it happy.
> Also I'm going to try to get the Ubuntu adsys package to work, currently 
> installing it breaks AD on that workstation.  But that's a later thing.
> -- 
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/
> _______________________________________________
> linux-aus mailing list
> linux-aus at lists.linux.org.au
> http://lists.linux.org.au/mailman/listinfo/linux-aus
> To unsubscribe from this list, send a blank email to
> linux-aus-unsubscribe at lists.linux.org.au

More information about the linux-aus mailing list