Bug #13045

Idmap's KDC lookup override doesn't work

Added by Matt Barden 10 months ago. Updated 10 months ago.

Status: Closed
Priority: Normal
Category: cifs - CIFS server and client
% Done: 100%
Difficulty: Medium

Description

Our Kerberos library provides a mechanism for 'overriding' the normal lookup routine, by specifying a "_krb5_override_service_locator" function. Its purpose is to avoid the long KDC lookup times that may result from doing a DNS lookup. There are two issues with the current implementations of the override function:

1. IDMAP has a mapfile, and the override is not specified as 'global'. Therefore, Kerberos is unable to dlsym() the function, and so we fall back to profile/DNS KDC lookup. This issue does not affect SMBD, as it does not have a mapfile (and so the function is marked 'global').
2. The overrides assume that all DCs are KDCs; that is not the case, and so the override may return information for a server that is not actually a KDC. DCs that are KDCs set a flag during discovery that we can use to detect this.

Steps to reproduce:
1. join the server to a domain.
2. Set a 'bad kdc' line in /etc/krb5/krb5.conf
3. svcadm refresh 'idmap'

Expected Results:
Idmap uses the DC's information as the KDC

Actual Results:
The bad KDC information is used from the profile, and so domain discovery fails.

The 'DCs aren't KDCs' issue has not been detected in practice. Reproduction would likely look like:
1. Join the server to a domain where one DC is not a KDC, and another one is a KDC.
2. Set "preferred_dc" to the DC that is not a KDC.
3. Set the "ad-container" sharesmb property on a dataset (zfs set sharesmb=name=<sharename>,ad-container=<any string> <dataset>).

Tested by following the reproduction steps (the 'bad kdc' case, and just the ad-container bit of the not-a-kdc case), and using dtrace to verify the input/output of the override function. Additionally, destructive dtrace was used to force the realm to not match the configured domain.
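Added example, not code from the illumos tree or from this change: a self-contained C model of the override locator the description talks about, carrying the two checks the report calls for (decline realms other than the joined domain so libkrb5 falls back to krb5.conf/DNS, and never offer a DC whose discovery response lacked the KDC flag). The locate_service_type enum and KRB5_PLUGIN_NO_HANDLE are placeholders standing in for krb5.h, the DC table and 192.0.2.x addresses are constructed, and DS_KDC_FLAG is the DS_FLAG bit from MS-ADTS; collect_cb and kdc_lookup are hypothetical helpers that play the part of libkrb5's callback.

```c
/*
 * Added example, not illumos code: a self-contained model of the
 * _krb5_override_service_locator() hook that smbd and idmapd export for
 * libkrb5 to find with dlsym().  It answers only for the joined realm and
 * offers only DCs that advertised themselves as KDCs.  "Placeholder"
 * constants stand in for krb5.h; the DC table is constructed sample data.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>

/* Placeholders for the krb5.h enum and the "not handled" return code. */
enum locate_service_type { locate_service_kdc = 1, locate_service_master_kdc,
    locate_service_kadmin, locate_service_kpasswd };
#define	KRB5_PLUGIN_NO_HANDLE	1	/* libkrb5 then uses profile/DNS */
#define	DS_KDC_FLAG	0x00000020	/* MS-ADTS 6.3.1.2 DS_FLAG bit */

typedef struct dc_info {
	const char	*ipv4;
	uint32_t	flags;	/* DS_*_FLAG bits recorded at discovery */
} dc_info_t;

/* Constructed sample: what discovery might have cached after the join. */
static const char *joined_realm = "EXAMPLE.COM";
static const dc_info_t discovered_dcs[] = {
	{ "192.0.2.10", 0 },		/* a DC that did not advertise KDC */
	{ "192.0.2.11", DS_KDC_FLAG },
};
#define	NDCS	(sizeof (discovered_dcs) / sizeof (discovered_dcs[0]))

/*
 * Signature libkrb5 expects from the exported symbol.  Returns 0 once an
 * address has been handed to cbfunc, KRB5_PLUGIN_NO_HANDLE to fall back.
 */
int
_krb5_override_service_locator(void *arg0, enum locate_service_type svc,
    const char *realm, int socktype, int family,
    int (*cbfunc)(void *, int, struct sockaddr *), void *cbdata)
{
	int handed_out = 0;
	size_t i;

	(void)arg0;
	if (svc != locate_service_kdc && svc != locate_service_master_kdc)
		return (KRB5_PLUGIN_NO_HANDLE);
	if (family != AF_UNSPEC && family != AF_INET)
		return (KRB5_PLUGIN_NO_HANDLE);
	/* A realm other than the joined domain is left to krb5.conf/DNS. */
	if (strcasecmp(realm, joined_realm) != 0)
		return (KRB5_PLUGIN_NO_HANDLE);
	for (i = 0; i < NDCS; i++) {
		struct sockaddr_in sin = { .sin_family = AF_INET,
		    .sin_port = htons(88) };
		/* Issue 2: skip any DC that did not advertise DS_KDC_FLAG. */
		if ((discovered_dcs[i].flags & DS_KDC_FLAG) == 0)
			continue;
		if (inet_pton(AF_INET, discovered_dcs[i].ipv4, &sin.sin_addr) == 1 &&
		    cbfunc(cbdata, socktype, (struct sockaddr *)&sin) == 0)
			handed_out++;
	}
	return (handed_out > 0 ? 0 : KRB5_PLUGIN_NO_HANDLE);
}

/* Test double for libkrb5's callback: appends each address it is offered. */
static int
collect_cb(void *cbdata, int socktype, struct sockaddr *sa)
{
	char *out = cbdata, ip[INET_ADDRSTRLEN];

	(void)socktype;
	if (sa->sa_family != AF_INET || inet_ntop(AF_INET,
	    &((struct sockaddr_in *)sa)->sin_addr, ip, sizeof (ip)) == NULL)
		return (1);
	if (*out != '\0')
		strcat(out, ",");
	strcat(out, ip);
	return (0);
}

/* Comma-separated KDCs offered for realm, "" when libkrb5 must fall back. */
const char *
kdc_lookup(const char *realm)
{
	static char out[NDCS * (INET_ADDRSTRLEN + 1)];

	out[0] = '\0';
	if (_krb5_override_service_locator(NULL, locate_service_kdc, realm,
	    SOCK_DGRAM, AF_INET, collect_cb, out) != 0)
		out[0] = '\0';
	return (out);
}

int
main(void)
{
	printf("%s -> %s\n", joined_realm, kdc_lookup(joined_realm));
	printf("OTHER.TEST -> \"%s\" (falls back)\n", kdc_lookup("OTHER.TEST"));
	return (0);
}
```

The function above only matters if libkrb5 can actually see it, which is issue 1: when the daemon is linked with a mapfile, the symbol has to be listed in the global scope, otherwise dlsym() returns NULL and the profile/DNS path is taken silently. Checking the symbol table of the built binary (elfdump -s on illumos) is the quickest way to confirm the export before reaching for dtrace.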

Actions #1

Updated by Electric Monk 10 months ago

  • Gerrit CR set to 852
Actions #2

Updated by Matt Barden 10 months ago

  • Description updated (diff)
Actions #3

Updated by Electric Monk 10 months ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit bdc3270f393f51a419684e0fd3d7112e9b269773

commit  bdc3270f393f51a419684e0fd3d7112e9b269773
Author: Matt Barden <matt.barden@nexenta.com>
Date:   2020-09-01T15:12:58.000Z

    13045 Idmap's KDC lookup override doesn't work
    Reviewed by: Dan McDonald <danmcd@joyent.com>
    Approved by: Robert Mustacchi <rm@fingolfin.org>
