Bug #13045


Idmap's KDC lookup override doesn't work

Added by Matt Barden almost 2 years ago. Updated over 1 year ago.

cifs - CIFS server and client

Our Kerberos library provides a mechanism for 'overriding' the normal lookup routine, by specifying a "_krb5_override_service_locator" function. Its purpose is to avoid the long KDC lookup times that may result from doing DNS lookups. There are two issues with the current implementations of the override function:

1. IDMAP has a mapfile, and the override is not specified as 'global'. Therefore, Kerberos is unable to dlsym() the function, and so we fall back to profile/DNS KDC lookup. This issue does not affect SMBD, as it does not have a mapfile (and so the function is marked 'global').
2. The overrides assume that all DCs are KDCs; that is not the case, and so the override may return information for a server that is not actually a KDC. DCs that are KDCs set a flag during discovery that we can use to detect this.

Steps to reproduce:
1. join the server to a domain.
2. Set a 'bad kdc' line in /etc/krb5/krb5.conf
3. svcadm refresh 'idmap'

Expected Results:
Idmap uses the DC's information as KDC

Actual Results:
The bad KDC information is used from the profile, and so domain discovery fails.

For the 'DCs aren't KDCs' issue, it has not been detected in practice. Reproduction would likely look like:
1. Join the server to a domain where one DC is not a KDC, and another one is a KDC.
2. Set "preferred_dc" to the DC that is not a KDC.
3. Set the "ad-container" sharesmb property on a dataset (zfs set sharesmb=name=<sharename>,ad-container=<any string> <dataset>).

Tested by following reproduction steps (the 'bad kdc' case, and just the ad-container bit of the not-a-kdc case), and using dtrace to verify the input/output of the override function. Additionally, destructive dtrace was used to force the realm to not match the configured domain.
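The two defects described above, modelled in C as an added example (not illumos libkrb5, idmapd or smbd code): the library consults an override before its profile/DNS KDC path, and a correct override offers only DCs that discovery flagged as KDCs. The flag name, the dc_info_t structure, the simplified locator signature and the sample DC list are assumptions.

```c
/* Model of the override-locator contract: the override either hands back a
 * KDC ("handled") or declines so the library falls back to profile/DNS lookup.
 * Simplified, assumed interface; not the illumos libkrb5/idmapd implementation. */
#include <stddef.h>
#include <string.h>

#define DC_IS_KDC 0x01            /* assumed: set by discovery for KDC-capable DCs */
enum { LOC_HANDLED = 0, LOC_NO_HANDLE = 1 };   /* handled / let the library fall back */

typedef struct { const char *name; unsigned flags; } dc_info_t;
typedef int (*override_fn)(const dc_info_t *dcs, size_t n, const char **kdc);

/* Constructed discovery result: the preferred DC is a DC but not a KDC. */
static const dc_info_t discovered[] = {
    { "dc1.example.test", 0 },
    { "dc2.example.test", DC_IS_KDC },
};
#define NDISCOVERED (sizeof(discovered) / sizeof(discovered[0]))

/* Defect 2: assumes every DC is a KDC and hands back the preferred one. */
int override_naive(const dc_info_t *dcs, size_t n, const char **kdc) {
    if (n == 0) return LOC_NO_HANDLE;
    *kdc = dcs[0].name;
    return LOC_HANDLED;
}

/* Fixed: offer only a DC carrying the KDC flag; decline otherwise so the
 * library falls back to its normal lookup instead of using a non-KDC. */
int override_checked(const dc_info_t *dcs, size_t n, const char **kdc) {
    for (size_t i = 0; i < n; i++) {
        if (dcs[i].flags & DC_IS_KDC) {
            *kdc = dcs[i].name;
            return LOC_HANDLED;
        }
    }
    return LOC_NO_HANDLE;
}

/* Library side.  'fn' stands for what dlsym(RTLD_DEFAULT, "_krb5_override_service_locator")
 * returned: NULL when the symbol is not exported as global (defect 1, the idmapd mapfile
 * case), in which case the profile's KDC line is used even when it is bad. */
const char *locate_kdc(override_fn fn, const char *profile_kdc) {
    const char *kdc = NULL;
    if (fn != NULL && fn(discovered, NDISCOVERED, &kdc) == LOC_HANDLED)
        return kdc;
    return profile_kdc;
}
```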

#1

Updated by Electric Monk almost 2 years ago

  • Gerrit CR set to 852
#2

Updated by Matt Barden over 1 year ago

  • Description updated (diff)
#3

Updated by Electric Monk over 1 year ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit bdc3270f393f51a419684e0fd3d7112e9b269773

commit  bdc3270f393f51a419684e0fd3d7112e9b269773
Author: Matt Barden <>
Date:   2020-09-01T15:12:58.000Z

    13045 Idmap's KDC lookup override doesn't work
    Reviewed by: Dan McDonald <>
    Approved by: Robert Mustacchi <>
