Idmap's KDC lookup override doesn't work
Our kerberos library provides a mechanism for 'overriding' the normal lookup routine, by specifying a "_krb5_override_service_locator" function. Its purpose is to avoid the long KDC lookup times that may result from doing DNS lookup. There are two issues with the current implementations of the override function:
1. IDMAP has a mapfile, and the override is not specified as 'global'. Therefore, kerberos is unable to dlsym() the function, and so we fallback to profile/dns KDC lookup. This issue does not affect SMBD, as it does not have a mapfile (and so the function is marked 'global').
2. The overrides assume that all DC's are KDC's; that is not the case, and so the override may return information for a server that is not actually a KDC. DC's that are KDC's set a flag during discovery that we can use to detect this.
Steps to reproduce:
1. join the server to a domain.
2. Set a 'bad kdc' line in /etc/krb5/krb5.conf
3. svcadm refresh 'idmap'
Idmap uses the DC's information as KDC
The bad KDC information is used from the profile, and so domain discovery fails.
For the 'DC's aren't KDCs' issue, it has not been detected in practice. Reproduction would likely look like:
1. Join the server to a domain where one DC is not a KDC, and another one is a KDC.
2. set "preferred_dc" to the DC that is not a KDC.
3. set the "ad-container" sharesmb property on a dataset (zfs set sharesmb=name=<sharename>,ad-container=<any string> <dataset>).
Tested by following reproduction steps (the 'bad kdc' case, and just the ad-container bit of the not-a-kdc case), and using dtrace to verify the input/output of the override function. Additionally, destructive dtrace was used to force the realm to not match the configured domain.
Updated by Electric Monk over 1 year ago
- Status changed from New to Closed
- % Done changed from 0 to 100
commit bdc3270f393f51a419684e0fd3d7112e9b269773 Author: Matt Barden <firstname.lastname@example.org> Date: 2020-09-01T15:12:58.000Z 13045 Idmap's KDC lookup override doesn't work Reviewed by: Dan McDonald <email@example.com> Approved by: Robert Mustacchi <firstname.lastname@example.org>