On 24.5.2016 08:56, Alexander Bokovoy wrote:
> On Mon, 23 May 2016, Petr Spacek wrote:
>> On 20.5.2016 12:43, Alexander Bokovoy wrote:
>>> On Fri, 20 May 2016, Petr Spacek wrote:
>>>> Theory I have seen looks good to me but Security considerations section is
>>>> missing. The design must spell out what are security implications of
>>>>  ignore_acceptor_hostname = true
>>>>  GSSAPIStrictAcceptorCheck no
>>> I'll add security considerations, thanks for noticing that.
>>>> All of the implementation details are missing so this review cannot be
>>>> considered complete.
>>> There is nothing to implement here on our side. We discussed it with
>>> Martin K. and he suggested that we might add a link to documentation
>>> when it would be written but that's as much as we can do.
>>> Thing is, a proper implementation means changes to be done way above
>>> ipa-client-install level, even way above FreeIPA deployment itself,
>>> especially for SSO case where a CNAME would need to be created in a
>>> separate DNS zone that is not under control of FreeIPA. So all we can do
>>> is to suggest something rather than implement. We do that already and
>>> Mark is going to turn the design into a section in the Windows
>>> Integration Guide.
>> Let me clarify that. I did not mean that ipa-client-install should *create*
>> CNAME records. I was thinking more about tailored installation process which
>> can be automatically enabled when CNAME is detected during installation.
> If CNAME is detected, we can do some magic, right. But would it help?
> Two things matter here:
> - if `hostname` is a CNAME, we need to register real hostname
> - also create host object for CNAME record and make sure realm hostname
>   is used to manage it

Yes, I think that this could and should be done automatically to ease 

> Question is what to do if hostname was forced via command line option
> and it is different from the CNAME which is `hostname`. In current code
> we ignore `hostname` and force the hostname via /etc/hosts to whatever
> was specified on the command line.

I would keep this behavior - after all, user wanted an explicit hostname so
give it to him. It may break things but any usage of override options
(hostname, domain, server ...) can break something when used improperly.

>> I was thinking about detection of CNAME which could trigger addition of
>> ipa-client.example.com = IPA.EXAMPLE.COM
>> to krb5.conf.
>> Or, alternatively, why can't we add ipa-client.example.com = IPA.EXAMPLE.COM
>> to krb5.conf unconditionally? I do not see any harm in doing so.
> That sounds better. May be you can file a ticket for this one? It
> doesn't need to be tied to the discussed proposal although you can
> certainly mention it.
>>> However, it is impossible to
>>> do anything here automatically because the actual behavior would depend
>>> on external conditions which we cannot control.
>>> This is really something that has to be written in the planning guide.
>>> For example, if you have SSO case and want to put A/AAAA record and
>>> CNAME record, it is not a given fact that both of them have to be named
>>> in the same way. In fact, they most likely will be different as CNAME
>>> record is part of user-facing application namespace and A/AAAA records
>>> in IPA DNS zone are part of a backend naming. There is no
>>> standardization here.
>> Sure. I was thinking about special handling for case where ipa-client-install
>> is ran with parameters "--domain=ipa --hostname=cname". It could modify
>> krb5.conf and possibly print hint about ignore_acceptor_hostname or just a
>> link to docs "it seems that you should read <this>".
> Well, we don't have the documentation for it yet, only upstream wiki.
> May be we should add instead a section to ipa-client-install manual page
> and reference it?

Sounds good to me.

>>>> Speaking of certs, should we introduce a aliases for host entries to avoid
>>>> the
>>>> need of fake hosts?
>>> These 'fake hosts' are as good as aliases, even better, because they
>>> allow us to have full control over who can manage them.
>> I do not see how this is different from any other object which has managedBy
>> attribute. It is not a special property of host.
> We have managedBy handling in hosts and services specifically to allow
> certificate issuing on behalf of another entity.

I'm still not convinced that 'we historically do it this way' is good enough
justification for using fake host objects instead of tailored aliases.

Petr^2 Spacek

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to