On 26.04.2017 20:41, Simo Sorce wrote:
On Wed, 2017-04-26 at 12:57 +0200, Martin Bašti wrote:
On 25.04.2017 16:57, Martin Bašti wrote:
Hello all,

I'm going to implement automatic URI records for kdc proxy and I'd
like to clarify if following URI records are the right one.

_kerberos-adm.example.com. IN URI <prio> 0

_krb5kdc.example.com. IN URI <prio> 0

_kpasswd.example.com. IN URI <prio> 0

I assume we want to use "kkdcp" and "https", and "M" flag as all IPA
servers are masters, please confirm.




Thank you

I found out that wiki page differs from the RFC draft and from the
source in git

There is "_kerberos.REALM" record instead of "_krb5kdc.REALM"

And I'm not sure if _kerberos-adm should be included as we don't really
support kadmin.
We shouldn't.


I would like to discuss consequences of adding kdc URI records:

1. basically all ipa clients enrolled using autodiscovery will use kdcproxy instead of KDC on port 88, because URI takes precedence over SRV in KRB5 client implementation. Are we ok with such a big change?

2. probably client installer must be updated because currently with CA-full installation it is not working.

ipa-client-install (with autodiscovery) failed on kinit, see KRB5_TRACE bellow that it refuses self signed certificate

DNS Domain: ipa.test
IPA Server: master.ipa.test
BaseDN: dc=ipa,dc=test

Continue to configure the system with these values? [no]: y
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@ipa.test:
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.TEST
    Issuer:      CN=Certificate Authority,O=IPA.TEST
    Valid From:  2017-04-27 11:02:28
    Valid Until: 2037-04-27 11:02:28

Enrolled in IPA realm IPA.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.TEST
trying https://master.ipa.test/ipa/json
Forwarding 'schema' to json server 'https://master.ipa.test/ipa/json'
Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'IPA.TEST' The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

[root@client1 ~]# KRB5_TRACE=/dev/stderr kinit admin
[25690] 1493293387.746616: Getting initial credentials for ad...@ipa.test
[25690] 1493293387.750307: Sending request (164 bytes) to IPA.TEST
[25690] 1493293387.751468: Resolving hostname master.ipa.test
[25690] 1493293387.765261: TLS certificate error at 1 (O=IPA.TEST, CN=Certificate Authority): 19 (self signed certificate in certificate chain) [25690] 1493293387.765680: TLS error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
[25690] 1493293387.765807: HTTPS error sending to https
[25690] 1493293387.766873: Terminating TCP connection to https kinit: Cannot contact any KDC for realm 'IPA.TEST' while getting initial credentials

IMHO we have to update krb5.conf or add IPA CA cert to trusted certificates, I'm afraid that URI records may break already installed clients (when updated to krb5-workstation), I have to test it.

Martin Bašti
Software Engineer
Red Hat Czech

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to