On 26.04.2017 20:41, Simo Sorce wrote:
On Wed, 2017-04-26 at 12:57 +0200, Martin Bašti wrote:
On 25.04.2017 16:57, Martin Bašti wrote:
I'm going to implement automatic URI records for kdc proxy and I'd
like to clarify if following URI records are the right one.
_kerberos-adm.example.com. IN URI <prio> 0
_krb5kdc.example.com. IN URI <prio> 0
_kpasswd.example.com. IN URI <prio> 0
I assume we want to use "kkdcp" and "https", and "M" flag as all IPA
servers are masters, please confirm.
I found out that wiki page differs from the RFC draft and from the
source in git
There is "_kerberos.REALM" record instead of "_krb5kdc.REALM"
And I'm not sure if _kerberos-adm should be included as we don't really
I would like to discuss consequences of adding kdc URI records:
1. basically all ipa clients enrolled using autodiscovery will use
kdcproxy instead of KDC on port 88, because URI takes precedence over
SRV in KRB5 client implementation. Are we ok with such a big change?
2. probably client installer must be updated because currently with
CA-full installation it is not working.
ipa-client-install (with autodiscovery) failed on kinit, see KRB5_TRACE
below that it refuses self signed certificate
DNS Domain: ipa.test
IPA Server: master.ipa.test
Continue to configure the system with these values? [no]: y
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for ad...@ipa.test:
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.TEST
Issuer: CN=Certificate Authority,O=IPA.TEST
Valid From: 2017-04-27 11:02:28
Valid Until: 2037-04-27 11:02:28
Enrolled in IPA realm IPA.TEST
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/krb5.conf for IPA realm IPA.TEST
Forwarding 'schema' to json server 'https://master.ipa.test/ipa/json'
Major (851968): Unspecified GSS failure. Minor code may provide more
information, Minor (2529639068): Cannot contact any KDC for realm 'IPA.TEST'
The ipa-client-install command failed. See
/var/log/ipaclient-install.log for more information
[root@client1 ~]# KRB5_TRACE=/dev/stderr kinit admin
 1493293387.746616: Getting initial credentials for ad...@ipa.test
 1493293387.750307: Sending request (164 bytes) to IPA.TEST
 1493293387.751468: Resolving hostname master.ipa.test
 1493293387.765261: TLS certificate error at 1 (O=IPA.TEST,
CN=Certificate Authority): 19 (self signed certificate in certificate chain)
 1493293387.765680: TLS error: error:14090086:SSL
routines:ssl3_get_server_certificate:certificate verify failed
 1493293387.765807: HTTPS error sending to https 192.168.138.101:443
 1493293387.766873: Terminating TCP connection to https
kinit: Cannot contact any KDC for realm 'IPA.TEST' while getting initial
IMHO we have to update krb5.conf or add IPA CA cert to trusted
certificates, I'm afraid that URI records may break already installed
clients (when updated to krb5-workstation), I have to test it.
Red Hat Czech
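The record shape the message sketches ("prio", "0", "kkdcp", "https", "M" flag, one record per owner name) can be spelled out as a small zone generator plus a validator for the target string. This is an added example, not code from the thread or from FreeIPA; it assumes the target format MIT krb5 documents for KDC discovery, `krb5srv:<flags>:<transport>:<residual>`, the owner names `_kerberos`, `_kerberos-adm` and `_kpasswd` as discussed above, and a `/KdcProxy` path on each server, which is an assumption here.

```python
"""Build and validate krb5 DNS URI records for a KDC proxy.

Added example, not FreeIPA code.  Assumed target format (MIT krb5 KDC
discovery docs):

    krb5srv:<flags>:<transport>:<residual>

flags     "M" (master KDC) or empty
transport "kkdcp" (residual is an https URL), "tcp" or "udp"
          (residual is host[:port])
"""
from urllib.parse import urlsplit

VALID_TRANSPORTS = ("kkdcp", "tcp", "udp")
# Owner names as discussed in the thread (the wiki/draft disagree on
# _kerberos vs _krb5kdc; _kerberos is what MIT krb5 documents).
OWNER_NAMES = ("_kerberos", "_kerberos-adm", "_kpasswd")


def kkdcp_target(server, path="/KdcProxy"):
    """Target field for a master KDC reached through a KDC proxy.

    The /KdcProxy path is an assumption of this example.
    """
    return f"krb5srv:M:kkdcp:https://{server}{path}"


def uri_records(realm, servers, priority=10, weight=0):
    """Return zone-file lines for every owner name and every server.

    All servers get the 'M' flag (every IPA server is a master) and share
    one priority; weight 0 matches the sketch in the thread.
    """
    lines = []
    for owner in OWNER_NAMES:
        for server in servers:
            target = kkdcp_target(server)
            lines.append(f'{owner}.{realm}. IN URI {priority} {weight} "{target}"')
    return lines


def parse_target(target):
    """Split a krb5srv target into (flags, transport, residual).

    Raises ValueError on malformed input so a generator can refuse to
    publish a record that clients would silently skip.  Only two
    partitions are used before the residual, so the ':' inside an
    https:// URL is preserved.
    """
    scheme, sep, rest = target.partition(":")
    if scheme != "krb5srv" or not sep:
        raise ValueError(f"not a krb5srv target: {target!r}")
    flags, _, rest = rest.partition(":")
    transport, _, residual = rest.partition(":")
    if flags not in ("", "M"):
        raise ValueError(f"unknown flags {flags!r}")
    if transport not in VALID_TRANSPORTS:
        raise ValueError(f"unknown transport {transport!r}")
    if transport == "kkdcp":
        url = urlsplit(residual)
        # A KDC proxy is only reachable over TLS; anything else is a typo
        # or a downgrade and should never be published.
        if url.scheme != "https" or not url.hostname:
            raise ValueError(f"kkdcp residual must be an https URL: {residual!r}")
    elif not residual:
        raise ValueError("host[:port] residual required for tcp/udp")
    return flags, transport, residual


def is_valid_target(target):
    """Boolean wrapper around parse_target for filtering candidate records."""
    try:
        parse_target(target)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: one master and one replica in a test realm.
    for line in uri_records("ipa.test", ["master.ipa.test", "replica.ipa.test"]):
        print(line)
```

Publishing these records does not change the trust problem shown in the KRB5_TRACE above: the client still has to trust the CA that issued the proxy's HTTPS certificate. MIT krb5 reads an `http_anchors` tag in the realm's `[realms]` stanza of krb5.conf for exactly this purpose (pointing at a CA file or directory), which is the krb5.conf route the message mentions as the alternative to adding the IPA CA to the system trust store.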