On 2017-04-27 14:00, Martin Bašti wrote:
> I would like to discuss consequences of adding kdc URI records:
> 1. basically all ipa clients enrolled using autodiscovery will use
> kdcproxy instead of KDC on port 88, because URI takes precedence over
> SRV in KRB5 client implementation. Are we ok with such a big change?

Does the client also prefer KKDCP if you give the Kerberos 88/UDP and
88/TCP URIs a higher priority than the KKDCP HTTPS URIs?

> 2. probably client installer must be updated because currently with
> CA-full installation it is not working.
> ipa-client-install (with autodiscovery) failed on kinit, see KRB5_TRACE
> bellow that it refuses self signed certificate

Actually it is not a self-sigend EE certificate. The validation message
is bogus because FreeIPA TLS configuration is slightly buggy. We send
the trust anchor (root CA) although a server should not include its
trust anchor in its ServerHello message. OpenSSL detects an untrusted
root CA in the ServerHello peer chain and emits the message.

If I read the 600 lines (!) function ipaclient.install.client._install
correctly, then ipa-client-install first attempts to negotiate a TGT and
then installs the trust anchor in the global trust store. It should be
enough to reverse the order and inject the trust anchor first.


Christian Heimes
Senior Software Engineer, Identity Management and Platform Security

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael
O'Neill, Eric Shander

Attachment: signature.asc
Description: OpenPGP digital signature

Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to