On 2017-04-27 14:00, Martin Bašti wrote:
> 
> 
> On 26.04.2017 20:41, Simo Sorce wrote:
>> On Wed, 2017-04-26 at 12:57 +0200, Martin Bašti wrote:
>>> On 25.04.2017 16:57, Martin Bašti wrote:
>>>> Hello all,
>>>>
>>>> I'm going to implement automatic URI records for kdc proxy and I'd
>>>> like to clarify if the following URI records are the right ones.
>>>>
>>>>
>>>> _kerberos-adm.example.com. IN URI <prio> 0
>>>> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy";
>>>>
>>>> _krb5kdc.example.com. IN URI <prio> 0
>>>> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy";
>>>>
>>>> _kpasswd.example.com. IN URI <prio> 0
>>>> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy";
>>>>
>>>>
>>>> I assume we want to use "kkdcp" and "https", and "M" flag as all IPA
>>>> servers are masters, please confirm.
>>>>
>>>>
>>>> Sources:
>>>>
>>>> https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery
>>>>
>>>> https://tools.ietf.org/id/draft-mccallum-kitten-krb-service-discovery-02.txt
>>>>
>>>>
>>>>
>>>>
>>>> Thank you
>>>>
>>> I found out that the wiki page differs from the RFC draft and from the
>>> source in git
>>>
>>> There is "_kerberos.REALM" record instead of "_krb5kdc.REALM"
>>>
>>>
>>> And I'm not sure if _kerberos-adm should be included as we don't really
>>> support kadmin.
>> We shouldn't.
>>
>> Simo.
>>
> 
> I would like to discuss consequences of adding kdc URI records:
> 
> 1. basically all ipa clients enrolled using autodiscovery will use
> kdcproxy instead of the KDC on port 88, because URI takes precedence over
> SRV in the KRB5 client implementation. Are we ok with such a big change?

Update: It's correct that URI records have a higher priority than SRV
records. A client with URI discovery support will never check SRV
records when it is able to retrieve URI records. For newer clients we
have to include TCP and UDP URI records, too.

I did some testing. MIT KRB5 prefers UDP/TCP over MS-KKDCP for records
with the same priority. That fact is not stated in the RFC. I'm writing a
mail to Nathaniel and Simo to discuss the matter.

Christian

-- 
Christian Heimes
Senior Software Engineer, Identity Management and Platform Security

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael
O'Neill, Eric Shander
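The precedence rule discussed in this thread (a URI-capable client never consults SRV records once it has URI records, so publishing only a kkdcp record silently removes port 88 from the client's candidate list) is easy to model. The following is an added example written for this archive page; it is not code from the thread, from FreeIPA or from MIT krb5. It parses URI RDATA in the draft's `krb5srv:FLAGS:TRANSPORT:RESIDUAL` form, applies the URI-over-SRV precedence, and generates the record set an IPA server would need so that UDP/TCP KDC access survives alongside the proxy. All function names, the sample records, the priority/weight numbers and the "lower priority first, higher weight first" tie-break (a simplification of weighted random selection) are assumptions of this example; record owner names follow the draft and git source as reported in the thread (`_kerberos` rather than `_krb5kdc`, no `_kerberos-adm`).

```python
"""Model of Kerberos KDC discovery via DNS URI records (krb5srv scheme).

Added example, not code from the thread, FreeIPA or MIT krb5.
All sample records below are constructed; priority/weight values are arbitrary.
"""
import re
from dataclasses import dataclass

# Transports defined by the krb5srv scheme; "M" (master/primary KDC) is the only flag used here.
KNOWN_TRANSPORTS = {"udp", "tcp", "kkdcp"}
KNOWN_FLAGS = {"M"}

# URI record RDATA: <priority> <weight> "<target>"
_RDATA_RE = re.compile(r'\s*(\d+)\s+(\d+)\s+"([^"]*)"\s*')


@dataclass(frozen=True)
class KrbUri:
    priority: int
    weight: int
    flags: frozenset
    transport: str
    residual: str  # host[:port] for udp/tcp, a URL for kkdcp


def parse_uri_rdata(rdata: str) -> KrbUri:
    """Parse one URI record's RDATA and validate the krb5srv target."""
    m = _RDATA_RE.fullmatch(rdata)
    if not m:
        raise ValueError(f"malformed URI rdata: {rdata!r}")
    priority, weight, target = int(m.group(1)), int(m.group(2)), m.group(3)
    # Split on the first three colons only: a kkdcp residual is a URL containing "://".
    parts = target.split(":", 3)
    if len(parts) != 4 or parts[0] != "krb5srv":
        raise ValueError(f"not a krb5srv target: {target!r}")
    _, flags, transport, residual = parts
    if transport not in KNOWN_TRANSPORTS:
        raise ValueError(f"unknown transport {transport!r}")  # assumption: reject, do not guess
    if not residual:
        raise ValueError("empty residual")
    if transport == "kkdcp" and "://" not in residual:
        raise ValueError("kkdcp residual must be a URL")
    # Assumption: flags this parser does not know are ignored rather than treated as errors.
    known = frozenset(f for f in flags if f in KNOWN_FLAGS)
    return KrbUri(priority, weight, known, transport, residual)


def select_kdcs(uri_rdatas, srv_targets):
    """Client-side precedence as described in the thread: if any usable URI record
    exists, SRV records are never consulted. Lower priority wins; equal priority is
    ordered by descending weight here (a real resolver does weighted random choice)."""
    uris = []
    for rdata in uri_rdatas:
        try:
            uris.append(parse_uri_rdata(rdata))
        except ValueError:
            continue  # one malformed record is skipped; it does not disable URI discovery
    if uris:
        ordered = sorted(uris, key=lambda u: (u.priority, -u.weight))
        return [(u.transport, u.residual) for u in ordered]
    return [("srv", t) for t in srv_targets]


def publish_records(realm_domain, kdc_host, proxy_url, prio=10):
    """Zone lines a server should publish so URI-capable clients keep UDP/TCP access
    to the KDC (port 88) and kpasswd (port 464) in addition to the kkdcp proxy."""
    lines = []
    for owner, port in (("_kerberos", 88), ("_kpasswd", 464)):
        for transport, residual in (("udp", f"{kdc_host}:{port}"),
                                    ("tcp", f"{kdc_host}:{port}"),
                                    ("kkdcp", proxy_url)):
            lines.append(f'{owner}.{realm_domain}. IN URI {prio} 1 '
                         f'"krb5srv:M:{transport}:{residual}"')
    return lines


# Constructed sample: the proxy-only record set from the thread plus an SRV fallback.
PROXY_ONLY = ['10 1 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"']
SRV_FALLBACK = ["ipaserver.example.com:88"]

if __name__ == "__main__":
    # Port 88 never appears: with only a kkdcp URI record every client goes through the proxy.
    print(select_kdcs(PROXY_ONLY, SRV_FALLBACK))
    print(select_kdcs([], SRV_FALLBACK))
    for line in publish_records("example.com", "ipaserver.example.com",
                                "https://ipaserver.example.com/KdcProxy"):
        print(line)
```

Running the script shows the two consequences raised in the thread: with `PROXY_ONLY` the candidate list contains only the proxy URL even though an SRV record for port 88 exists, while `publish_records` emits six lines (udp, tcp and kkdcp for both `_kerberos` and `_kpasswd`) so that direct KDC access remains available to clients that prefer URI records.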


-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
