Re: [Freeipa-devel] [PATCH] Set master_kdc and dns_lookup_kdc to true
Sumit Bose wrote: On Sat, Sep 15, 2012 at 06:14:56PM -0400, Simo Sorce wrote: On Sat, 2012-09-15 at 22:02 +0200, Sumit Bose wrote: On Fri, Sep 14, 2012 at 05:57:23PM -0400, Rob Crittenden wrote: Sumit Bose wrote: Hi, those two patches should fix https://fedorahosted.org/freeipa/ticket/2515 . The first makes the needed change for fresh installations. The second adds the changes during ipa-adtrust-install if needed. I prefer to do the changes here instead of during updates, because during updates it is not easy to see that the Kerberos configuration was changes. I guess it is good form to update the RHEL 4 client installer but will anyone test it? I think it would be confusion if the RHEL4 client installer has different information than the default one. Is master_kdc supported in the MIT kfw version (krb5.ini)? For me it looks that the parse is build from the same sources. This suffers from the problem Simo envisioned with ticket 931. If the /etc/hosts entry is removed then DNS will not start. We add an entry during installation, so this may be less of an issue. If the /etc/hosts entry is removed DNS will not start in either case. I think the solution to #931 is setting the master_kdc option. You can easily reproduce startup problems if you set 'dns_lookup_kdc = true', stop sssd and try to restart named. This will run into a timeout and bind will not start. The reason is that besides a KDC the Kerberos client libraries also try to look up the master KDC (but it seems to be ok if the lookup finally fails). If sssd is running the locator plugin will return the current KDC as master. If it is not running, as in the test described above, /etc/krb5.conf is used next. If it does not have a master_kdc entry and 'dns_lookup_kdc = false' there is no other source for the master KDC and the client libraries continue with normal processing. If master_kdc is not set but 'dns_lookup_kdc = true' then a DNS lookup is tried, which will run into a timeout since the DNS server is not started yet. But if master_kdc is set in krb5.conf the client libraries will just use this value and will not try any DNS lookup, independently of the setting of dns_lookup_kdc. As a side note. Since we run named as user named I wonder if it would be possible to use SASL EXTERNAL auth instead of GSSAPI to bind to the LDAP server. If this would work safe and secure there would be no dependencies to the KDC during the startup of bind? The reason why we use gssapi is so that all operations performed by bind happen as the DNS/fqdn user, and we can use ACIs targeted at the bind process. In order to use SASL EXTERNAL we would need the bind process to change euid to an unprivileged user that we then need to map to some specific user. As said above named is already run as the unprivileged user named. In general krb5kdc should always start before named, and should not depend on DNS resolution. If krb5kdc is started first bind should have no issues. The only proble is if gssapi libraries try to use DNS resolution, but we should have that solved by using the krb locator plugin. yes, and even if the locator plugin isn't available setting master_kdc will make sure we never fall back to DNS for the local realm. Just to make sure, I do not want to say that the authentication type used by named must be changes to solve potential issues. Setting master_kdc will solve them. Ok, I'm satisfied. ACK, pushed both to master and ipa-3-0. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Set master_kdc and dns_lookup_kdc to true
On Sat, Sep 15, 2012 at 06:14:56PM -0400, Simo Sorce wrote: > On Sat, 2012-09-15 at 22:02 +0200, Sumit Bose wrote: > > On Fri, Sep 14, 2012 at 05:57:23PM -0400, Rob Crittenden wrote: > > > Sumit Bose wrote: > > > >Hi, > > > > > > > >those two patches should fix > > > >https://fedorahosted.org/freeipa/ticket/2515 . The first makes the > > > >needed change for fresh installations. The second adds the changes > > > >during ipa-adtrust-install if needed. I prefer to do the changes here > > > >instead of during updates, because during updates it is not easy to see > > > >that the Kerberos configuration was changes. > > > > > > > > > > I guess it is good form to update the RHEL 4 client installer but > > > will anyone test it? > > > > I think it would be confusion if the RHEL4 client installer has > > different information than the default one. > > > > > > > > Is master_kdc supported in the MIT kfw version (krb5.ini)? > > > > For me it looks that the parse is build from the same sources. > > > > > > > > This suffers from the problem Simo envisioned with ticket 931. If > > > the /etc/hosts entry is removed then DNS will not start. We add an > > > entry during installation, so this may be less of an issue. > > > > If the /etc/hosts entry is removed DNS will not start in either case. > > > > I think the solution to #931 is setting the master_kdc option. You can > > easily reproduce startup problems if you set 'dns_lookup_kdc = true', > > stop sssd and try to restart named. This will run into a timeout and > > bind will not start. The reason is that besides a KDC the Kerberos > > client libraries also try to look up the master KDC (but it seems to be > > ok if the lookup finally fails). If sssd is running the locator plugin > > will return the current KDC as master. If it is not running, as in the > > test described above, /etc/krb5.conf is used next. If it does not have a > > master_kdc entry and 'dns_lookup_kdc = false' there is no other source > > for the master KDC and the client libraries continue with normal > > processing. If master_kdc is not set but 'dns_lookup_kdc = true' then a > > DNS lookup is tried, which will run into a timeout since the DNS server > > is not started yet. But if master_kdc is set in krb5.conf the client > > libraries will just use this value and will not try any DNS lookup, > > independently of the setting of dns_lookup_kdc. > > > > As a side note. Since we run named as user named I wonder if it would be > > possible to use SASL EXTERNAL auth instead of GSSAPI to bind to the LDAP > > server. If this would work safe and secure there would be no > > dependencies to the KDC during the startup of bind? > > The reason why we use gssapi is so that all operations performed by bind > happen as the DNS/fqdn user, and we can use ACIs targeted at the bind > process. In order to use SASL EXTERNAL we would need the bind process to > change euid to an unprivileged user that we then need to map to some > specific user. As said above named is already run as the unprivileged user named. > > In general krb5kdc should always start before named, and should not > depend on DNS resolution. If krb5kdc is started first bind should have > no issues. The only proble is if gssapi libraries try to use DNS > resolution, but we should have that solved by using the krb locator > plugin. yes, and even if the locator plugin isn't available setting master_kdc will make sure we never fall back to DNS for the local realm. Just to make sure, I do not want to say that the authentication type used by named must be changes to solve potential issues. Setting master_kdc will solve them. bye, Sumit > > Simo. > > -- > Simo Sorce * Red Hat, Inc * New York > ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Set master_kdc and dns_lookup_kdc to true
On Sat, 2012-09-15 at 22:02 +0200, Sumit Bose wrote: > On Fri, Sep 14, 2012 at 05:57:23PM -0400, Rob Crittenden wrote: > > Sumit Bose wrote: > > >Hi, > > > > > >those two patches should fix > > >https://fedorahosted.org/freeipa/ticket/2515 . The first makes the > > >needed change for fresh installations. The second adds the changes > > >during ipa-adtrust-install if needed. I prefer to do the changes here > > >instead of during updates, because during updates it is not easy to see > > >that the Kerberos configuration was changes. > > > > > > > I guess it is good form to update the RHEL 4 client installer but > > will anyone test it? > > I think it would be confusion if the RHEL4 client installer has > different information than the default one. > > > > > Is master_kdc supported in the MIT kfw version (krb5.ini)? > > For me it looks that the parse is build from the same sources. > > > > > This suffers from the problem Simo envisioned with ticket 931. If > > the /etc/hosts entry is removed then DNS will not start. We add an > > entry during installation, so this may be less of an issue. > > If the /etc/hosts entry is removed DNS will not start in either case. > > I think the solution to #931 is setting the master_kdc option. You can > easily reproduce startup problems if you set 'dns_lookup_kdc = true', > stop sssd and try to restart named. This will run into a timeout and > bind will not start. The reason is that besides a KDC the Kerberos > client libraries also try to look up the master KDC (but it seems to be > ok if the lookup finally fails). If sssd is running the locator plugin > will return the current KDC as master. If it is not running, as in the > test described above, /etc/krb5.conf is used next. If it does not have a > master_kdc entry and 'dns_lookup_kdc = false' there is no other source > for the master KDC and the client libraries continue with normal > processing. If master_kdc is not set but 'dns_lookup_kdc = true' then a > DNS lookup is tried, which will run into a timeout since the DNS server > is not started yet. But if master_kdc is set in krb5.conf the client > libraries will just use this value and will not try any DNS lookup, > independently of the setting of dns_lookup_kdc. > > As a side note. Since we run named as user named I wonder if it would be > possible to use SASL EXTERNAL auth instead of GSSAPI to bind to the LDAP > server. If this would work safe and secure there would be no > dependencies to the KDC during the startup of bind? The reason why we use gssapi is so that all operations performed by bind happen as the DNS/fqdn user, and we can use ACIs targeted at the bind process. In order to use SASL EXTERNAL we would need the bind process to change euid to an unprivileged user that we then need to map to some specific user. In general krb5kdc should always start before named, and should not depend on DNS resolution. If krb5kdc is started first bind should have no issues. The only proble is if gssapi libraries try to use DNS resolution, but we should have that solved by using the krb locator plugin. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Set master_kdc and dns_lookup_kdc to true
On Fri, Sep 14, 2012 at 05:57:23PM -0400, Rob Crittenden wrote: > Sumit Bose wrote: > >Hi, > > > >those two patches should fix > >https://fedorahosted.org/freeipa/ticket/2515 . The first makes the > >needed change for fresh installations. The second adds the changes > >during ipa-adtrust-install if needed. I prefer to do the changes here > >instead of during updates, because during updates it is not easy to see > >that the Kerberos configuration was changes. > > > > I guess it is good form to update the RHEL 4 client installer but > will anyone test it? I think it would be confusion if the RHEL4 client installer has different information than the default one. > > Is master_kdc supported in the MIT kfw version (krb5.ini)? For me it looks that the parse is build from the same sources. > > This suffers from the problem Simo envisioned with ticket 931. If > the /etc/hosts entry is removed then DNS will not start. We add an > entry during installation, so this may be less of an issue. If the /etc/hosts entry is removed DNS will not start in either case. I think the solution to #931 is setting the master_kdc option. You can easily reproduce startup problems if you set 'dns_lookup_kdc = true', stop sssd and try to restart named. This will run into a timeout and bind will not start. The reason is that besides a KDC the Kerberos client libraries also try to look up the master KDC (but it seems to be ok if the lookup finally fails). If sssd is running the locator plugin will return the current KDC as master. If it is not running, as in the test described above, /etc/krb5.conf is used next. If it does not have a master_kdc entry and 'dns_lookup_kdc = false' there is no other source for the master KDC and the client libraries continue with normal processing. If master_kdc is not set but 'dns_lookup_kdc = true' then a DNS lookup is tried, which will run into a timeout since the DNS server is not started yet. But if master_kdc is set in krb5.conf the client libraries will just use this value and will not try any DNS lookup, independently of the setting of dns_lookup_kdc. As a side note. Since we run named as user named I wonder if it would be possible to use SASL EXTERNAL auth instead of GSSAPI to bind to the LDAP server. If this would work safe and secure there would be no dependencies to the KDC during the startup of bind? bye, Sumit > > rob > ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Set master_kdc and dns_lookup_kdc to true
On Fri, Sep 14, 2012 at 05:57:23PM -0400, Rob Crittenden wrote: > Sumit Bose wrote: > >Hi, > > > >those two patches should fix > >https://fedorahosted.org/freeipa/ticket/2515 . The first makes the > >needed change for fresh installations. The second adds the changes > >during ipa-adtrust-install if needed. I prefer to do the changes here > >instead of during updates, because during updates it is not easy to see > >that the Kerberos configuration was changes. > > > > I guess it is good form to update the RHEL 4 client installer but > will anyone test it? Can we just remove it? I think that RHEL4 has been EOLd already: https://rhn.redhat.com/errata/RHSA-2012-0073.html ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] Set master_kdc and dns_lookup_kdc to true
Sumit Bose wrote: Hi, those two patches should fix https://fedorahosted.org/freeipa/ticket/2515 . The first makes the needed change for fresh installations. The second adds the changes during ipa-adtrust-install if needed. I prefer to do the changes here instead of during updates, because during updates it is not easy to see that the Kerberos configuration was changes. I guess it is good form to update the RHEL 4 client installer but will anyone test it? Is master_kdc supported in the MIT kfw version (krb5.ini)? This suffers from the problem Simo envisioned with ticket 931. If the /etc/hosts entry is removed then DNS will not start. We add an entry during installation, so this may be less of an issue. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel