[Freeipa-devel] KDC proxy URI records

Martin Bašti mbasti at redhat.com
Thu Apr 27 12:00:35 UTC 2017



On 26.04.2017 20:41, Simo Sorce wrote:
> On Wed, 2017-04-26 at 12:57 +0200, Martin Bašti wrote:
>> On 25.04.2017 16:57, Martin Bašti wrote:
>>> Hello all,
>>>
>>> I'm going to implement automatic URI records for the KDC proxy and I'd
>>> like to clarify whether the following URI records are the right ones.
>>>
>>>
>>> _kerberos-adm.example.com. IN URI <prio> 0
>>> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
>>>
>>> _krb5kdc.example.com. IN URI <prio> 0
>>> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
>>>
>>> _kpasswd.example.com. IN URI <prio> 0
>>> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
>>>
>>>
>>> I assume we want to use "kkdcp" and "https", and the "M" flag, as all IPA
>>> servers are masters; please confirm.
>>>
>>>
>>> Sources:
>>>
>>> https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery
>>>
>>> https://tools.ietf.org/id/draft-mccallum-kitten-krb-service-discovery-02.txt
>>>
>>>
>>>
>>> Thank you
>>>
>> I found out that the wiki page differs from the RFC draft and from the
>> source in git
>>
>> There is "_kerberos.REALM" record instead of "_krb5kdc.REALM"
>>
>>
>> And I'm not sure if _kerberos-adm should be included as we don't really
>> support kadmin.
> We shouldn't.
>
> Simo.
>

I would like to discuss the consequences of adding KDC URI records:

1. Basically all IPA clients enrolled using autodiscovery will use the
kdcproxy instead of the KDC on port 88, because URI records take precedence
over SRV records in the krb5 client implementation. Are we OK with such a big change?

2. The client installer probably must be updated, because currently it does
not work with a CA-full installation.

ipa-client-install (with autodiscovery) failed on kinit; see the KRB5_TRACE
below, which shows that it refuses the self-signed certificate.

....
Realm: IPA.TEST
DNS Domain: ipa.test
IPA Server: master.ipa.test
BaseDN: dc=ipa,dc=test

Continue to configure the system with these values? [no]: y
Skipping synchronizing time with NTP server.
User authorized to enroll computers: admin
Password for admin@IPA.TEST:
Successfully retrieved CA cert
     Subject:     CN=Certificate Authority,O=IPA.TEST
     Issuer:      CN=Certificate Authority,O=IPA.TEST
     Valid From:  2017-04-27 11:02:28
     Valid Until: 2037-04-27 11:02:28

Enrolled in IPA realm IPA.TEST
Created /etc/ipa/default.conf
New SSSD config will be created
Configured sudoers in /etc/nsswitch.conf
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm IPA.TEST
trying https://master.ipa.test/ipa/json
Forwarding 'schema' to json server 'https://master.ipa.test/ipa/json'
Major (851968): Unspecified GSS failure.  Minor code may provide more information, Minor (2529639068): Cannot contact any KDC for realm 'IPA.TEST'
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information

[root@client1 ~]# KRB5_TRACE=/dev/stderr kinit admin
[25690] 1493293387.746616: Getting initial credentials for admin@IPA.TEST
[25690] 1493293387.750307: Sending request (164 bytes) to IPA.TEST
[25690] 1493293387.751468: Resolving hostname master.ipa.test
[25690] 1493293387.765261: TLS certificate error at 1 (O=IPA.TEST, CN=Certificate Authority): 19 (self signed certificate in certificate chain)
[25690] 1493293387.765680: TLS error: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
[25690] 1493293387.765807: HTTPS error sending to https 192.168.138.101:443
[25690] 1493293387.766873: Terminating TCP connection to https 192.168.138.101:443
kinit: Cannot contact any KDC for realm 'IPA.TEST' while getting initial credentials


IMHO we have to update krb5.conf or add the IPA CA cert to the trusted
certificates. I'm afraid that URI records may break already installed
clients (once they are updated to a newer krb5-workstation); I have to test it.

-- 
Martin Bašti
Software Engineer
Red Hat Czech
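Added example (not FreeIPA code, and not from the thread): a small Python helper that renders the URI records under discussion in the `krb5srv:<flags>:<transport>:<residual>` form from the draft, using the `_kerberos` and `_kpasswd` owner names (no `_kerberos-adm`, since kadmin is not served), flags a record set that still uses the old wiki name `_krb5kdc` or a non-https kkdcp residual, and emits the krb5.conf realm stanza with MIT krb5's `http_anchors` setting, which is what lets libkrb5 trust the IPA CA that the trace above rejects. The realm, domain and hostnames are constructed; the record weight of 0 mirrors the records in the thread.

```python
"""Render and sanity-check Kerberos KDC-proxy URI records.

Added example, not FreeIPA's own code. Record syntax assumed from
draft-mccallum-kitten-krb-service-discovery:
    "krb5srv:<flags>:<transport>:<residual>"
where flags may contain "M" (master) and transport is tcp, udp or kkdcp.
Realm/domain/hostnames used below are constructed.
"""
import re
from urllib.parse import urlsplit

# Owner names the draft defines. _kerberos-adm is left out on purpose:
# IPA does not serve kadmin, so advertising it would be wrong.
URI_OWNERS = ("_kerberos", "_kpasswd")
VALID_TRANSPORTS = {"tcp", "udp", "kkdcp"}
_URI_RE = re.compile(
    r"^krb5srv:(?P<flags>[A-Za-z]*):(?P<transport>[a-z]+):(?P<residual>.+)$"
)


def kkdcp_uri(server, master=True, path="/KdcProxy"):
    """krb5srv value pointing at a KDC proxy over HTTPS (path is an assumption)."""
    flags = "M" if master else ""
    return f"krb5srv:{flags}:kkdcp:https://{server}{path}"


def uri_records(domain, servers, priority=0, weight=0):
    """Zone-file lines: one _kerberos and one _kpasswd URI RR per server."""
    lines = []
    for owner in URI_OWNERS:
        for server in servers:
            lines.append(
                f'{owner}.{domain}. IN URI {priority} {weight} "{kkdcp_uri(server)}"'
            )
    return lines


def parse_uri(value):
    """Split a krb5srv value into its parts, rejecting malformed ones."""
    m = _URI_RE.match(value)
    if not m:
        raise ValueError(f"not a krb5srv URI: {value!r}")
    flags, transport, residual = m.group("flags", "transport", "residual")
    if transport not in VALID_TRANSPORTS:
        raise ValueError(f"unknown transport {transport!r}")
    if transport == "kkdcp":
        # A proxy residual is a URL; anything but https hands the KDC
        # exchange to the network in clear, so refuse it.
        url = urlsplit(residual)
        if url.scheme != "https" or not url.hostname:
            raise ValueError(f"kkdcp residual must be an https URL: {residual!r}")
    return {"master": "M" in flags, "transport": transport, "residual": residual}


def check_records(lines):
    """Return a list of problems found in zone-file lines (empty means OK)."""
    problems = []
    for line in lines:
        owner = line.split()[0].split(".")[0]
        if owner == "_krb5kdc":
            problems.append(f"{line}: owner should be _kerberos (draft/git), not _krb5kdc")
        elif owner == "_kerberos-adm":
            problems.append(f"{line}: kadmin is not served, drop _kerberos-adm")
        try:
            parse_uri(line.split('"')[1])
        except (ValueError, IndexError) as exc:
            problems.append(f"{line}: {exc}")
    return problems


def realm_stanza(realm, ca_file="/etc/ipa/ca.crt"):
    """krb5.conf [realms] entry that trusts the IPA CA for the proxy's TLS.

    http_anchors is MIT krb5's per-realm setting for the CA used to verify a
    KKDCP proxy certificate; without it the self-signed IPA CA is rejected
    exactly as in the KRB5_TRACE output above.
    """
    return "\n".join([
        "[realms]",
        f"  {realm} = {{",
        f"    http_anchors = FILE:{ca_file}",
        "  }",
    ])


if __name__ == "__main__":
    recs = uri_records("ipa.test", ["master.ipa.test"])
    print("\n".join(recs))
    print("problems:", check_records(recs))
    print(realm_stanza("IPA.TEST"))
```

`check_records` is the piece worth running before publishing the records: it catches the `_krb5kdc` vs `_kerberos` mismatch between the wiki and the draft that the thread ran into, and a plain-http residual that would silently downgrade the proxy transport.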
