[Freeipa-devel] KDC proxy URI records

Christian Heimes cheimes at redhat.com
Thu Apr 27 12:19:03 UTC 2017


On 2017-04-27 14:00, Martin Bašti wrote:
> I would like to discuss consequences of adding kdc URI records:
> 
> 1. basically all ipa clients enrolled using autodiscovery will use
> kdcproxy instead of KDC on port 88, because URI takes precedence over
> SRV in KRB5 client implementation. Are we ok with such a big change?

Does the client also prefer KKDCP if you give the Kerberos 88/UDP and
88/TCP URIs a higher priority than the KKDCP HTTPS URIs?

> 2. probably client installer must be updated because currently with
> CA-full installation it is not working.
> 
> ipa-client-install (with autodiscovery) failed on kinit, see KRB5_TRACE
> below that it refuses self signed certificate

Actually it is not a self-signed EE certificate. The validation message
is bogus because FreeIPA TLS configuration is slightly buggy. We send
the trust anchor (root CA) although a server should not include its
trust anchor in its ServerHello message. OpenSSL detects an untrusted
root CA in the ServerHello peer chain and emits the message.

If I read the 600-line (!) function ipaclient.install.client._install
correctly, then ipa-client-install first attempts to negotiate a TGT and
then installs the trust anchor in the global trust store. It should be
enough to reverse the order and inject the trust anchor first.

Christian


-- 
Christian Heimes
Senior Software Engineer, Identity Management and Platform Security

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael
O'Neill, Eric Shander
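To make the URI-record discussion above concrete, here is an added example (not FreeIPA's or MIT krb5's code) that parses krb5srv URI record targets and orders them the way RFC 7553 prescribes, i.e. with SRV-style priority and weight (RFC 2782): lowest priority first, weight only breaking ties within a level. The zone contents are constructed; whether a particular client honours the priority exactly as asked above is left to that client's implementation.

```python
"""Parse krb5srv URI records and order them by RFC 2782 priority/weight."""
import random
from dataclasses import dataclass


@dataclass
class KdcLocation:
    priority: int
    weight: int
    master: bool       # "m" flag in the krb5srv target
    transport: str     # "udp", "tcp" or "kkdcp"
    residual: str      # host[:port] for udp/tcp, an https URL for kkdcp


def parse_krb5srv(priority, weight, target):
    """Parse one URI record target of the form krb5srv:<flags>:<transport>:<residual>."""
    scheme, flags, transport, residual = target.split(":", 3)
    if scheme != "krb5srv":
        raise ValueError(f"unsupported scheme: {scheme}")
    if transport not in ("udp", "tcp", "kkdcp"):
        raise ValueError(f"unsupported transport: {transport}")
    if transport == "kkdcp" and not residual.startswith("https://"):
        raise ValueError("kkdcp residual must be an https URL")
    return KdcLocation(priority, weight, "m" in flags, transport, residual)


def _weighted_order(group, rng):
    """RFC 2782 selection within one priority level: zero weights first,
    then pick repeatedly with probability proportional to weight."""
    remaining = sorted(group, key=lambda r: r.weight)
    ordered = []
    while remaining:
        pick = rng.randint(0, sum(r.weight for r in remaining))
        running = 0
        for rec in remaining:
            running += rec.weight
            if running >= pick:
                break
        ordered.append(rec)
        remaining.remove(rec)
    return ordered


def order_locations(records, seed=0):
    """Return records in the order a client would contact them."""
    rng = random.Random(seed)  # seeded so the ordering is reproducible
    ordered = []
    for prio in sorted({r.priority for r in records}):
        ordered.extend(_weighted_order([r for r in records if r.priority == prio], rng))
    return ordered


def sample_records():
    """Constructed _kerberos.EXAMPLE.TEST URI records: KKDCP ahead of plain KDC."""
    return [
        parse_krb5srv(10, 1, "krb5srv:m:kkdcp:https://ipa1.example.test/KdcProxy"),
        parse_krb5srv(10, 1, "krb5srv::kkdcp:https://ipa2.example.test/KdcProxy"),
        parse_krb5srv(20, 1, "krb5srv:m:tcp:kdc1.example.test:88"),
        parse_krb5srv(20, 1, "krb5srv::udp:kdc2.example.test:88"),
    ]
```

With the constructed zone, both KKDCP endpoints are tried before either port-88 KDC regardless of the seed, because priority is evaluated before weight.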
