[Freeipa-devel] KDC proxy URI records

Martin Bašti mbasti at redhat.com
Thu Apr 27 14:16:07 UTC 2017



On 27.04.2017 14:19, Christian Heimes wrote:
> On 2017-04-27 14:00, Martin Bašti wrote:
>> I would like to discuss consequences of adding kdc URI records:
>>
>> 1. basically all ipa clients enrolled using autodiscovery will use
>> kdcproxy instead of KDC on port 88, because URI takes precedence over
>> SRV in KRB5 client implementation. Are we ok with such a big change?
> Does the client also prefer KKDCP if you give the Kerberos 88/UDP and
> 88/TCP URIs a higher priority than the KKDCP HTTPS URIs?

It should use 88/TCP, 88/UDP then; it can be a way to avoid issues
with clients.

>
>> 2. probably client installer must be updated because currently with
>> CA-full installation it is not working.
>>
>> ipa-client-install (with autodiscovery) failed on kinit, see KRB5_TRACE
>> below; it refuses a self-signed certificate
> Actually it is not a self-signed EE certificate. The validation message
> is bogus because FreeIPA TLS configuration is slightly buggy. We send
> the trust anchor (root CA) although a server should not include its
> trust anchor in its ServerHello message. OpenSSL detects an untrusted
> root CA in the ServerHello peer chain and emits the message.
>
> If I read the 600 lines (!) function ipaclient.install.client._install
> correctly, then ipa-client-install first attempts to negotiate a TGT and
> then installs the trust anchor in the global trust store. It should be
> enough to reverse the order and inject the trust anchor first.

Most likely; I haven't checked deeper.

>
> Christian
>
>

-- 
Martin Bašti
Software Engineer
Red Hat Czech
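To make the priority question in the thread concrete, here is an added example (not code from this thread or from the FreeIPA project) that models how a Kerberos client orders `_kerberos.<REALM>` URI records: RFC 7553 priority semantics over targets in the MIT krb5 `krb5srv:[flags]:transport:residual` form. The zone records, host names and the `/KdcProxy` path are constructed sample values, and tie-breaking among equal priorities is simplified to a deterministic sort.

```python
# Added example: models client-side ordering of _kerberos.<REALM> URI records.
# Not FreeIPA code; the records below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class KdcUri:
    priority: int      # lower value is tried first (RFC 7553)
    weight: int        # tiebreaker among equal priorities (simplified here)
    flags: str         # "m" marks a master/primary KDC, "" otherwise
    transport: str     # "udp", "tcp" or "kkdcp"
    residual: str      # host[:port] for udp/tcp, an https URL for kkdcp


def parse_krb5srv(priority, weight, target):
    """Parse one URI record target of the form krb5srv:[flags]:transport:residual."""
    scheme, flags, transport, residual = target.split(":", 3)
    if scheme != "krb5srv":
        raise ValueError(f"unsupported URI scheme: {scheme}")
    if transport not in ("udp", "tcp", "kkdcp"):
        raise ValueError(f"unsupported transport: {transport}")
    if transport == "kkdcp" and not residual.startswith("https://"):
        raise ValueError("KKDCP residual must be an https URL")
    return KdcUri(int(priority), int(weight), flags, transport, residual)


def kdc_order(records):
    """Return the records in the order a client would try them."""
    # Simplification: real clients pick randomly among equal-priority records
    # proportionally to weight; a descending-weight sort keeps this deterministic.
    return sorted(records, key=lambda r: (r.priority, -r.weight))


# Constructed zone data: port-88 transports get a better (lower) priority
# than the KKDCP URI, so autodiscovered clients try plain Kerberos first.
ZONE = [
    (10, 1, "krb5srv:m:tcp:kdc1.example.test"),
    (10, 1, "krb5srv:m:udp:kdc1.example.test"),
    (20, 1, "krb5srv:m:kkdcp:https://kdc1.example.test/KdcProxy"),
]


def transports_in_order(zone=ZONE):
    """Transports in the order a client would try them for the given zone records."""
    return [r.transport for r in kdc_order(parse_krb5srv(*rec) for rec in zone)]


if __name__ == "__main__":
    print(transports_in_order())  # ['tcp', 'udp', 'kkdcp']
```

Swapping the priorities in `ZONE` (KKDCP at 10, port 88 at 20) puts `kkdcp` first, which is the behaviour the thread is worried about.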