[Freeipa-devel] KDC proxy URI records
Simo Sorce
simo at redhat.com
Thu Apr 27 14:16:23 UTC 2017
On Thu, 2017-04-27 at 15:56 +0200, Petr Vobornik wrote:
> On 04/27/2017 02:19 PM, Christian Heimes wrote:
> > On 2017-04-27 14:00, Martin Bašti wrote:
> > > I would like to discuss consequences of adding kdc URI records:
> > >
> > > 1. basically all ipa clients enrolled using autodiscovery will
> > > use
> > > kdcproxy instead of KDC on port 88, because URI takes precedence
> > > over
> > > SRV in KRB5 client implementation. Are we ok with such a big
> > > change?
> >
> > Does the client also prefer KKDCP if you give the Kerberos 88/UDP
> > and
> > 88/TCP URIs a higher priority than the KKDCP HTTPS URIs?
> >
> > > 2. probably client installer must be updated because currently
> > > with
> > > CA-full installation it is not working.
> > >
> > > ipa-client-install (with autodiscovery) failed on kinit, see
> > > KRB5_TRACE
> > > bellow that it refuses self signed certificate
> >
> > Actually it is not a self-sigend EE certificate. The validation
> > message
> > is bogus because FreeIPA TLS configuration is slightly buggy. We
> > send
> > the trust anchor (root CA) although a server should not include its
> > trust anchor in its ServerHello message. OpenSSL detects an
> > untrusted
> > root CA in the ServerHello peer chain and emits the message.
> >
> > If I read the 600 lines (!) function
> > ipaclient.install.client._install
> > correctly, then ipa-client-install first attempts to negotiate a
> > TGT and
> > then installs the trust anchor in the global trust store. It should
> > be
> > enough to reverse the order and inject the trust anchor first.
> >
> > Christian
> >
>
> By reading this, even if we do the change in client install, I'd
> rather
> not generate the DNS records in 4.5.1 release and rather make sure
> that
> everything works during 4.6 development.
>
> The reason is that there might also be something else not working and
> it
> is better to time test it + the fix would not fix older clients.
>
> If anybody wants to use/try it, then the records can be created
> manually.
We need to ix clients regardless, o someone enabling it will find the
same issues.
Simo.
More information about the Freeipa-devel
mailing list