[Freeipa-devel] KDC proxy URI records

Christian Heimes cheimes at redhat.com
Thu Apr 27 15:12:25 UTC 2017


On 2017-04-27 16:16, Martin Bašti wrote:
> 
> 
> On 27.04.2017 14:19, Christian Heimes wrote:
>> On 2017-04-27 14:00, Martin Bašti wrote:
>>> I would like to discuss consequences of adding kdc URI records:
>>>
>>> 1. basically all ipa clients enrolled using autodiscovery will use
>>> kdcproxy instead of KDC on port 88, because URI takes precedence over
>>> SRV in KRB5 client implementation. Are we ok with such a big change?
>> Does the client also prefer KKDCP if you give the Kerberos 88/UDP and
>> 88/TCP URIs a higher priority than the KKDCP HTTPS URIs?
> 
> It should use 88/TCP, 88/UDP then; it can be a way to avoid issues
> with clients.
Small correction: Kerberos should prefer UDP over TCP.

Christian

-- 
Christian Heimes
Senior Software Engineer, Identity Management and Platform Security

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael
O'Neill, Eric Shander
