[Freeipa-devel] KDC proxy URI records

Christian Heimes cheimes at redhat.com
Fri Apr 28 08:34:27 UTC 2017


On 2017-04-27 14:00, Martin Bašti wrote:
> 
> 
> On 26.04.2017 20:41, Simo Sorce wrote:
>> On Wed, 2017-04-26 at 12:57 +0200, Martin Bašti wrote:
>>> On 25.04.2017 16:57, Martin Bašti wrote:
>>>> Hello all,
>>>>
>>>> I'm going to implement automatic URI records for kdc proxy and I'd
>>>> like to clarify if following URI records are the right one.
>>>>
>>>>
>>>> _kerberos-adm.example.com. IN URI <prio> 0
>>>> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
>>>>
>>>> _krb5kdc.example.com. IN URI <prio> 0
>>>> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
>>>>
>>>> _kpasswd.example.com. IN URI <prio> 0
>>>> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
>>>>
>>>>
>>>> I assume we want to use "kkdcp" and "https", and "M" flag as all IPA
>>>> servers are masters, please confirm.
>>>>
>>>>
>>>> Sources:
>>>>
>>>> https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery
>>>>
>>>> https://tools.ietf.org/id/draft-mccallum-kitten-krb-service-discovery-02.txt
>>>>
>>>>
>>>>
>>>>
>>>> Thank you
>>>>
>>> I found out that the wiki page differs from the RFC draft and from the
>>> source in git
>>>
>>> There is "_kerberos.REALM" record instead of "_krb5kdc.REALM"
>>>
>>>
>>> And I'm not sure if _kerberos-adm should be included as we don't really
>>> support kadmin.
>> We shouldn't.
>>
>> Simo.
>>
> 
> I would like to discuss consequences of adding kdc URI records:
> 
> 1. basically all ipa clients enrolled using autodiscovery will use
> kdcproxy instead of KDC on port 88, because URI takes precedence over
> SRV in the KRB5 client implementation. Are we ok with such a big change?

Update: It's correct that URI records have a higher priority than SRV
records. A client with URI discovery support will never check SRV
records when it is able to retrieve URI records. For newer clients we
have to include TCP and UDP URI records, too.

I did some testing. MIT KRB5 prefers UDP/TCP over MS-KKDCP for records
with the same priority. That fact is not stated in the RFC. I'm writing a
mail to Nathaniel and Simo to discuss the matter.

Christian

-- 
Christian Heimes
Senior Software Engineer, Identity Management and Platform Security

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael
O'Neill, Eric Shander
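The two behaviours discussed in this thread, URI records shadowing SRV records entirely and udp/tcp endpoints being tried before kkdcp ones at equal priority, are easier to reason about with a small model. The following is an added illustration, not FreeIPA or MIT krb5 code. It assumes the `krb5srv:<flags>:<transport>:<residual>` target format from the kitten draft cited above (flag `M` for a master, transports `udp`, `tcp`, `kkdcp`, an https URL as the kkdcp residual), the `_kerberos.REALM` owner name mentioned in the thread, and the tie-break rule exactly as Christian observed it in testing rather than anything the draft mandates. The zone data is constructed for the example.

```python
# Added illustration (not FreeIPA or MIT krb5 code): rank KDC endpoints from
# DNS URI records of the form krb5srv:<flags>:<transport>:<residual>, and
# fall back to SRV records only when no URI records exist for the realm.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Tie-break among records with equal priority. The ranking models what the
# thread reports from MIT krb5 testing (udp/tcp before kkdcp); it is an
# assumption for this example, not a rule stated in the draft.
TRANSPORT_RANK = {"udp": 0, "tcp": 0, "kkdcp": 1}


@dataclass(frozen=True)
class Endpoint:
    priority: int
    weight: int
    flags: str        # "M" marks a master KDC, "" otherwise
    transport: str    # udp | tcp | kkdcp
    residual: str     # host:port for udp/tcp, an https URL for kkdcp
    source: str       # "URI" or "SRV", to show which record type was used

    @property
    def is_master(self) -> bool:
        return "M" in self.flags


def parse_krb5srv(priority: int, weight: int, target: str) -> Endpoint:
    """Parse a URI RDATA target such as
    'krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy'.
    The residual may itself contain ':' (https://, host:port), so split
    at most three times."""
    parts = target.split(":", 3)
    if len(parts) != 4 or parts[0] != "krb5srv":
        raise ValueError(f"not a krb5srv URI target: {target!r}")
    _, flags, transport, residual = parts
    transport = transport.lower()
    if transport not in TRANSPORT_RANK:
        raise ValueError(f"unknown transport {transport!r} in {target!r}")
    if transport == "kkdcp" and not residual.startswith("https://"):
        # Assumption from the draft: a KKDCP residual is an https URL.
        raise ValueError(f"kkdcp residual must be an https URL: {residual!r}")
    return Endpoint(priority, weight, flags, transport, residual, "URI")


def parse_srv(priority: int, weight: int, port: int, host: str,
              transport: str) -> Endpoint:
    """SRV records carry no flags; the transport comes from the owner name."""
    return Endpoint(priority, weight, "", transport, f"{host}:{port}", "SRV")


def rank(endpoints: List[Endpoint]) -> List[Endpoint]:
    """Lower priority first, then transport preference. sorted() is stable,
    so records that tie on both keys keep their zone order."""
    return sorted(endpoints,
                  key=lambda e: (e.priority, TRANSPORT_RANK[e.transport]))


Zone = Dict[Tuple[str, str], List[tuple]]


def discover(zone: Zone, realm: str) -> List[Endpoint]:
    """A URI-capable client uses URI records exclusively when any exist;
    SRV records are consulted only as a fallback."""
    uri = [parse_krb5srv(*rdata)
           for rdata in zone.get(("URI", f"_kerberos.{realm}"), [])]
    if uri:
        return rank(uri)
    srv: List[Endpoint] = []
    for transport in ("udp", "tcp"):
        owner = f"_kerberos._{transport}.{realm}"
        for rdata in zone.get(("SRV", owner), []):
            srv.append(parse_srv(*rdata, transport=transport))
    return rank(srv)


# Constructed zone data: (rrtype, owner) -> list of RDATA tuples.
SAMPLE_ZONE: Zone = {
    ("URI", "_kerberos.example.com"): [
        (0, 0, "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"),
        (0, 0, "krb5srv:M:tcp:ipaserver.example.com:88"),
        (0, 0, "krb5srv:M:udp:ipaserver.example.com:88"),
        (10, 0, "krb5srv::kkdcp:https://replica.example.com/KdcProxy"),
    ],
    # SRV records exist for this realm too, but they are never consulted
    # while URI records are present.
    ("SRV", "_kerberos._udp.example.com"): [(0, 100, 88, "ipaserver.example.com")],
    ("SRV", "_kerberos._tcp.example.com"): [(0, 100, 88, "ipaserver.example.com")],
    # A realm that publishes only SRV records.
    ("SRV", "_kerberos._udp.legacy.test"): [(0, 100, 88, "kdc.legacy.test")],
}


if __name__ == "__main__":
    for realm in ("example.com", "legacy.test"):
        print(realm)
        for e in discover(SAMPLE_ZONE, realm):
            print(f"  {e.source} prio={e.priority} {e.transport:5} "
                  f"{'master' if e.is_master else 'replica':7} {e.residual}")
```

Running the block shows the consequence Martin raised: once `_kerberos.example.com` has URI records, the SRV entries for the same realm are ignored, and at priority 0 the client tries the tcp and udp endpoints before the KdcProxy URL, so a deployment that publishes only the kkdcp URI record (as in the original proposal) sends every client through the proxy.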
