[Freeipa-devel] [PATCH] Set master_kdc and dns_lookup_kdc to true

Sumit Bose sbose at redhat.com
Mon Sep 17 10:23:03 UTC 2012


On Sat, Sep 15, 2012 at 06:14:56PM -0400, Simo Sorce wrote:
> On Sat, 2012-09-15 at 22:02 +0200, Sumit Bose wrote:
> > On Fri, Sep 14, 2012 at 05:57:23PM -0400, Rob Crittenden wrote:
> > > Sumit Bose wrote:
> > > >Hi,
> > > >
> > > >those two patches should fix
> > > >https://fedorahosted.org/freeipa/ticket/2515 . The first makes the
> > > >needed change for fresh installations. The second adds the changes
> > > >during ipa-adtrust-install if needed. I prefer to do the changes here
> > > >instead of during updates, because during updates it is not easy to see
> > > >that the Kerberos configuration was changed.
> > > >
> > > 
> > > I guess it is good form to update the RHEL 4 client installer but
> > > will anyone test it?
> > 
> > I think it would be confusing if the RHEL4 client installer has
> > different information than the default one.
> > 
> > > 
> > > Is master_kdc supported in the MIT kfw version (krb5.ini)?
> > 
> > For me it looks like the parser is built from the same sources.
> > 
> > > 
> > > This suffers from the problem Simo envisioned with ticket 931. If
> > > the /etc/hosts entry is removed then DNS will not start. We add an
> > > entry during installation, so this may be less of an issue.
> > 
> > If the /etc/hosts entry is removed DNS will not start in either case.
> > 
> > I think the solution to #931 is setting the master_kdc option. You can
> > easily reproduce startup problems if you set 'dns_lookup_kdc = true',
> > stop sssd and try to restart named. This will run into a timeout and
> > bind will not start. The reason is that besides a KDC the Kerberos
> > client libraries also try to look up the master KDC (but it seems to be
> > ok if the lookup finally fails). If sssd is running the locator plugin
> > will return the current KDC as master. If it is not running, as in the
> > test described above, /etc/krb5.conf is used next. If it does not have a
> > master_kdc entry and 'dns_lookup_kdc = false' there is no other source
> > for the master KDC and the client libraries continue with normal
> > processing. If master_kdc is not set but 'dns_lookup_kdc = true' then a
> > DNS lookup is tried, which will run into a timeout since the DNS server
> > is not started yet. But if master_kdc is set in krb5.conf the client
> > libraries will just use this value and will not try any DNS lookup,
> > independently of the setting of dns_lookup_kdc.
> > 
> > As a side note: since we run named as user named I wonder if it would be
> > possible to use SASL EXTERNAL auth instead of GSSAPI to bind to the LDAP
> > server. If this would work safe and secure there would be no
> > dependencies to the KDC during the startup of bind?
> 
> The reason why we use gssapi is so that all operations performed by bind
> happen as the DNS/fqdn user, and we can use ACIs targeted at the bind
> process. In order to use SASL EXTERNAL we would need the bind process to
> change euid to an unprivileged user that we then need to map to some
> specific user.

As said above named is already run as the unprivileged user named.

> 
> In general krb5kdc should always start before named, and should not
> depend on DNS resolution. If krb5kdc is started first bind should have
> no issues. The only problem is if gssapi libraries try to use DNS
> resolution, but we should have that solved by using the krb locator
> plugin.

Yes, and even if the locator plugin isn't available setting master_kdc
will make sure we never fall back to DNS for the local realm.

Just to make sure, I do not want to say that the authentication type
used by named must be changed to solve potential issues. Setting
master_kdc will solve them.

bye,
Sumit
> 
> Simo.
> 
> -- 
> Simo Sorce * Red Hat, Inc * New York
> 
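The failure mode Sumit describes above (dns_lookup_kdc = true with no master_kdc entry, so the client libraries go to DNS for the master KDC while named is not up yet) can be checked for mechanically. The script below is an added illustration, not code from the thread or from the FreeIPA patches: a minimal krb5.conf parser plus a check that reports realms lacking master_kdc while dns_lookup_kdc is enabled, run over two constructed sample configurations (the realm name, host names and ports are made up). It follows MIT's documented default of dns_lookup_kdc being true when the option is absent.

```python
"""Flag krb5.conf realms whose master KDC lookup would fall back to DNS.

With dns_lookup_kdc = true and no master_kdc entry for a realm, the Kerberos
client libraries try DNS to find the master KDC. On an IPA server that runs
named, this happens before the DNS server is up and the GSSAPI bind hangs
until it times out. A master_kdc entry stops that lookup regardless of the
dns_lookup_kdc setting.
"""
import re

SECTION_RE = re.compile(r"^\[(\w+)\]$")
KV_RE = re.compile(r"^(\S+)\s*=\s*(.*)$")


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}}.

    Flat sections such as [libdefaults] map key -> string. Brace-delimited
    realm blocks inside [realms] map realm -> {key: [values]} because keys
    like kdc may be repeated. Good enough for the options this check needs.
    """
    conf = {}
    section = None
    block = None  # (realm name, options) while inside REALM = { ... }
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = conf.setdefault(m.group(1), {})
            continue
        if section is None:
            continue
        if line == "}" and block is not None:
            section[block[0]] = block[1]
            block = None
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = (key, {})
        elif block is not None:
            block[1].setdefault(key, []).append(value)
        else:
            section[key] = value
    return conf


def dns_lookup_kdc_enabled(conf):
    """MIT krb5 documents dns_lookup_kdc as defaulting to true when absent."""
    value = conf.get("libdefaults", {}).get("dns_lookup_kdc", "true")
    return value.lower() in ("true", "yes", "1")


def find_master_kdc_gaps(conf):
    """Realms that have no master_kdc while DNS KDC lookup is enabled."""
    if not dns_lookup_kdc_enabled(conf):
        return []
    return sorted(
        realm for realm, opts in conf.get("realms", {}).items()
        if isinstance(opts, dict) and "master_kdc" not in opts
    )


def suggest_master_kdc(conf, realm):
    """First listed kdc of the realm: the value to copy into master_kdc.

    Sumit notes the locator plugin returns the current KDC as master, so
    pointing master_kdc at the same host in krb5.conf matches that.
    """
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    return kdcs[0] if kdcs else None


# Constructed sample: dns_lookup_kdc = true but no master_kdc for the realm.
WEAK_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.TEST
 dns_lookup_realm = false
 dns_lookup_kdc = true

[realms]
 EXAMPLE.TEST = {
  kdc = ipa.example.test:88
  admin_server = ipa.example.test:749
 }
"""

# Constructed sample: the same realm with master_kdc added.
FIXED_CONF = WEAK_CONF.replace(
    "  kdc = ipa.example.test:88\n",
    "  kdc = ipa.example.test:88\n  master_kdc = ipa.example.test:88\n",
)


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        conf = parse_krb5_conf(text)
        gaps = find_master_kdc_gaps(conf)
        print(label, "realms missing master_kdc:", gaps or "none")
        for realm in gaps:
            print("  suggested master_kdc =", suggest_master_kdc(conf, realm))
```

Running it reports EXAMPLE.TEST for the weak configuration and nothing for the fixed one; pointing it at a real /etc/krb5.conf (read the file instead of the constructed strings) gives the same check for an installed server.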
