[Freeipa-devel] [freeipa PR#746][opened] KDC proxy URI records
MartinBasti
2017-04-27 16:11:57 UTC
URL: https://github.com/freeipa/freeipa/pull/746
Author: MartinBasti
Title: #746: KDC proxy URI records
Action: opened

PR body:
"""
Automatic creation of KDC proxy URI records

Enables creation of the following KDC proxy URI records for each replica:

_kerberos.example.com. IN URI <prio> <weight> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
_kpasswd.example.com. IN URI <prio> <weight> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"

Records are created for each replica in the topology, as KDC proxy is enabled
by default. (If KDC proxy is manually disabled, the records will be
created anyway.)

URI records for kadmin discovery are not created because FreeIPA doesn't
support kadmin.

See: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

https://pagure.io/freeipa/issue/6337


### TODO
[ ] Add URI records for 88/UDP, 88/TCP with higher priority to keep the client asking the KDC directly first
[ ] Add URI records for HTTPS only when KDC proxy is enabled on the server (requires updating server roles with a KDC proxy role attribute)
[ ] Fix https://pagure.io/freeipa/issue/6906 to allow enrolling FreeIPA clients using the HTTPS KDC proxy
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/746/head:pr746
git checkout pr746
MartinBasti
2017-04-27 16:12:01 UTC
URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

Label: +postponed
MartinBasti
2017-04-27 16:14:45 UTC
URL: https://github.com/freeipa/freeipa/pull/746
Author: MartinBasti
Title: #746: KDC proxy URI records
Action: edited

Changed field: body
Original value:
"""
Automatic creation of KDC proxy URI records

Enables creation of the following KDC proxy URI records for each replica:

_kerberos.example.com. IN URI <prio> <weight> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
_kpasswd.example.com. IN URI <prio> <weight> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"

Records are created for each replica in the topology, as KDC proxy is enabled
by default. (If KDC proxy is manually disabled, the records will be
created anyway.)

URI records for kadmin discovery are not created because FreeIPA doesn't
support kadmin.

See: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

https://pagure.io/freeipa/issue/6337


### TODO
[ ] Add URI records for 88/UDP, 88/TCP with higher priority to keep the client asking the KDC directly first
[ ] Add URI records for HTTPS only when KDC proxy is enabled on the server (requires updating server roles with a KDC proxy role attribute)
[ ] Fix https://pagure.io/freeipa/issue/6906 to allow enrolling FreeIPA clients using the HTTPS KDC proxy
"""
MartinBasti
2017-04-28 15:09:33 UTC
URL: https://github.com/freeipa/freeipa/pull/746
Author: MartinBasti
Title: #746: KDC proxy URI records
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/746/head:pr746
git checkout pr746
MartinBasti
2017-04-28 15:19:25 UTC
URL: https://github.com/freeipa/freeipa/pull/746
Author: MartinBasti
Title: #746: KDC proxy URI records
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/746/head:pr746
git checkout pr746
MartinBasti
2017-04-28 15:23:33 UTC
URL: https://github.com/freeipa/freeipa/pull/746
Author: MartinBasti
Title: #746: KDC proxy URI records
Action: edited

Changed field: body
Original value:
"""
Automatic creation of KDC proxy URI records

Enables creation of the following KDC proxy URI records for each replica:
```
_kerberos.example.com. IN URI <prio> <weight> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
_kpasswd.example.com. IN URI <prio> <weight> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
```
Records are created for each replica in the topology, as KDC proxy is enabled
by default. (If KDC proxy is manually disabled, the records will be
created anyway.)

URI records for kadmin discovery are not created because FreeIPA doesn't
support kadmin.

See: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

https://pagure.io/freeipa/issue/6337


### TODO
- [ ] Add URI records for 88/UDP, 88/TCP with higher priority to keep the client asking the KDC directly first
- [ ] Add URI records for HTTPS only when KDC proxy is enabled on the server (requires updating server roles with a KDC proxy role attribute)
- [ ] Fix https://pagure.io/freeipa/issue/6906 to allow enrolling FreeIPA clients using the HTTPS KDC proxy
"""
simo5
2017-04-28 15:42:36 UTC
URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

simo5 commented:
"""
I am not entirely sure we want to care for the case where an admin disables KDC Proxy in an automatic fashion; otherwise we would also need to check if TCP or UDP are disabled and change that too.
FreeIPA as a product enables TCP/UDP and proxy, and an admin who wants to change this by manually changing configurations should also take care of manually changing the URI records in DNS, I think. Just like they would need to change records in DNS if either the TCP or UDP protocol were disabled.
However, if it is overly simple to detect and update records based on enabled protocols, I am not against doing so.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/746#issuecomment-298032999
MartinBasti
2017-04-28 15:46:19 UTC
URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

MartinBasti commented:
"""
@simo5 we don't support manual changes of IPA system records; they are regenerated automatically, so any manual changes are overwritten when a new replica is added, a replica is removed, or a user manually executes `ipa dns-update-system-records`
"""

See the full comment at https://github.com/freeipa/freeipa/pull/746#issuecomment-298034002
simo5
2017-04-28 16:00:10 UTC
URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

simo5 commented:
"""
@MartinBasti In this case we need a way to tell the system what the priorities are and which protocols are enabled. Priorities are important too; admins need to be able to change them as they see fit.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/746#issuecomment-298037434
MartinBasti
2017-04-28 16:06:46 UTC
URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

MartinBasti commented:
"""
@simo5 not really a 4.5 material then
"""

See the full comment at https://github.com/freeipa/freeipa/pull/746#issuecomment-298039065
MartinBasti
2017-04-28 16:14:16 UTC
URL: https://github.com/freeipa/freeipa/pull/746
Author: MartinBasti
Title: #746: KDC proxy URI records
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/746/head:pr746
git checkout pr746
MartinBasti
2017-04-28 16:15:26 UTC
URL: https://github.com/freeipa/freeipa/pull/746
Author: MartinBasti
Title: #746: KDC proxy URI records
Action: edited

Changed field: body
Original value:
"""
Automatic creation of KDC proxy URI records

Enables creation of the following KDC proxy URI records for each replica:
```
_kerberos.example.com. IN URI <prio> <weight> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
_kpasswd.example.com. IN URI <prio> <weight> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
```
Records are created for each replica in the topology, as KDC proxy is enabled
by default. (If KDC proxy is manually disabled, the records will be
created anyway.)

URI records for kadmin discovery are not created because FreeIPA doesn't
support kadmin.

See: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

https://pagure.io/freeipa/issue/6337


### TODO
- [x] Add URI records for 88/UDP, 88/TCP with higher priority to keep the client asking the KDC directly first
- [ ] Add URI records for HTTPS only when KDC proxy is enabled on the server (requires updating server roles with a KDC proxy role attribute)
- [ ] Update release notes
- `Postponed`: Fix https://pagure.io/freeipa/issue/6906 to allow enrolling FreeIPA clients using the HTTPS KDC proxy
"""
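The record set described in the PR body above, as an added Python example that is not the PR's own code: it emits the `_kerberos` and `_kpasswd` URI records for every replica with the direct 88/UDP and 88/TCP KDC entries preferred over the HTTPS KDC proxy (the first TODO item), and checks that the proxy is only ever a fallback, which is the priority concern raised in the comments. The `krb5srv:<flags>:<transport>:<residual>` syntax follows the linked KDC_Discovery page; the priority and weight numbers, the use of port 464 for kpasswd, and the hostnames are assumptions.

```python
# Added example, not FreeIPA code. Assumed values: priorities 0/10, weight 100,
# port 464 for kpasswd, and the replica hostnames passed in by the caller.
DIRECT_PRIORITY = 0   # lower value = tried first, so clients talk to the KDC directly
PROXY_PRIORITY = 10   # the HTTPS KDC proxy is only a fallback
WEIGHT = 100
DIRECT_PORTS = {"_kerberos": 88, "_kpasswd": 464}


def kdc_uri_records(domain, replicas, kdcproxy_enabled=True):
    """Return zone-file lines for _kerberos.<domain> and _kpasswd.<domain>,
    one set per replica, sorted by hostname so regeneration is deterministic."""
    lines = []
    for host in sorted(replicas):
        for owner, port in DIRECT_PORTS.items():
            # Direct transports first (same priority, equal weight).
            targets = [(DIRECT_PRIORITY, f"krb5srv:M:{t}:{host}:{port}")
                       for t in ("udp", "tcp")]
            # HTTPS proxy record only when the role is enabled (second TODO item).
            if kdcproxy_enabled:
                targets.append((PROXY_PRIORITY,
                                f"krb5srv:M:kkdcp:https://{host}/KdcProxy"))
            for prio, target in targets:
                lines.append(f'{owner}.{domain}. IN URI {prio} {WEIGHT} "{target}"')
    return lines


def proxy_is_fallback(lines):
    """True when, for every owner name, the best direct udp/tcp record has a
    strictly lower priority number (i.e. is preferred) than the best kkdcp one.
    A proxy-only record set therefore fails this check."""
    best = {}  # (owner, "direct"|"proxy") -> lowest priority seen
    for line in lines:
        owner, _cls, _rtype, prio, _weight, target = line.split(None, 5)
        kind = "proxy" if ":kkdcp:" in target else "direct"
        best[(owner, kind)] = min(best.get((owner, kind), 10**9), int(prio))
    owners = {owner for owner, _ in best}
    return all(best.get((o, "direct"), 10**9) < best.get((o, "proxy"), 10**9)
               for o in owners)


if __name__ == "__main__":
    # Constructed sample topology of two replicas.
    for rec in kdc_uri_records("example.com", ["ipa2.example.com", "ipa1.example.com"]):
        print(rec)
```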
simo5
2017-04-28 19:34:16 UTC
URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

simo5 commented:
"""
We can probably defer.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/746#issuecomment-298087667