KDC proxy URI records #746

Closed
wants to merge 1 commit into from
Conversation

Contributor

@MartinBasti MartinBasti commented Apr 27, 2017

Automatic creation of KDC proxy URI records

Enables creation of the following KDC proxy URL records for each replica:

_kerberos.example.com. IN URI <prio> <weight> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
_kpasswd.example.com. IN URI <prio> <weight> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"

Records are created for each replica in the topology, as KDC proxy is enabled
by default. (If KDC proxy is manually disabled, this record will be
created anyway.)

URI records for kadmin discovery are not created because FreeIPA doesn't
support kadmin.

See: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

https://pagure.io/freeipa/issue/6337

TODO

  • Add URI records for 88/UDP, 88/TCP with higher priority to keep clients asking the KDC directly first
  • Add URI records for HTTPS only when KDC proxy is enabled on the server (requires updating server roles with a KDC proxy role attribute)
  • Allow admins to set priorities of IPA system records
  • Update release notes
  • Postponed: Fix https://pagure.io/freeipa/issue/6906 to allow enrolling FreeIPA clients using the HTTPS KDC proxy


# URI records for KDCProxy must have lower priority than for KDC, clients must
# prefer to connect directly to KDC
IPA_KDCPROXY_PRIORITY_PENALIZATION = 10
Member

Don't be so shy, give it a big boost of 100 or even 1000. It makes it a bit easier to manually tune relevance later. Priority is a 16-bit unsigned int, https://tools.ietf.org/html/rfc7553#section-4.2 .

Contributor Author

I'm shy because with DNS locations we use +50, and users may get lost when I increase it too much

Contributor Author

And manual tuning of IPA DNS records is currently unsupported; it will replace any custom change done by users during upgrade.

Member

Does the DNS location system add +50 for all off-site locations?

Contributor

simo5 commented Apr 28, 2017

I am not entirely sure we want to care for the case where an admin disables KDC Proxy in an automatic fashion; otherwise we would also need to check if TCP or UDP are disabled and change that too.
FreeIPA as a product enables TCP/UDP and proxy and an admin that wants to change this by manually changing configurations should also take care of manually changing the URI records in DNS I think. Just like they would need to change records in DNS if either TCP or UDP protocols were disabled.
However if it is overly simple to detect and update records based on enabled protocols I am not against doing so.

@MartinBasti
Contributor Author

@simo5 we don't support manual changes of IPA system records; they are regenerated automatically, so any manual changes are overwritten when a new replica is added, a replica is removed, or a user manually executes ipa dns-update-system-records.

Contributor

simo5 commented Apr 28, 2017

@MartinBasti In this case we need a way to tell the system what the priorities are and which protocols are enabled; priorities are important too, admins need to be able to change them as they see fit.

@MartinBasti
Contributor Author

@simo5 not really 4.5 material then

Enables creation of the following records for each replica:

KDC URI records:
_kerberos.example.com. IN URI <prio> <weight> "krb5srv:M:tcp:ipaserver.example.com"
_kpasswd.example.com. IN URI <prio> <weight> "krb5srv:M:tcp:ipaserver.example.com"
_kerberos.example.com. IN URI <prio> <weight> "krb5srv:M:udp:ipaserver.example.com"
_kpasswd.example.com. IN URI <prio> <weight> "krb5srv:M:udp:ipaserver.example.com"

KDC proxy URI records:
_kerberos.example.com. IN URI <prio>+10 <weight> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
_kpasswd.example.com. IN URI <prio>+10 <weight> "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"

URI records for kadmin discovery are not created because FreeIPA doesn't
support kadmin.

KDC URI records (tcp, udp) must have higher priority than KDC proxy
(https) to prefer direct communication with the KDC. Also there is a bug
that prevents ipa-client-install from enrolling a client using only KDC
proxy in some cases (see https://pagure.io/freeipa/issue/6906).

All records are created for each replica in the topology, as KDC proxy is enabled
by default. (Please note that if KDC proxy is manually disabled, KDC Proxy records will be
created anyway.)

See: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

https://pagure.io/freeipa/issue/6337
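As an added example (not FreeIPA's code and not part of this PR), the record layout from the commit message above and the priority penalization discussed in the inline review, written out as a small generator: direct TCP/UDP records first, the kkdcp (HTTPS proxy) records with a worse priority, and the 16-bit range check the reviewer points to in RFC 7553. The function names, the kdcproxy flag (which models the TODO item of skipping proxy records when the proxy is disabled) and the sample replica name are assumptions.

```python
from dataclasses import dataclass

MAX_U16 = 0xFFFF  # RFC 7553 section 4.2: priority and weight are 16-bit unsigned
KDCPROXY_PRIORITY_PENALIZATION = 10  # the +10 from the PR; the review suggests 100 or 1000


@dataclass(frozen=True)
class URIRecord:
    owner: str     # "_kerberos.<domain>." or "_kpasswd.<domain>."
    priority: int  # lower value is tried first
    weight: int    # relative weight among records with equal priority
    target: str    # krb5srv:M:<transport>:<endpoint>

    def __str__(self):
        return f'{self.owner} IN URI {self.priority} {self.weight} "{self.target}"'


def _u16(name, value):
    """Reject values that would not fit the RFC 7553 wire format."""
    if not 0 <= value <= MAX_U16:
        raise ValueError(f"{name}={value} does not fit a 16-bit unsigned field")
    return value


def kdc_uri_records(domain, replica, base_priority=0, weight=100, kdcproxy=True):
    """URI records for one replica: direct TCP/UDP first, HTTPS proxy penalized.
    The PR emits the kkdcp records unconditionally; kdcproxy=False models the
    TODO item of skipping them when the proxy is disabled on that server."""
    endpoints = [("tcp", replica), ("udp", replica)]
    if kdcproxy:
        endpoints.append(("kkdcp", f"https://{replica}/KdcProxy"))
    records = []
    for transport, endpoint in endpoints:
        prio = base_priority
        if transport == "kkdcp":
            prio += KDCPROXY_PRIORITY_PENALIZATION
        for service in ("_kerberos", "_kpasswd"):
            records.append(URIRecord(f"{service}.{domain}.", _u16("priority", prio),
                                     _u16("weight", weight),
                                     f"krb5srv:M:{transport}:{endpoint}"))
    return records


def client_order(records):
    """Order in which a client tries targets: lowest priority first; within
    equal priority, higher weight first (RFC 7553 weight is a proportional
    selection, so this deterministic sort is a simplification)."""
    return [r.target for r in sorted(records, key=lambda r: (r.priority, -r.weight))]


if __name__ == "__main__":
    for rec in kdc_uri_records("example.com", "ipaserver.example.com"):
        print(rec)
```

Raising base_priority close to 65535 shows why the penalty has to be bounded: the kkdcp record would no longer fit the field and the generator refuses it instead of silently wrapping.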
Contributor

simo5 commented Apr 28, 2017

We can probably defer.
