Team…

I wanted to alert you to a change that was added to the trunk via AMBARI-22293 
(https://issues.apache.org/jira/browse/AMBARI-22293).    As of this change, 
when enabling Kerberos using either the existing MIT KDC or IPA server options, 
it is required that the kerberos_env/admin_server_host value is set to the 
fully qualified domain name (FQDN) of the host where the KDC administrator 
service is.

Whether you are using this version or any previous version, the FQDN should be 
used for this value; however, before the patch for AMBARI-22293 was committed, 
a short name or IP address worked for the MIT KDC option (but probably not for 
the IPA option).

The reason the FQDN is now needed is due to the new way we will be 
authenticating with the MIT KDC when calling kadmin to manage principals.  
Historically we called kadmin and passed in the username and password for 
authentication.  The password was supplied to the command via a pipe to STDIN 
when executing the call.  This was relatively slow since this needed to be done 
for each call to kadmin and I believe may have been a cause of authentication 
failures under heavy load.

As of this patch, authenticating with kadmin is done using a Kerberos ticket.  
Therefore, at the beginning of a session, kinit is called. The username and 
password are passed in as we previously did for kinit, but this now needs to 
be done only once per session.  For example, a session may be as short as

                kinit
                kadmin
                kdestroy

or as long as

                kinit
                kadmin
                kadmin
…
                kadmin
                kdestroy

depending on what the operation is doing.

For the MIT KDC’s kadmin server, we need to provide a service ticket for the 
kadmin admin server.  To obtain the service ticket while authenticating, we 
need to issue a kinit call like

                kinit -S kadmin/<KDC_FQDN> <ADMIN_PRINCIPAL>

The KDC_FQDN value is taken from the kerberos_env/admin_server_host value. This 
is why it must be a FQDN.

I hope this change does not cause too much inconvenience, especially during 
upgrade scenarios; but I believe that it is a better model and helps with code 
reuse for KDC server implementations (like FreeIPA).

Thanks,
Rob

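The kinit / kadmin / kdestroy session described in the message, written out as an added example; this is not part of Rob's message or of Ambari's own code. It keeps the session ticket in a private credential cache so concurrent sessions do not clobber each other, and it refuses an admin_server_host that is a short name or an IP address, since kadmin/<short-name> or kadmin/<ip> is not a principal the KDC has a key for. The realm, the ADMIN_PASSWORD environment variable and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Ambari's code. Assumptions: the admin password is in
# $ADMIN_PASSWORD, MIT kinit/kadmin/kdestroy are on PATH, and kadmin
# queries (addprinc, ktadd, ...) arrive on stdin, one per line.

# kerberos_env/admin_server_host must be an FQDN: reject the empty string,
# dotted-quad IP addresses and short names (no label separator).
kadmin_host_is_fqdn() {
  host=$1
  case "$host" in
    "") return 1 ;;
    *[!0-9.]*) ;;          # contains something other than digits/dots: continue
    *) return 1 ;;         # only digits and dots: an IPv4 address
  esac
  case "$host" in
    *.*) return 0 ;;       # at least one label separator
    *) return 1 ;;         # short name such as "kdc1"
  esac
}

# Build the service principal that kinit -S asks a ticket for:
# kadmin/<KDC_FQDN>@<REALM>.
kadmin_service_principal() {
  printf 'kadmin/%s@%s\n' "$1" "$2"
}

# One session: kinit once, run every kadmin query against the same ticket
# cache, then destroy it. Arguments: admin_server_host, realm, admin principal.
run_kadmin_session() {
  admin_host=$1; realm=$2; admin_principal=$3

  kadmin_host_is_fqdn "$admin_host" || {
    echo "admin_server_host must be an FQDN, got '$admin_host'" >&2
    return 2
  }

  # Private FILE ccache for this session only; never the user's default cache.
  cc=$(mktemp /tmp/ambari_krb5cc.XXXXXX) || return 2

  # Password goes over STDIN to kinit exactly once per session (the old
  # scheme piped it into every kadmin call).
  if ! printf '%s\n' "$ADMIN_PASSWORD" | kinit -c "FILE:$cc" \
        -S "$(kadmin_service_principal "$admin_host" "$realm")" "$admin_principal"
  then
    rm -f "$cc"
    return 1
  fi

  # kadmin -c uses the service ticket from the cache instead of prompting.
  rc=0
  while IFS= read -r query; do
    [ -n "$query" ] || continue
    kadmin -c "FILE:$cc" -r "$realm" -p "$admin_principal" -q "$query" || { rc=1; break; }
  done

  kdestroy -c "FILE:$cc" 2>/dev/null || rm -f "$cc"
  return $rc
}

# Usage (commented out so the file can be sourced without touching a KDC):
# printf 'addprinc -randkey HTTP/web1.example.com@EXAMPLE.COM\n' \
#   | ADMIN_PASSWORD='secret' run_kadmin_session kdc1.example.com EXAMPLE.COM admin/admin@EXAMPLE.COM
```

The FQDN check mirrors why the setting changed: kinit -S builds the service principal name directly from admin_server_host, so anything other than the KDC admin server's canonical hostname produces a principal that does not exist and the kinit fails before any kadmin call is made.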