On Thu, 2017-04-27 at 15:56 +0200, Petr Vobornik wrote: > On 04/27/2017 02:19 PM, Christian Heimes wrote: > > On 2017-04-27 14:00, Martin Bašti wrote: > > > I would like to discuss consequences of adding kdc URI records: > > > > > > 1. basically all ipa clients enrolled using autodiscovery will > > > use > > > kdcproxy instead of KDC on port 88, because URI takes precedence > > > over > > > SRV in KRB5 client implementation. Are we ok with such a big > > > change? > > > > Does the client also prefer KKDCP if you give the Kerberos 88/UDP > > and > > 88/TCP URIs a higher priority than the KKDCP HTTPS URIs? > > > > > 2. probably client installer must be updated because currently > > > with > > > CA-full installation it is not working. > > > > > > ipa-client-install (with autodiscovery) failed on kinit, see > > > KRB5_TRACE > > > bellow that it refuses self signed certificate > > > > Actually it is not a self-sigend EE certificate. The validation > > message > > is bogus because FreeIPA TLS configuration is slightly buggy. We > > send > > the trust anchor (root CA) although a server should not include its > > trust anchor in its ServerHello message. OpenSSL detects an > > untrusted > > root CA in the ServerHello peer chain and emits the message. > > > > If I read the 600 lines (!) function > > ipaclient.install.client._install > > correctly, then ipa-client-install first attempts to negotiate a > > TGT and > > then installs the trust anchor in the global trust store. It should > > be > > enough to reverse the order and inject the trust anchor first. > > > > Christian > > > > By reading this, even if we do the change in client install, I'd > rather > not generate the DNS records in 4.5.1 release and rather make sure > that > everything works during 4.6 development. > > The reason is that there might also be something else not working and > it > is better to time test it + the fix would not fix older clients. > > If anybody wants to use/try it, then the records can be created > manually.
We need to ix clients regardless, o someone enabling it will find the same issues. Simo. -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
