On 2017-04-27 16:16, Martin Bašti wrote: > > > On 27.04.2017 14:19, Christian Heimes wrote: >> On 2017-04-27 14:00, Martin Bašti wrote: >>> I would like to discuss consequences of adding kdc URI records: >>> >>> 1. basically all ipa clients enrolled using autodiscovery will use >>> kdcproxy instead of KDC on port 88, because URI takes precedence over >>> SRV in KRB5 client implementation. Are we ok with such a big change? >> Does the client also prefer KKDCP if you give the Kerberos 88/UDP and >> 88/TCP URIs a higher priority than the KKDCP HTTPS URIs? > > It should use 88/TCP, 88/UDP then, it can be a way how to avoid issues > with clients. Small correction: Kerberos should prefer UDP over TCP.
Christian -- Christian Heimes Senior Software Engineer, Identity Management and Platform Security Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
signature.asc
Description: OpenPGP digital signature
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code