[Freeipa-devel] [PATCH] Set master_kdc and dns_lookup_kdc to true

Thu Sep 20 18:04:45 UTC 2012

Sumit Bose wrote:
> On Sat, Sep 15, 2012 at 06:14:56PM -0400, Simo Sorce wrote:
>> On Sat, 2012-09-15 at 22:02 +0200, Sumit Bose wrote:
>>> On Fri, Sep 14, 2012 at 05:57:23PM -0400, Rob Crittenden wrote:
>>>> Sumit Bose wrote:
>>>>> Hi,
>>>>>
>>>>> those two patches should fix
>>>>> https://fedorahosted.org/freeipa/ticket/2515 . The first makes the
>>>>> needed change for fresh installations. The second adds the changes
>>>>> during ipa-adtrust-install if needed. I prefer to do the changes here
>>>>> instead of during updates, because during updates it is not easy to see
>>>>> that the Kerberos configuration was changes.
>>>>>
>>>>
>>>> I guess it is good form to update the RHEL 4 client installer but
>>>> will anyone test it?
>>>
>>> I think it would be confusion if the RHEL4 client installer has
>>> different information than the default one.
>>>
>>>>
>>>> Is master_kdc supported in the MIT kfw version (krb5.ini)?
>>>
>>> For me it looks that the parse is build from the same sources.
>>>
>>>>
>>>> This suffers from the problem Simo envisioned with ticket 931. If
>>>> the /etc/hosts entry is removed then DNS will not start. We add an
>>>> entry during installation, so this may be less of an issue.
>>>
>>> If the /etc/hosts entry is removed DNS  will not start in either case.
>>>
>>> I think the solution to #931 is setting the master_kdc option. You can
>>> easily reproduce startup problems if you set 'dns_lookup_kdc = true',
>>> stop sssd and try to restart named. This will run into a timeout and
>>> bind will not start. The reason is that besides a KDC the Kerberos
>>> client libraries also try to look up the master KDC (but it seems to be
>>> ok if the lookup finally fails). If sssd is running the locator plugin
>>> will return the current KDC as master. If it is not running, as in the
>>> test described above, /etc/krb5.conf is used next. If it does not have a
>>> master_kdc entry and 'dns_lookup_kdc = false' there is no other source
>>> for the master KDC and the client libraries continue with normal
>>> processing. If master_kdc is not set but 'dns_lookup_kdc = true' then a
>>> DNS lookup is tried, which will run into a timeout since the DNS server
>>> is not started yet. But if master_kdc is set in krb5.conf the client
>>> libraries will just use this value and will not try any DNS lookup,
>>> independently of the setting of dns_lookup_kdc.
>>>
>>> As a side note. Since we run named as user named I wonder if it would be
>>> possible to use SASL EXTERNAL auth instead of GSSAPI to bind to the LDAP
>>> server. If this would work safe and secure there would be no
>>> dependencies to the KDC during the startup of bind?
>>
>> The reason why we use gssapi is so that all operations performed by bind
>> happen as the DNS/fqdn user, and we can use ACIs targeted at the bind
>> process. In order to use SASL EXTERNAL we would need the bind process to
>> change euid to an unprivileged user that we then need to map to some
>> specific user.
>
> As said above named is already run as the unprivileged user named.
>
>>
>> In general krb5kdc should always start before named, and should not
>> depend on DNS resolution. If krb5kdc is started first bind should have
>> no issues. The only proble is if gssapi libraries try to use DNS
>> resolution, but we should have that solved by using the krb locator
>> plugin.
>
> yes, and even if the locator plugin isn't available setting master_kdc
> will make sure we never fall back to DNS for the local realm.
>
> Just to make sure, I do not want to say that the authentication type
> used by named must be changes to solve potential issues. Setting
> master_kdc will solve them.

Ok, I'm satisfied. ACK, pushed both to master and ipa-3-0.

rob