[Freeipa-devel] KDC proxy URI records

Simo Sorce simo at redhat.com
Wed Apr 26 18:41:47 UTC 2017


On Wed, 2017-04-26 at 12:57 +0200, Martin Bašti wrote:
> 
> On 25.04.2017 16:57, Martin Bašti wrote:
> > Hello all,
> >
> > I'm going to implement automatic URI records for kdc proxy and I'd 
> > like to clarify if the following URI records are the right ones.
> >
> >
> > _kerberos-adm.example.com. IN URI <prio> 0 
> > "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
> >
> > _krb5kdc.example.com. IN URI <prio> 0 
> > "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
> >
> > _kpasswd.example.com. IN URI <prio> 0 
> > "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
> >
> >
> > I assume we want to use "kkdcp" and "https", and the "M" flag as all IPA 
> > servers are masters, please confirm.
> >
> >
> > Sources:
> >
> > https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery
> >
> > https://tools.ietf.org/id/draft-mccallum-kitten-krb-service-discovery-02.txt 
> >
> >
> >
> > Thank you
> >
> 
> I found out that the wiki page differs from the RFC draft and from the 
> source in git.
> 
> There is "_kerberos.REALM" record instead of "_krb5kdc.REALM"
> 
> 
> And I'm not sure if _kerberos-adm should be included as we don't really 
> support kadmin.

We shouldn't.

Simo.

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
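
Added example (not part of the original messages and not FreeIPA code): a small linter for URI discovery records of the form proposed in the thread. It flags the `_krb5kdc` and `_kerberos-adm` owner names questioned above and a `kkdcp` target that is not HTTPS. The `krb5srv:flags:transport:residual` layout, the transport set and case-insensitive matching are assumptions based on the cited draft; the function names are hypothetical.

```python
# Added example: lint proposed Kerberos URI discovery records.
# Assumed target layout (cited draft): krb5srv:<flags>:<transport>:<residual>
from urllib.parse import urlsplit

# Owner labels per the thread: _kerberos (not _krb5kdc) and _kpasswd;
# _kerberos-adm is left out because kadmin is not really supported.
ALLOWED_LABELS = {"_kerberos", "_kpasswd"}
TRANSPORTS = {"udp", "tcp", "kkdcp"}  # assumption: transports named in the draft

def lint_record(owner, target):
    """Return a list of problems for one URI record; empty means clean."""
    problems = []
    label = owner.split(".", 1)[0].lower()
    if label not in ALLOWED_LABELS:
        problems.append(f"unexpected owner label {label}")
    parts = target.split(":", 3)  # the residual may itself contain ':'
    if len(parts) != 4 or parts[0].lower() != "krb5srv":
        return problems + ["target is not krb5srv:flags:transport:residual"]
    _, flags, transport, residual = parts
    if set(flags.lower()) - {"m"}:  # assumption: flags compared without case
        problems.append(f"unknown flag in {flags!r}")
    transport = transport.lower()
    if transport not in TRANSPORTS:
        problems.append(f"unknown transport {transport!r}")
    elif transport == "kkdcp":
        url = urlsplit(residual)
        if url.scheme.lower() != "https" or not url.hostname:
            problems.append("kkdcp residual should be an https URL with a host")
    return problems

# Constructed sample: the records from the thread, the corrected owner name,
# and one made-up plain-http variant to show the transport check.
PROXY = "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
SAMPLE = [
    ("_kerberos-adm.example.com.", PROXY),
    ("_krb5kdc.example.com.", PROXY),
    ("_kpasswd.example.com.", PROXY),
    ("_kerberos.example.com.", PROXY),
    ("_kerberos.example.com.", PROXY.replace("https://", "http://")),
]

def lint_all(records=SAMPLE):
    """Lint every (owner, target) pair; keys are positions in the list."""
    return {i: lint_record(o, t) for i, (o, t) in enumerate(records)}

if __name__ == "__main__":
    for i, probs in lint_all().items():
        print(SAMPLE[i][0], probs or "ok")
```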