#2515 Set 'dns_lookup_kdc = true' during ipa-adtrust-install or earlier
Closed: Fixed None Opened 9 years ago by sbose.

When working with trusted domains it is cumbersome to add a krb5.conf entry for each domain. It would be much easier if dns_lookup_kdc can be set to true by ipa-adtrust-install or even by ipa-server-install.


This would revert changes made for ticket #931.

We would not be able to do this at ipa-adtrust-install because any enrolled clients would already have this set to false.

Or is this for the server only?

Replying to [comment:5 rcritten]:

This would revert changes made for ticket #931.

We would not be able to do this at ipa-adtrust-install because any enrolled clients would already have this set to false.

Or is this for the server only?

This is for the server only, clients should always have dns lookups set to true.

However, on the server it is also not a problem, as thanks to sssd and the default setup we have, lookups to our own realm are short-circuited through the locator plugin.

So enabling DNS options to handle trusted domains should be safe, imo.

I'm not so sure it will work in non-DNS environments.

What I did is this:
1. Install IPA on two systems, one configured with DNS and one not. pinto has no DNS, tove has DNS.
2. On pinto set the resolver to tove and switch dns_lookup_kdc to true
3. [pinto] $ ipa user-show admin
ipa: ERROR: Kerberos error: Service 'HTTP@tove.example.com' not found in Kerberos database/

sssd still seems to be doing the right thing, though.

Sorry, wrong ticket number - this patch is irrelevant to this ticket.

I found issues with 'dns_lookup_kdc = true' when sssd is not running.

  1. Stop sssd
  2. Set dns_lookup_kdc = true in /etc/krb5.conf
  3. try to restart named

I'm currently not sure why this happens. While looking at the MIT Kerberos source code I would say that the lookup order is locator plugins, krb5.conf, DNS. And strace suggests that after the locator plugin didn't return an answer a DNS lookup follows, which fails, because resolv.conf points to the local host.

The strange thing is that the KDC logs show successful AS_REQ and TGS_REQ for the DNS principal.

It turns out that the Kerberos libraries want to find the master KDC in some cases. The sssd locator plugin can return it, and a DNS server can return it if the _kerberos-master.[_tcp|_udp] service record is configured. For /etc/krb5.conf, master_kdc in the realm section must be set. If this is set I do not see any issues anymore. Maybe this would also fix the issue Rob was seeing.
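The failure mode above (dns_lookup_kdc = true with no master_kdc in the realm section and no sssd locator to fall back on) is easy to spot from the config alone. The following is an added example, not code from the ticket or from FreeIPA: a small krb5.conf parser plus a check that lists realms which rely on DNS for KDC lookup but do not pin master_kdc. The sample config is constructed; hostnames and realm names are placeholders.

```python
import re

# Constructed sample krb5.conf (not from the ticket). Realm sections
# use MIT krb5's "REALM = { key = value ... }" syntax.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.COM
  dns_lookup_kdc = true

[realms]
  EXAMPLE.COM = {
    kdc = ipa.example.com:88
    admin_server = ipa.example.com:749
  }
  AD.EXAMPLE.COM = {
    kdc = dc.ad.example.com
    master_kdc = dc.ad.example.com
  }
"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value or {subkey: value}}}."""
    sections, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r'\[(\w+)\]$', line)
        if m:                                 # new [section]
            section = sections.setdefault(m.group(1), {})
            realm = None
            continue
        if line == '}':                       # end of a realm block
            realm = None
            continue
        key, _, value = (p.strip() for p in line.partition('='))
        if value == '{':                      # start of "REALM = {"
            realm = section.setdefault(key, {})
        elif realm is not None:
            realm[key] = value
        else:
            section[key] = value
    return sections

def realms_missing_master_kdc(text):
    """Realms that would need DNS _kerberos-master SRV lookups to succeed."""
    conf = parse_krb5_conf(text)
    # Assumption: an absent dns_lookup_kdc is treated as MIT krb5's default (true).
    dns = conf.get('libdefaults', {}).get('dns_lookup_kdc', 'true').lower() == 'true'
    if not dns:
        return []
    return sorted(r for r, v in conf.get('realms', {}).items() if 'master_kdc' not in v)
```

On the sample above the check reports EXAMPLE.COM only; flipping dns_lookup_kdc to false makes the list empty, since krb5.conf entries are then the sole source.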

master:
d0f672c
0d31833

ipa-3-0:
86e16b9
6319660

Metadata Update from @sbose:
- Issue assigned to sbose
- Issue set to the milestone: FreeIPA 3.0 RC1

4 years ago
