[16711] in Kerberos-V5-bugs


[krbdev.mit.edu #8986] HTTPS client proxy zero configuration

daemon@ATHENA.MIT.EDU (daemon@ATHENA.MIT.EDU)
Sat Feb 13 10:38:02 2021

From: "Дилян Палаузов via RT" <rt-comment@krbdev.mit.edu>
In-Reply-To: <9710ebe7130653041a0e884bd3df33ed6aee7ef5.camel@aegee.org>
Message-ID: <rt-4.4.4-101591-1613230670-820.8986-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #8986":;
Date: Sat, 13 Feb 2021 10:37:50 -0500
MIME-Version: 1.0
Reply-To: rt-comment@krbdev.mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: krb5-bugs-bounces@mit.edu
Content-Transfer-Encoding: 8bit


Sat Feb 13 10:37:50 2021: Request 8986 was acted upon.
 Transaction: Ticket created by dilyan.palauzov@aegee.org
       Queue: krb5
     Subject: HTTPS client proxy zero configuration
       Owner: Nobody
  Requestors: dilyan.palauzov@aegee.org
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8986 >


Hello,

https://web.mit.edu/kerberos/krb5-current/doc/admin/realm_config.html#kdc-discovery
states that Kerberos clients can discover the KDC using URI DNS RRs.  In
particular, it states that they can by default - without additional
client-side configuration - use an HTTPS proxy to get a ticket.  As an
example it shows the line:

_kerberos.EXAMPLE.COM URI  30 1 krb5srv::kkdcp:https://proxy:89/auth

where kkdcp means the MS-KKDCP type (I do not know what kkdcp is).


https://web.mit.edu/kerberos/www/krb5-latest/doc/admin/https.html#configuring-the-clients
says:
“““
Configure the client to access the KDC and kpasswd service by
specifying their locations in its krb5.conf file in the form of HTTPS
URLs for the proxy server:

kdc = https://server.fqdn/KdcProxy
kpasswd_server = https://server.fqdn/KdcProxy

If the proxy and client are properly configured, client commands such
as kinit, kvno, and kpasswd should all function normally.
”””

• Please amend the “client configuration” to state that with URI+HTTPS
records no explicit client configuration is necessary for the HTTPS
proxy.

Greetings
  Дилян


_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
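
Added example (not part of the original message or of MIT krb5): Python that parses the krb5srv:flags:transport:residual target of the URI record quoted above and renders the explicit krb5.conf relations that record stands in for. The _kpasswd sample line, the function names and the https-only check on kkdcp targets are assumptions of this example.

```python
from urllib.parse import urlsplit

# Service label of the record's owner name -> krb5.conf relation it stands in for.
RELATION = {"_kerberos": "kdc", "_kpasswd": "kpasswd_server"}

def parse_target(target):
    """Split 'krb5srv:flags:transport:residual' and validate each field."""
    parts = target.split(":", 3)
    if len(parts) != 4 or parts[0].lower() != "krb5srv":
        raise ValueError(f"not a krb5srv target: {target!r}")
    flags, transport, residual = parts[1].lower(), parts[2].lower(), parts[3]
    if transport not in ("udp", "tcp", "kkdcp"):
        raise ValueError(f"unknown transport: {transport!r}")
    if transport == "kkdcp":
        url = urlsplit(residual)
        # Policy assumed here: a proxy location learned from DNS must be https.
        if url.scheme.lower() != "https" or not url.hostname:
            raise ValueError(f"kkdcp target is not an https URL: {residual!r}")
    elif not residual:
        raise ValueError("empty host in udp/tcp target")
    return {"primary": "m" in flags, "transport": transport, "residual": residual}

def parse_record(line):
    """Parse one zone-file style line: owner URI priority weight target."""
    owner, rrtype, priority, weight, target = line.split(None, 4)
    label, _, realm = owner.partition(".")
    if rrtype.upper() != "URI" or label.lower() not in RELATION:
        raise ValueError(f"not a Kerberos URI record: {line!r}")
    rec = parse_target(target.strip().strip('"'))
    rec.update(relation=RELATION[label.lower()], realm=realm.rstrip("."),
               priority=int(priority), weight=int(weight))
    return rec

def equivalent_conf(lines):
    """Render the [realms] stanza the records replace (lowest priority first).
    For udp/tcp targets only host[:port] is kept; the transport is dropped."""
    realms = {}
    for r in sorted(map(parse_record, lines), key=lambda r: r["priority"]):
        realms.setdefault(r["realm"], []).append(
            f"        {r['relation']} = {r['residual']}")
    out = ["[realms]"]
    for realm, rels in realms.items():
        out += [f"    {realm} = {{", *rels, "    }"]
    return "\n".join(out)

SAMPLE = [
    "_kerberos.EXAMPLE.COM URI  30 1 krb5srv::kkdcp:https://proxy:89/auth",  # from the page
    "_kpasswd.EXAMPLE.COM URI  30 1 krb5srv::kkdcp:https://proxy:89/auth",   # constructed
]
if __name__ == "__main__":
    print(equivalent_conf(SAMPLE))
```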

