Date: Sat, 13 Feb 2021 13:23:42 +0200
From: "Дилян Палаузов" <dilyan.palauzov@aegee.org>
Subject: HTTPS client proxy zero configuration
To: "krb5-bugs" <krb5-bugs@mit.edu>
Hello,

https://web.mit.edu/kerberos/krb5-current/doc/admin/realm_config.html#kdc-discovery
states that Kerberos clients can discover the KDC using a URI DNS RR, and in
particular that they can by default - without additional client-side
configuration - use an HTTPS proxy to get a ticket. As an example it shows the
line:
_kerberos.EXAMPLE.COM URI 30 1 krb5srv::kkdcp:https://proxy:89/auth
where kkdcp means the MS-KKDCP type (I do not know what kkdcp is).
https://web.mit.edu/kerberos/www/krb5-latest/doc/admin/https.html#configuring-the-clients
says:
“““
Configure the client to access the KDC and kpasswd service by
specifying their locations in its krb5.conf file in the form of HTTPS
URLs for the proxy server:
kdc = https://server.fqdn/KdcProxy
kpasswd_server = https://server.fqdn/KdcProxy
If the proxy and client are properly configured, client commands such
as kinit, kvno, and kpasswd should all function normally.
”””
• Please amend the “client configuration” to state that with URI+HTTPS
records no explicit client configuration is necessary for the HTTPS
proxy.
Greetings
Дилян
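
As an added illustration (not part of the original message and not MIT krb5 code), the sketch below parses discovery records in the documented krb5srv:flags:transport:residual format, including the line quoted in the message, and returns the explicit `kdc =` setting that a kkdcp record corresponds to. The function names and the second sample record are constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed input: the record quoted in the message plus one invented
# tcp record in the same krb5srv:flags:transport:residual format.
SAMPLE_ZONE = """\
_kerberos.EXAMPLE.COM URI 30 1 krb5srv::kkdcp:https://proxy:89/auth
_kerberos.EXAMPLE.COM URI 10 1 krb5srv:m:tcp:kdc1.example.com
"""

def parse_krb5srv(line):
    """Parse one zone-file style URI record used for KDC discovery."""
    owner, rrtype, priority, weight, target = line.split(None, 4)
    if rrtype.upper() != "URI" or not owner.startswith("_kerberos."):
        raise ValueError("not a _kerberos URI record: " + line)
    scheme, flags, transport, residual = target.strip().strip('"').split(":", 3)
    if scheme != "krb5srv":
        raise ValueError("unexpected URI scheme: " + scheme)
    if transport == "kkdcp":
        url = urlsplit(residual)
        # An MS-KKDCP target is an HTTPS URL; anything else is rejected.
        if url.scheme != "https" or not url.hostname:
            raise ValueError("kkdcp target must be an https URL: " + residual)
    elif transport not in ("udp", "tcp"):
        raise ValueError("unknown transport: " + transport)
    return {
        "realm": owner[len("_kerberos."):].rstrip("."),
        "priority": int(priority),
        "weight": int(weight),
        "primary": "m" in flags,  # "m" marks the primary (master) KDC
        "transport": transport,
        "target": residual,
    }

def discovery_order(zone_text):
    """Return parsed records, most preferred (lowest priority value) first."""
    records = [parse_krb5srv(l) for l in zone_text.splitlines() if l.strip()]
    return sorted(records, key=lambda r: r["priority"])

def explicit_kdc_line(record):
    """krb5.conf setting that a kkdcp record corresponds to."""
    if record["transport"] != "kkdcp":
        raise ValueError("only kkdcp records map to an HTTPS kdc URL here")
    return "kdc = " + record["target"]

if __name__ == "__main__":
    for rec in discovery_order(SAMPLE_ZONE):
        print(rec)
```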