Date: Sat, 13 Feb 2021 13:23:42 +0200
From: "Дилян Палаузов" <dilyan.palauzov@aegee.org>
Subject: HTTPS client proxy zero configuration
To: "krb5-bugs" <krb5-bugs@mit.edu>

Hello,

https://web.mit.edu/kerberos/krb5-current/doc/admin/realm_config.html#kdc-discovery
states that Kerberos clients can discover the KDC using URI DNS RRs, and
in particular that they can by default - without additional client-side
configuration - use an HTTPS proxy to get a ticket. As an example it shows
the line:

_kerberos.EXAMPLE.COM URI 30 1 krb5srv::kkdcp:https://proxy:89/auth

where kkdcp means the MS-KKDCP type (I do not know what kkdcp is).


https://web.mit.edu/kerberos/www/krb5-latest/doc/admin/https.html#configuring-the-clients
says:
“““
Configure the client to access the KDC and kpasswd service by
specifying their locations in its krb5.conf file in the form of HTTPS
URLs for the proxy server:

kdc = https://server.fqdn/KdcProxy
kpasswd_server = https://server.fqdn/KdcProxy

If the proxy and client are properly configured, client commands such
as kinit, kvno, and kpasswd should all function normally.
”””

• Please amend the “client configuration” section to state that with
URI+HTTPS records no explicit client configuration is necessary for the
HTTPS proxy.

Greetings
Дилян
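
The following is an added example, not part of the original message and not MIT krb5 code. It parses URI records like the one quoted above and prints the krb5.conf lines that the kkdcp records make unnecessary, rejecting any proxy target that is not an https URL. The field layout `krb5srv:flags:transport:residual`, the `_kpasswd` owner label and all sample records except the first are assumptions of this example.

```python
from urllib.parse import urlsplit

# Constructed sample zone lines: the first is the record quoted in the message,
# the others are made up to exercise ordering and rejection.
SAMPLE_ZONE = [
    "_kerberos.EXAMPLE.COM URI 30 1 krb5srv::kkdcp:https://proxy:89/auth",
    '_kerberos.EXAMPLE.COM. URI 10 1 "krb5srv:m:kkdcp:https://proxy2.example.com/KdcProxy"',
    "_kpasswd.EXAMPLE.COM URI 10 1 krb5srv::kkdcp:https://proxy:89/auth",
    "_kerberos.EXAMPLE.COM URI 20 1 krb5srv::kkdcp:http://proxy/auth",
    "_kerberos.EXAMPLE.COM URI 40 1 krb5srv::tcp:kdc1.example.com:88",
]

# Assumed mapping from URI owner label to the krb5.conf relation it replaces.
RELATION = {"_kerberos": "kdc", "_kpasswd": "kpasswd_server"}

def parse_krb5_uri(line):
    """Split 'owner URI priority weight target' and the krb5srv target fields."""
    fields = line.split(None, 4)
    if len(fields) != 5 or fields[1].upper() != "URI":
        raise ValueError("not a URI record")
    owner, _, priority, weight, target = fields
    label, _, realm = owner.rstrip(".").partition(".")
    # Assumed layout: krb5srv:<flags>:<transport>:<residual>
    parts = target.strip('"').split(":", 3)
    if len(parts) != 4 or parts[0] != "krb5srv":
        raise ValueError("target is not a krb5srv URI")
    return {"label": label, "realm": realm, "priority": int(priority),
            "weight": int(weight), "flags": parts[1],
            "transport": parts[2].lower(), "residual": parts[3]}

def implied_client_config(lines):
    """Return (krb5.conf lines the kkdcp records stand in for, rejected records)."""
    accepted, rejected = [], []
    for line in lines:
        try:
            rec = parse_krb5_uri(line)
            if rec["transport"] != "kkdcp" or rec["label"] not in RELATION:
                continue  # udp/tcp records are outside the HTTPS proxy case
            url = urlsplit(rec["residual"])
            # Check added by this example: a proxy target must be an https URL.
            if url.scheme != "https" or not url.hostname:
                raise ValueError("kkdcp residual is not an https URL")
            accepted.append((rec["label"], rec["priority"], rec["residual"]))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    accepted.sort()  # per owner label, lower priority value is tried first
    return ["%s = %s" % (RELATION[l], u) for l, _, u in accepted], rejected

if __name__ == "__main__":
    print(implied_client_config(SAMPLE_ZONE))
```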