Bug 1109919

Summary: Backport https support into libkrb5
Product: Red Hat Enterprise Linux 7
Reporter: Nalin Dahyabhai <nalin>
Component: krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA
QA Contact: Patrik Kis <pkis>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.0
CC: mkosek, npmccallum, pkis, rmainz
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: krb5-1.12.2-7.el7
Doc Type: Enhancement
Doc Text:
Feature: Support for contacting KDCs and kpasswd servers via HTTPS proxies which implement the KKDCP protocol has been backported.
Reason: The Kerberos client libraries could not communicate with KDCs or kpasswd servers in environments where realm services were only accessible via a KKDCP proxy.
Result: When a realm's configuration specifies the location of a realm's KDC or kpasswd server in the form of an HTTPS URI, the Kerberos client library will now use KKDCP to communicate with the server.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 10:00:56 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Nalin Dahyabhai 2014-06-16 15:45:28 UTC
Description of problem:
We'd like for Kerberos clients to be able to access KDCs and password changing services over https proxies, via the [MS-KKDCP] support that's planned for krb5 1.13.  If we don't end up jumping to that in the next update, we're going to want to backport it.

Version-Release number of selected component (if applicable):
krb5-1.11.3-49.el7

How reproducible:
Always

Steps to Reproduce:
1. Stand up a Windows Server with the KDC Proxy Service running, or a web server with python kdcproxy.
2. Configure /etc/krb5.conf with 'kdc' and 'kpasswd_server' entries only in the form of https URLs and with the server's CA as a trusted anchor, either in the default locations or via explicit configuration.
3. Attempt each of 'kinit' (AS request), 'kvno' (TGS request), and 'kpasswd' (kpasswd request).

Actual results:
Each fails because the library doesn't know how to even parse HTTPS URLs, much less use them.

Expected results:
Each should succeed.
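As an added example (not part of the bug report or of the krb5 project's own documentation), the /etc/krb5.conf fragment below spells out the step 2 configuration: every KDC and kpasswd location for the realm is given only as an HTTPS URI, so a library without KKDCP support has no fallback. The realm name, proxy hostname and CA bundle path are placeholders; http_anchors is the krb5 option for naming the proxy's CA explicitly instead of relying on the system store.

```ini
# Added example, not from the bug report: krb5.conf for a realm reachable
# only through a KKDCP proxy. EXAMPLE.COM, kdcproxy.example.com and the
# CA bundle path are placeholders to be replaced with real values.
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        # An https:// value selects the KKDCP transport (krb5 1.13, or the
        # backport in krb5-1.12.2-7.el7). /KdcProxy is the path served by
        # the Windows KDC Proxy Service; python-kdcproxy is usually mounted
        # at the same path. No plain host:port entries are listed, so the
        # AS, TGS and kpasswd exchanges all go through the proxy.
        kdc = https://kdcproxy.example.com/KdcProxy
        kpasswd_server = https://kdcproxy.example.com/KdcProxy

        # Trust anchor for the proxy's TLS certificate. Omit this line to
        # use the default CA locations instead (the other option in step 2).
        http_anchors = FILE:/etc/pki/tls/certs/kdcproxy-ca.pem
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

With this file in place, the three commands from step 3 (kinit, kvno, kpasswd) exercise the AS, TGS and kpasswd paths over the proxy; on krb5-1.11.3-49.el7 each fails exactly as described under "Actual results", and on the fixed package each succeeds.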

Comment 5 errata-xmlrpc 2015-03-05 10:00:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0439.html