Bug 908323

Summary: Turn off rdns by default in krb5
Product: [Fedora] Fedora Reporter: Stef Walter <stefw>
Component: krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: dpal, nalin, nathaniel, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: krb5-1.11-2.fc19 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 908324 (view as bug list) Environment:
Last Closed: 2013-02-08 15:57:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 908324, 949853, 1286211    

Description Stef Walter 2013-02-06 12:40:43 UTC 
krb5 uses reverse DNS records for creating service principals from host names. This is non-standard behavior. Apparently most other clients do not do this, and the RFC 4120 does not specify this behavior.

Being the only client that uses PTR records for this purposes causes problems, as unfortunately realms often have missing or incorrect information present in PTR records.

We should change the builtin default behavior to match other clients. Upstream is considering such a change:

http://mailman.mit.edu/pipermail/kerberos/2011-July/017313.html

Because this represents a change in defaults, we should make this happen in RHEL 7 (rather than a point release) and Fedora 19.

The previous behavior would still be available by changing the krb5.conf.

This is related to: https://fedoraproject.org/wiki/Features/LessBrittleKerberos
Comment 1 Nalin Dahyabhai 2013-02-08 15:57:23 UTC 
Changing the setting in /etc/krb5.conf in krb5-1.11-2.fc19.  The hardwired default remains unchanged.
Comment 2 Stef Walter 2013-02-11 08:21:31 UTC 
Part of the work in Fedora 18 was to allow use of kerberos wîthout a krb5.conf. 

Are you sure we want to have our kerberos behavior dictated by always having a krb5.conf present? Or perhaps for Fedora 19 we could change the default in a file, but in RHEL 7 we actually change the hardwired default?

What do you think?
Comment 3 Simo Sorce 2013-02-11 16:31:01 UTC 
Stef,
we discussed the default with upstream.
The long term plan there is to make most of resolution eventually go through the KDC, so that clients configuration is not so overwhelmingly fragile.

In order to maintain backwards compatibility upstream suggest to not change the actual internal default, but only change the default configuration file.

This way existing deployments that rely on PTR record resolution and distribute krb5.conf files via things like puppet won't be broken.

I would argue preserving the classic behavior in RHEL7 is probably more important than Fedora 19.
Comment 4 Stef Walter 2013-02-12 07:49:35 UTC 
The main thing we don't achieve by this is fixing the RDNS problems for users who upgrade their systems. It doesn't seem possible to solve both:

 * Keep compatibility for existing deployments that rely on PTR records
 * Unbreaking kerberos for upgraded Fedora installs on invalid or non-existent
   PTR records
   
But I'm fine with the trade-off upstream has chosen. Perhaps we might revisit this later, once upstream has worked done their KDC work. Thanks for explaining.