RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1914618 - missing _kerberos._udp.dc._msdcs in Windows AD when integrated with IDM
Summary: missing _kerberos._udp.dc._msdcs in Windows AD when integrated with IDM
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.8
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
: ---
Assignee: Florence Blanc-Renaud
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-01-10 09:49 UTC by kevin
Modified: 2023-09-15 00:58 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-01-29 08:56:17 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description kevin 2021-01-10 09:49:21 UTC 
Description of problem:

Hello,

I've been working with idm ad integration for some time now.
But one thing has always confused me.

According our official RHEL document mention,we must check the dns to see if the dns records resolve.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/trust-during

dig +short -t SRV _kerberos._udp.idm.example.com.
dig +short -t SRV _ldap._tcp.idm.example.com.
dig +short -t TXT _kerberos.idm.example.com.
dig +short -t SRV _ldap._tcp.dc._msdcs.ad.example.com.
dig +short -t SRV _kerberos._udp.dc._msdcs.ad.example.com.

The last one will always fail because by default ms-ad does not generate
such a record.
However there is always a tcp record.
dig +short -t SRV _kerberos._tcp.dc._msdcs.ad.example.com.

Can freeipa work with the tcp record as well, or is it vital that you
create a udp record for freeipa to work properly?
Comment 2 Alexander Bokovoy 2021-01-10 12:49:28 UTC 
The process is much more than just verifying DNS SRV records. It includes AD DC discovery according to Active Directory specifications.

This discovery process actually happens on *both* sides -- AD DCs will do the same discovery against IPA trust controller when asked to verify trust.

This is covered in the [MS-ADTS] specification, section 6.3.6, Locating Domain Controller, which has two parts:

1. Locating Domain Controller using DNS-based discovery:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/7fcdce70-5205-44d6-9c3a-260e616a2f04

2. Locating Domain Controller using NetbIOS-based discovery:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/bbd104fb-7d78-44d5-9e50-48ea120a0d91

Perhaps, more commonly this described in section 6.3 itself:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/8ebcf782-87fd-4dc3-8585-1301569dfe4f

Both approaches require communication with the target domain controller using what is called 'LDAP ping' or 'Mailslot ping' (in the NetBIOS-based discovery). The backend operation is the same, just the protocol to send 'ping' is different. DNS-based discovery sends it over LDAP UDP:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/59614181-6ddd-4f46-8603-5e716737c99a

Microsoft also has the troubleshooting article which digests this information in more user-friendly way:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/how-domain-controllers-are-located

In conclusion, there is more to verify than just SRV records and the way it is done also depends on whether firewall is permitting the access. We have to adhere to AD requirements, so it is all described in AD documentation and not in RHEL IdM documentation.

Now, to your specific question about _kerberos._udp.dc._msdcs records. Depending on the type of an AD DC, this record can be registered or can be missing. Non-RODC domain controllers should have UDP SRV record but practice show that many administrators omit it -- a reason is that PAC records in the Kerberos tickets are larger than what UDP transport can take and thus most likely a retransmission will be required using TCP transport.

This is covered in [MS-ADTS] 6.3.2.3 'SRV Records': https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/c1987d42-1847-4cc9-acf7-aab2136d6952. 

On IPA side, we configure MIT Kerberos to always try TCP transport instead of UDP. We set

  udp_preference_limit = 0

in /etc/krb5.conf to disable UDP transport in Kerberos protocol and use TCP directly. If you have clients that do not have this setting in krb5.conf, they'd try UDP first and thus would require UDP SRV records to exist.
Comment 3 Alexander Bokovoy 2021-01-28 06:41:05 UTC 
Kevin, does my comment 2 address your questions?
I am considering to close this bug because there is nothing actionable left for us.
Comment 4 kevin 2021-01-29 08:44:46 UTC 
CLOSED
Comment 5 kevin 2021-01-29 08:48:22 UTC 
I want to close this bug, but I don't know where can modify the status to close
Comment 6 Alexander Bokovoy 2021-01-29 08:56:17 UTC 
Thanks. Closing.
Comment 7 Red Hat Bugzilla 2023-09-15 00:58:01 UTC 
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days
Note You need to log in before you can comment on or make changes to this bug.