Bug 908323 - Turn off rdns by default in krb5
Summary: Turn off rdns by default in krb5
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 908324 949853 1286211
 
Reported: 2013-02-06 12:40 UTC by Stef Walter
Modified: 2015-11-27 12:33 UTC (History)

Fixed In Version: krb5-1.11-2.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 908324 (view as bug list)
Environment:
Last Closed: 2013-02-08 15:57:23 UTC
Type: Bug
Embargoed:



Description Stef Walter 2013-02-06 12:40:43 UTC
krb5 uses reverse DNS records for creating service principals from host names. This is non-standard behavior. Apparently most other clients do not do this, and RFC 4120 does not specify this behavior.

Being the only client that uses PTR records for this purpose causes problems, as unfortunately realms often have missing or incorrect information present in PTR records.

We should change the builtin default behavior to match other clients. Upstream is considering such a change:

http://mailman.mit.edu/pipermail/kerberos/2011-July/017313.html

Because this represents a change in defaults, we should make this happen in RHEL 7 (rather than a point release) and Fedora 19.

The previous behavior would still be available by changing the krb5.conf.

This is related to: https://fedoraproject.org/wiki/Features/LessBrittleKerberos
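To make the failure mode concrete, here is an added example (not code from the bug or from krb5 itself) that models how a client turns a host name into a service principal with and without reverse-DNS canonicalization; the DNS data is a constructed in-memory table with a stale PTR record, and the function and class names are assumptions.

```python
# Added example (not from the bug or the krb5 source): a simplified model of how a
# Kerberos client builds "service/host@REALM" with and without rdns canonicalization.
from dataclasses import dataclass, field


@dataclass
class FakeDns:
    """Constructed stand-in for forward (CNAME/A) and reverse (PTR) lookups."""
    cname: dict = field(default_factory=dict)   # alias -> canonical name
    a: dict = field(default_factory=dict)       # name -> IPv4 address
    ptr: dict = field(default_factory=dict)     # address -> name from PTR record

    def forward(self, name):
        name = self.cname.get(name, name)       # follow one CNAME as a resolver would
        return name, self.a[name]

    def reverse(self, addr):
        return self.ptr.get(addr)               # None when the PTR record is missing


def service_principal(host, realm, dns, rdns=True, service="host"):
    """Return service/canonical-host@REALM as the client would request it.

    rdns=True mirrors the historical behaviour the bug describes: after the forward
    lookup, the address is resolved back via PTR and that name replaces the forward
    name. rdns=False uses only the forward-resolved canonical name.
    """
    canonical, addr = dns.forward(host.lower())
    if rdns:
        ptr_name = dns.reverse(addr)
        if ptr_name:                            # missing PTR: keep the forward name
            canonical = ptr_name.lower()
    return f"{service}/{canonical}@{realm}"


# Constructed zone: the PTR for 192.0.2.10 still names the old box, the kind of
# incorrect reverse record the bug report says realms often carry. kdc has no PTR.
DNS = FakeDns(
    cname={"www.example.com": "web.example.com"},
    a={"web.example.com": "192.0.2.10", "kdc.example.com": "192.0.2.1"},
    ptr={"192.0.2.10": "oldweb.example.com"},
)

if __name__ == "__main__":
    for flag in (True, False):
        print(f"rdns={flag}:",
              service_principal("www.example.com", "EXAMPLE.COM", DNS, rdns=flag))
```

With rdns on, the client asks the KDC for a ticket for host/oldweb.example.com, a principal the KDC has no key for, so authentication to the real web host fails; with rdns off it asks for host/web.example.com, which matches the keytab the host actually holds.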

Comment 1 Nalin Dahyabhai 2013-02-08 15:57:23 UTC
Changing the setting in /etc/krb5.conf in krb5-1.11-2.fc19.  The hardwired default remains unchanged.

Comment 2 Stef Walter 2013-02-11 08:21:31 UTC
Part of the work in Fedora 18 was to allow use of kerberos without a krb5.conf.

Are you sure we want to have our kerberos behavior dictated by always having a krb5.conf present? Or perhaps for Fedora 19 we could change the default in a file, but in RHEL 7 we actually change the hardwired default?

What do you think?

Comment 3 Simo Sorce 2013-02-11 16:31:01 UTC
Stef,
we discussed the default with upstream.
The long term plan there is to make most of resolution eventually go through the KDC, so that client configuration is not so overwhelmingly fragile.

In order to maintain backwards compatibility upstream suggests to not change the actual internal default, but only change the default configuration file.

This way existing deployments that rely on PTR record resolution and distribute krb5.conf files via things like puppet won't be broken.

I would argue preserving the classic behavior in RHEL7 is probably more important than Fedora 19.

Comment 4 Stef Walter 2013-02-12 07:49:35 UTC
The main thing we don't achieve by this is fixing the RDNS problems for users who upgrade their systems. It doesn't seem possible to solve both:

 * Keep compatibility for existing deployments that rely on PTR records
 * Unbreaking kerberos for upgraded Fedora installs on invalid or non-existent PTR records

But I'm fine with the trade-off upstream has chosen. Perhaps we might revisit this later, once upstream has done their KDC work. Thanks for explaining.

