Bug 908323 - Turn off rdns by default in krb5
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: krb5
Version: rawhide
Assigned To: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
Blocks: 908324 949853 1286211
Reported: 2013-02-06 07:40 EST by Stef Walter
Modified: 2015-11-27 07:33 EST (History)
Fixed In Version: krb5-1.11-2.fc19
Doc Type: Bug Fix
Clones: 908324
Last Closed: 2013-02-08 10:57:23 EST
Type: Bug
Description Stef Walter 2013-02-06 07:40:43 EST
krb5 uses reverse DNS records for creating service principals from host names. This is non-standard behavior. Apparently most other clients do not do this, and RFC 4120 does not specify this behavior.

Being the only client that uses PTR records for this purpose causes problems, as unfortunately realms often have missing or incorrect information present in PTR records.

We should change the builtin default behavior to match other clients. Upstream is considering such a change:

http://mailman.mit.edu/pipermail/kerberos/2011-July/017313.html

Because this represents a change in defaults, we should make this happen in RHEL 7 (rather than a point release) and Fedora 19.

The previous behavior would still be available by changing the krb5.conf.

This is related to: https://fedoraproject.org/wiki/Features/LessBrittleKerberos
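The mechanism the description refers to, as an added illustration that is not part of this bug report or of krb5's source: a simplified Python model of how a client turns a host name into a host/ service principal with rdns on versus off, and how an rdns key in [libdefaults] overrides the library's built-in default. The DNS records and krb5.conf fragments are constructed; the lookup order (forward resolution, then an optional PTR lookup that falls back to the forward name) and the accepted boolean spellings are assumptions based on krb5's documented behavior, not its code.

```python
"""Simplified model of how a Kerberos client builds a host-based service
principal (host/<fqdn>@REALM) from a host name, with reverse DNS (rdns)
on or off.  Added illustration: the DNS records below are constructed and
the lookup steps are a simplified model of krb5's behaviour, not its code."""

# Constructed forward records: queried name -> (canonical name, address).
# alias.example.com stands in for a CNAME pointing at www.example.com.
FORWARD = {
    "www.example.com":   ("www.example.com", "192.0.2.10"),
    "alias.example.com": ("www.example.com", "192.0.2.10"),
    "db.example.com":    ("db.example.com",  "192.0.2.20"),
}

# Constructed PTR records: address -> name.  The second one is stale, the
# kind of incorrect reverse data the bug report complains about.
REVERSE = {
    "192.0.2.10": "www.example.com",
    "192.0.2.20": "old-db.example.com",
}

# Boolean spellings accepted in krb5.conf (assumption from the documented
# profile syntax; compared case-insensitively).
_TRUE = {"y", "yes", "true", "t", "1", "on"}
_FALSE = {"n", "no", "false", "nil", "f", "0", "off"}


def libdefaults(krb5_conf_text):
    """Return the key/value pairs of the [libdefaults] section.

    A deliberately small parser: it handles 'key = value' lines, '#'/';'
    comments and section headers, and skips brace-delimited subsections,
    which is enough for the libdefaults keys this example cares about.
    """
    section = None
    found = {}
    for raw in krb5_conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or line in ("{", "}"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            found[key.strip().lower()] = value.strip()
    return found


def rdns_enabled(krb5_conf_text, hardwired_default=True):
    """Effective rdns setting: the config value if present, otherwise the
    library's built-in default (true in the krb5 builds discussed above)."""
    value = libdefaults(krb5_conf_text).get("rdns")
    if value is None:
        return hardwired_default
    v = value.lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    raise ValueError(f"unrecognised boolean for rdns: {value!r}")


def service_principal(hostname, realm, rdns, forward=FORWARD, reverse=REVERSE):
    """Build host/<name>@REALM the way a client does:
    1. forward-resolve the name (following aliases to the canonical name);
    2. if rdns is on, replace it with the PTR name for the address, keeping
       the forward name when no PTR record exists."""
    canonical, addr = forward.get(hostname.lower().rstrip("."), (None, None))
    if canonical is None:
        raise LookupError(f"no forward record for {hostname}")
    name = canonical
    if rdns:
        name = reverse.get(addr, canonical)
    return f"host/{name}@{realm}"


def compare(hostname, realm="EXAMPLE.COM"):
    """Principals the client would request for hostname with rdns on and off."""
    return {
        "rdns=true": service_principal(hostname, realm, rdns=True),
        "rdns=false": service_principal(hostname, realm, rdns=False),
    }


if __name__ == "__main__":
    # Constructed krb5.conf fragments: one carrying an explicit rdns = false,
    # one without the key, which falls back to the built-in default.
    shipped = "[libdefaults]\n default_realm = EXAMPLE.COM\n rdns = false\n"
    bare = "[libdefaults]\n default_realm = EXAMPLE.COM\n"
    print("rdns with explicit rdns = false:", rdns_enabled(shipped))
    print("rdns with no rdns key:          ", rdns_enabled(bare))
    for host in ("alias.example.com", "db.example.com"):
        print(host, compare(host))
```

The db.example.com case is the failure the report describes: with rdns on, the stale PTR record makes the client ask for a ticket for host/old-db.example.com, which the KDC has no key for; with rdns off, the forward name is used and the request succeeds. The alias case shows that turning rdns off does not lose CNAME canonicalization, which happens in the forward step.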
Comment 1 Nalin Dahyabhai 2013-02-08 10:57:23 EST
Changing the setting in /etc/krb5.conf in krb5-1.11-2.fc19.  The hardwired default remains unchanged.
Comment 2 Stef Walter 2013-02-11 03:21:31 EST
Part of the work in Fedora 18 was to allow use of kerberos without a krb5.conf.

Are you sure we want to have our kerberos behavior dictated by always having a krb5.conf present? Or perhaps for Fedora 19 we could change the default in a file, but in RHEL 7 we actually change the hardwired default?

What do you think?
Comment 3 Simo Sorce 2013-02-11 11:31:01 EST
Stef,
we discussed the default with upstream.
The long term plan there is to make most of resolution eventually go through the KDC, so that client configuration is not so overwhelmingly fragile.

In order to maintain backwards compatibility upstream suggests not changing the actual internal default, but only changing the default configuration file.

This way existing deployments that rely on PTR record resolution and distribute krb5.conf files via things like puppet won't be broken.

I would argue preserving the classic behavior in RHEL7 is probably more important than Fedora 19.
Comment 4 Stef Walter 2013-02-12 02:49:35 EST
The main thing we don't achieve by this is fixing the RDNS problems for users who upgrade their systems. It doesn't seem possible to solve both:

 * Keep compatibility for existing deployments that rely on PTR records
 * Unbreak kerberos for upgraded Fedora installs on invalid or non-existent PTR records

But I'm fine with the trade-off upstream has chosen. Perhaps we might revisit this later, once upstream has done their KDC work. Thanks for explaining.