Compatibility between mixed kerberos release (KDC 1.12 client 1.10).

Todd Grayson
Hi,

Is there any general wisdom out there about mixed KDC/Client versions?  Are
there concerns around allowing environments to drift to where a KDC would be
on a later release than the clients?

There seems to be a change in default behavior in the 1.12+ where renewable
tickets must be specifically requested (RHEL 7 is including the 1.12 as the
tested krb release in platform).

Have there been any other gotchas that folks have run into that are worthy
of note?

For example, a mixed OS environment where CentOS 7 is the KDC, at 1.12, and
the clients are all CentOS 6.x, landlocked at the 1.10x release?

Thanks in advance!



--
Todd Grayson
Customer Operations Engineering
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Compatibility between mixed kerberos release (KDC 1.12 client 1.10).

Ken Hornstein
>Is there any general wisdom out there about mixed KDC/Client versions?  Are
>there concerns around allowing environments drift to where a KDC would be
>on a later release than the clients?

FWIW, we run a whole bunch of crazy versions of Kerberos, and generally
there is not an interoperability problem; the protocol is pretty well
specified and in general everything works fine at that level.

>There seems to be a change in default behavior in the 1.12+ where renewable
>tickets must be specifically requested (RHEL 7 is including the 1.12 as the
>tested krb release in platform).

This is more of a problem, but I don't consider this an interoperability
issue.

--Ken

Re: Compatibility between mixed kerberos release (KDC 1.12 client 1.10).

Benjamin Kaduk-2
On Wed, 29 Jul 2015, Ken Hornstein wrote:

> >Is there any general wisdom out there about mixed KDC/Client versions?  Are
> >there concerns around allowing environments drift to where a KDC would be
> >on a later release than the clients?
>
> FWIW, we run a whole bunch of crazy versions of Kerberos, and generally
> there is not an interoperability problem; the protocol is pretty well
> specified and in general everything works fine at that level.

Yes; it is expected that any implementation of the kerberos protocol can
successfully talk to a peer running a different implementation, including
the case where the peers differ only by software version and have a common
lineage.

> >There seems to be a change in default behavior in the 1.12+ where renewable
> >tickets must be specifically requested (RHEL 7 is including the 1.12 as the
> >tested krb release in platform).
>
> This is more of a problem, but I don't consider this an interoperability
> issue.

That sort-of calls to mind
https://github.com/krb5/krb5/commit/4f551a7ec126c52ee1f8fea4c3954015b70987bd,
and makes me wonder what the actual lifetimes in the request are (and the
max permitted by the KDC).

-Ben

Re: Compatibility between mixed kerberos release (KDC 1.12 client 1.10).

Todd Grayson
In reply to this post by Ken Hornstein
Actually the krbtgt got generated without a renewable life value (was at
0), missed this during the troubleshooting, so nothing other than the need
to express renew lifetime properly in the configuration.  Thanks though for
the feedback.

On Wed, Jul 29, 2015 at 8:06 PM, Ken Hornstein <[hidden email]> wrote:



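A check an admin could script for the root cause found in this post (a krbtgt principal with a renewable life of 0) and for the 1.12+ point that renewal has to be requested; this is an added example, not code from the thread or from MIT krb5, and the KDC decision in effective_renew_life is a simplified model (assumed here) of how the KDC caps renewable life by the client principal, the krbtgt principal and the realm setting. The sample kadmin output and krb5.conf fragment are constructed.

```python
import re

# Constructed sample inputs (not from the thread): the output an admin sees from
# `kadmin.local getprinc krbtgt/EXAMPLE.COM`, and a [libdefaults] section.
GETPRINC_KRBTGT = """\
Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 0 days 00:00:00
"""
KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    ticket_lifetime = 24h
#   renew_lifetime = 7d
"""

def parse_kadmin_life(getprinc_output, field):
    """Return a kadmin 'N day(s) HH:MM:SS' field as seconds (0 if missing)."""
    m = re.search(rf"^{field}: (\d+) days? (\d+):(\d+):(\d+)$", getprinc_output, re.M)
    if not m:
        return 0
    d, h, mi, s = (int(x) for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def parse_duration(text):
    """Parse krb5.conf style durations: '7d', '10h', '1h30m', '3600', 'HH:MM:SS'."""
    text = text.strip()
    if text.isdigit():
        return int(text)
    if ":" in text:
        h, mi, s = (int(x) for x in text.split(":"))
        return h * 3600 + mi * 60 + s
    unit = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
    return sum(int(n) * unit[u] for n, u in re.findall(r"(\d+)([wdhms])", text))

def requested_renew_life(krb5_conf):
    """renew_lifetime from [libdefaults]; 0 means kinit will not ask for a renewable TGT."""
    m = re.search(r"^\s*renew_lifetime\s*=\s*(\S+)", krb5_conf, re.M)
    return parse_duration(m.group(1)) if m else 0

def effective_renew_life(requested, client_max, krbtgt_max, realm_max, ticket_life):
    """Assumed, simplified KDC model: renewable life is the smallest of the request,
    the client principal cap, the krbtgt cap and the realm cap; if that does not
    exceed the ticket life the ticket is simply not renewable. Returns (secs, why)."""
    if requested == 0:
        return 0, "client did not request a renewable ticket (no -r / renew_lifetime)"
    caps = {"client principal": client_max, "krbtgt principal": krbtgt_max,
            "realm max_renewable_life": realm_max, "request": requested}
    name, life = min(caps.items(), key=lambda kv: kv[1])
    if life <= ticket_life:
        return 0, f"renewable life capped at {life}s by {name}, not beyond ticket life"
    return life, f"renewable for {life}s, limited by {name}"

# Diagnose this post's situation: krbtgt created with a renewable life of 0.
krbtgt_max = parse_kadmin_life(GETPRINC_KRBTGT, "Maximum renewable life")
ticket_life = parse_kadmin_life(GETPRINC_KRBTGT, "Maximum ticket life")
print(effective_renew_life(parse_duration("7d"), parse_duration("7d"), krbtgt_max,
                           parse_duration("7d"), ticket_life))
```

Running it with the constructed inputs reports that the krbtgt principal caps the renewable life at 0; raising it (for example with kadmin's modprinc -maxrenewlife) and uncommenting renew_lifetime are the two settings the check is looking for.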

Re: Compatibility between mixed kerberos release (KDC 1.12 client 1.10).

Todd Grayson
In reply to this post by Benjamin Kaduk-2
Interesting, I'll take a look, thanks!

On Wed, Jul 29, 2015 at 8:12 PM, Benjamin Kaduk <[hidden email]> wrote:




certificate revocation checking in pkinit in KDC

Jim Shi
Hi,
Is it possible to check if a certificate is revoked against a URL in MIT KDC?

I looked at the KDC code. It seems to be using a static file, not a web URL?


Thanks
Jim




Re: certificate revocation checking in pkinit in KDC

Ken Hornstein
>Is it possible to check if a certificate is revoked against a URL  in MIT KDC?

Currently the answer is 'no' with the MIT implementation.  We have code
here at NRL which does that (I'm assuming you mean checking using OCSP),
and it's pretty straightforward.  It's on my medium term to-do list to
contribute that code to MIT for inclusion in their pkinit plugin, but sadly
I've been busy with other things.

--Ken


Re: Compatibility between mixed kerberos release (KDC 1.12 client 1.10).

John Devitofranceschi
In reply to this post by Todd Grayson

> On Jul 29, 2015, at 5:46 PM, Todd Grayson <[hidden email]> wrote:
>
> Hi,
>
> Is there any general wisdom out there about mixed KDC/Client versions?  Are
> there concerns around allowing environments drift to where a KDC would be
> on a later release than the clients?
>

There was this one:

http://krbdev.mit.edu/rt/Ticket/Display.html?id=7714

That concerns an issue with older Solaris clients using MIT KDCs >= 1.11

Greg helped me come up with a patch for this that works with 1.13, but the real answer is to patch your old Solaris systems!

jd


Re: Compatibility between mixed kerberos release (KDC 1.12 client 1.10).

Todd Grayson
Ah good to know about, thanks!

On Mon, Aug 3, 2015 at 5:18 AM, John Devitofranceschi <[hidden email]>
wrote:

