ipa-client-install: unilaterally set dns_lookup_kdc to True

Previously, dns_lookup_kdc was only set to True if DNS
discovery worked or if the KDC was not specified on the
command-line.

Setting dns_lookup_kdc to False would result in a hardcoded
configuration which is less reliable in the long run.
For instance, adding a trust to an Active Directory forest
after clients are enrolled would result in clients not being
able to authenticate AD users. Recycling FreeIPA servers
could prove problematic if the original hostnames are not
reused too.

Change summary:
Always set dns_lookup_kdc to True on client enrollment.
With this change, DNS SRV search will always be performed
before looking into /etc/krb5.conf realm entries.

Fixes: https://pagure.io/freeipa/issue/6523
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
François Cami 2020-12-15 09:50:57 +01:00 committed by Alexander Bokovoy
parent 18a1e7ee5c
commit e7827a6f0c

@ -693,16 +693,15 @@ def configure_krb5_conf(
if not dnsok or not cli_kdc or force:
libopts.extend([
krbconf.setOption('dns_lookup_realm', 'false'),
krbconf.setOption('dns_lookup_kdc', 'false')
])
else:
libopts.extend([
krbconf.setOption('dns_lookup_realm', 'true'),
krbconf.setOption('dns_lookup_kdc', 'true')
])
libopts.extend([
krbconf.setOption('rdns', 'false'),
krbconf.setOption('dns_canonicalize_hostname', 'false'),
krbconf.setOption('dns_lookup_kdc', 'true'),
krbconf.setOption('ticket_lifetime', '24h'),
krbconf.setOption('forwardable', 'true'),
krbconf.setOption('udp_preference_limit', '0')
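Review bot: with `dns_lookup_kdc` removed from both branches of `if not dnsok or not cli_kdc or force:`, that conditional now governs only `dns_lookup_realm`, but nothing in the hunk says so; a one-line comment above the `if` (e.g. "# dns_lookup_kdc is always enabled below; this block only decides dns_lookup_realm") would stop the next reader from assuming the `else` branch still covers KDC discovery. The same lines show that `force` used to pin `dns_lookup_kdc` to `'false'` and no longer influences it at all, so the help text for that option should be checked for a stale promise that forcing disables DNS KDC lookup. The new unconditional `krbconf.setOption('dns_lookup_kdc', 'true')` line itself matches the commit message.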