----- Original Message -----
> Hi all,
>
> I configured an IPA client using the FreeIPA 4.2 KDC Proxy something like
> this:
>
> ~
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ~
> [realms]
> LINUX.EXAMPLE.COM = {
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>   http_anchors = FILE:/etc/ipa/ca.crt
>   kdc = https://ipa1.linux.example.com/KdcProxy
>   kpasswd_server = https://ipa1.linux.example.com/KdcProxy
> }
>
> Now, this seems to work well. I blocked port 88 towards all KDCs, used some
> tcpdump and yes: only port 443 towards the IPA server is being used and
> kinit will give me a TGT.
>
> However, I do have a trust to a Windows AD server. I would expect something
> like this:
>
> ipa-client cannot access the Windows AD server
> ipa-server however can
> ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
> IPA KDC proxy
>
> Now, of course kinit winu...@windows.example.com will give:
>
> [root@ipa-client7 etc]# kinit winu...@windows.example.com
> kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
> credentials
>
> Adding something like this to krb5.conf won't work, still the same error
> message:
>
> WINDOWS.BLABLA.BLA = {
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>   http_anchors = FILE:/etc/ipa/ca.crt
>   kdc = https://ipa1.linux.example.com/KdcProxy
>   kpasswd_server = https://ipa1.linux.example.com/KdcProxy
> }
>
> Now, is it possible to use the IPA server as a proxy for the trusted Windows
> domain? How...?

You need to have a WINDOWS.EXAMPLE.COM definition on the IPA client that points to the KDC proxy _and_ WINDOWS.EXAMPLE.COM on the IPA master should point to AD DCs.
The latter one should not use the proxy but rather specify the KDCs properly. Alternatively you should have dns_lookup_kdc = true.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
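As an added check that is not part of the thread, this Python script parses the [realms] stanzas of both krb5.conf files and reports the two mistakes the reply warns about: a client with no entry for the AD realm (or one not pointing at the proxy), and a master whose entry points back at the KdcProxy URL instead of at the AD DCs. The DC hostname dc1.windows.example.com and the config fragments are assumed/constructed.

```python
# Added checker (not from the thread): flag the krb5.conf mistakes that leave
# the IPA client with "Cannot find KDC for realm". Hostnames are assumed.
import re
# Constructed krb5.conf fragments modelled on the thread.
CLIENT_CONF = """
[realms]
 WINDOWS.EXAMPLE.COM = {
  kdc = https://ipa1.linux.example.com/KdcProxy
 }
"""
MASTER_CONF = """
[realms]
 WINDOWS.EXAMPLE.COM = {
  kdc = dc1.windows.example.com
 }
"""
def parse_realms(text):
    """Return {REALM: [kdc values]} from the [realms] section."""
    realms, section, current = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):                      # section header
            section = line.strip("[]").lower()
        elif section != "realms":
            continue
        elif (m := re.match(r"^(\S+)\s*=\s*\{$", line)):  # REALM = {
            current = m.group(1)
            realms.setdefault(current, [])
        elif line == "}":
            current = None
        elif current and line.startswith("kdc"):
            realms[current].append(line.split("=", 1)[1].strip())
    return realms

def check_proxy_chain(client_text, master_text, realm):
    """Problems with proxying REALM through the IPA master ([] means OK)."""
    issues = []
    client = parse_realms(client_text).get(realm)
    master = parse_realms(master_text).get(realm)
    if not client:
        issues.append(f"client: no [realms] entry for {realm}")
    elif not all(k.startswith("https://") for k in client):
        issues.append(f"client: {realm} kdc is not a KDC proxy URL")
    if not master:
        issues.append(f"master: no [realms] entry for {realm}")
    elif any("KdcProxy" in k for k in master):
        issues.append(f"master: {realm} kdc points back at the proxy, not at AD DCs")
    return issues
```

Run check_proxy_chain on the real files from both hosts; an empty list means the client-to-master-to-DC chain is wired the way the reply describes.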