On Fri, 22 Jan 2016, Christian Heimes wrote:
On 2016-01-22 11:57, Alexander Bokovoy wrote:
----- Original Message -----
Hi all,

I configured an IPA client using the FreeIPA 4.2 KDC Proxy something like
this:

~
dns_lookup_realm = false
dns_lookup_kdc = false
~
[realms]
LINUX.EXAMPLE.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
http_anchors = FILE:/etc/ipa/ca.crt
kdc = https://ipa1.linux.example.com/KdcProxy
kpasswd_server = https://ipa1.linux.example.com/KdcProxy
}

Now, this seems to work well. I blocked port 88 towards all KDCs, used some
tcpdump and yes: only port 443 towards the IPA server is being used and
kinit will give me a TGT.

However, I do have a trust to a Windows AD-server. I would expect something
like this:

ipa-client cannot access the windows AD server
ipa-server however can
ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
IPA KDC-proxy

Now, of course kinit winu...@windows.example.com will give:

[root@ipa-client7 etc]# kinit winu...@windows.example.com
kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
credentials

Adding something like this to krb5.conf won't work, still the same error
message:

WINDOWS.BLABLA.BLA = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
http_anchors = FILE:/etc/ipa/ca.crt
kdc = https://ipa1.linux.example.com/KdcProxy
kpasswd_server = https://ipa1.linux.example.com/KdcProxy
}


Now, is it possible to use the IPA-server as a proxy for the trusted Windows
Domain? How...?
You need to have a WINDOWS.EXAMPLE.COM definition on the IPA client that points
to the KDC proxy
_and_ WINDOWS.EXAMPLE.COM on the IPA master should point to AD DCs.

The latter one should not use the proxy but rather specify KDCs properly.
Alternatively you should have
 dns_lookup_kdc = true

For FreeIPA, python-kdcproxy has DNS lookup disabled. It only reads
config items from /etc/krb5.conf.

# cat /etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = false
Yes, either explicitly define realms that should be accessible via KDC
Proxy or enable use of DNS discovery.

The latter might be needed if there are multiple domains in AD forests
and AD DCs change over time.

--
/ Alexander Bokovoy
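The two-sided setup the replies describe, written out as an added example (not a configuration posted in this thread): the trusted AD realm is defined on the client to go through the proxy, while on the IPA master it points at real AD DCs, or the proxy is allowed to discover them via DNS. The AD DC hostnames are placeholders assumed for illustration.

```ini
# --- IPA client: /etc/krb5.conf (added example, hostnames assumed) ---
# Both the IPA realm and the trusted AD realm are reached only through the
# KDC proxy over HTTPS, so port 88 can stay blocked on the client network.
# http_anchors pins the CA the proxy's TLS certificate must chain to.
[libdefaults]
  dns_lookup_realm = false
  dns_lookup_kdc = false

[realms]
  LINUX.EXAMPLE.COM = {
    pkinit_anchors = FILE:/etc/ipa/ca.crt
    http_anchors = FILE:/etc/ipa/ca.crt
    kdc = https://ipa1.linux.example.com/KdcProxy
    kpasswd_server = https://ipa1.linux.example.com/KdcProxy
  }
  # The AD realm must also be defined on the client, pointing at the proxy;
  # without this stanza kinit fails with "Cannot find KDC for realm".
  WINDOWS.EXAMPLE.COM = {
    http_anchors = FILE:/etc/ipa/ca.crt
    kdc = https://ipa1.linux.example.com/KdcProxy
  }

# --- IPA master: /etc/krb5.conf (added example, DC names are placeholders) ---
# python-kdcproxy reads its realm list from this file. With use_dns = false it
# forwards only to realms listed here, so the AD realm must name the actual
# AD domain controllers, never the proxy URL itself.
[realms]
  WINDOWS.EXAMPLE.COM = {
    kdc = dc1.windows.example.com:88
    kdc = dc2.windows.example.com:88
  }

# --- IPA master, alternative: /etc/ipa/kdcproxy/kdcproxy.conf ---
# Let the proxy discover AD DCs via DNS SRV records instead of maintaining the
# explicit kdc list above; useful when the AD forest has several domains or
# its DCs change over time.
[global]
  configs = mit
  use_dns = true
```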

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
