Great,

Changing

/etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = false

to

# cat /etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = true

along with adding the windows realm to krb5.conf on the clients did the trick; I am able to obtain an AD TGT ticket by using the KDC proxy

Is there a special reason why "use_dns = false" was used in kdcproxy.conf?

Will this work on CentOS/RHEL 6 as well?

Winny

On 22-01-16 at 12:05, Christian Heimes wrote:
On 2016-01-22 11:57, Alexander Bokovoy wrote:
----- Original Message -----
Hi all,

I configured an IPA client using the FreeIPA 4.2 KDC Proxy something like
this:

~
dns_lookup_realm = false
dns_lookup_kdc = false
~
[realms]
LINUX.EXAMPLE.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
http_anchors = FILE:/etc/ipa/ca.crt
kdc = https://ipa1.linux.example.com/KdcProxy
kpasswd_server = https://ipa1.linux.example.com/KdcProxy
}

Now, this seems to work well, I blocked port 88 towards all KDCs, used some
tcpdump and yes: only port 443 towards the IPA server is being used and
kinit will give me a TGT.

However, I do have a trust to a Windows AD-server. I would expect something
like this:

ipa-client cannot access the windows AD server
ipa-server however can
ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
IPA KDC-proxy

Now, of course kinit winu...@windows.example.com will give:

[root@ipa-client7 etc]# kinit winu...@windows.example.com
kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
credentials

Adding something like this to krb5.conf won't work, still the same error
message:

WINDOWS.BLABLA.BLA = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
http_anchors = FILE:/etc/ipa/ca.crt
kdc = https://ipa1.linux.example.com/KdcProxy
kpasswd_server = https://ipa1.linux.example.com/KdcProxy
}


Now, is it possible to use the IPA-server as a proxy for the trusted Windows
Domain? How...?
You need to have WINDOWS.EXAMPLE.COM definition on the IPA client that points to the KDC proxy
_and_ WINDOWS.EXAMPLE.COM on IPA master should point to AD DCs.

The latter one should not use proxy but rather specify KDCs properly. Alternatively you should have 
 dns_lookup_kdc = true 
For FreeIPA python-kdcproxy has DNS lookup disabled. It only reads
config items from /etc/krb5.conf.

# cat /etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = false

Christian



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
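
The thread's fix hinges on two settings on two different hosts: the client's krb5.conf sends both realms to the HTTPS KDC proxy, while the proxy host's own krb5.conf (or, with use_dns = true, DNS SRV records) must say where the real KDCs for the trusted AD realm live. The following is an added example, not python-kdcproxy's or FreeIPA's code: a small model of how a proxy could pick forwarding targets for a realm, run over the three configurations from the thread. The krb5.conf and kdcproxy.conf texts are constructed, the AD DC names dc1/dc2.windows.example.com are assumed, and the SRV answers are a constructed in-memory table so it runs offline. Its first-match order (explicit entries, then DNS) is the example's own assumption.

```python
"""Model of a KDC proxy choosing where to forward a request for a realm,
based on the [realms] stanzas of the proxy host's krb5.conf and the use_dns
flag of kdcproxy.conf. Added example; not python-kdcproxy's own code.
All config texts, host names and SRV answers below are constructed."""
import re
from typing import Callable, Dict, List

# Constructed krb5.conf as on the IPA *client* in the thread: both realms are
# sent to the proxy over HTTPS, so port 88 is never needed from the client.
CLIENT_KRB5_CONF = """
[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
[realms]
 LINUX.EXAMPLE.COM = {
  kdc = https://ipa1.linux.example.com/KdcProxy
  kpasswd_server = https://ipa1.linux.example.com/KdcProxy
 }
 WINDOWS.EXAMPLE.COM = {
  kdc = https://ipa1.linux.example.com/KdcProxy
 }
"""

# Constructed krb5.conf on the IPA *master* (the proxy host) listing only its
# own realm; this is the state that yields "Cannot find KDC for realm".
MASTER_KRB5_CONF_NO_AD = """
[realms]
 LINUX.EXAMPLE.COM = {
  kdc = ipa1.linux.example.com:88
 }
"""

# Same host, with the trusted AD realm pointed at real DCs (assumed names),
# the "specify KDCs properly" option from the thread.
MASTER_KRB5_CONF_WITH_AD = MASTER_KRB5_CONF_NO_AD + """
 WINDOWS.EXAMPLE.COM = {
  kdc = dc1.windows.example.com:88
  kdc = dc2.windows.example.com:88
 }
"""

KDCPROXY_CONF_NO_DNS = "[global]\nconfigs = mit\nuse_dns = false\n"
KDCPROXY_CONF_DNS = "[global]\nconfigs = mit\nuse_dns = true\n"

# Constructed stand-in for DNS: SRV answers the proxy host would receive.
FAKE_SRV: Dict[str, List[str]] = {
    "_kerberos._tcp.windows.example.com.": ["dc1.windows.example.com:88"],
}


def fake_srv_lookup(name: str) -> List[str]:
    """Offline SRV resolver used in place of a real DNS query."""
    return FAKE_SRV.get(name, [])


def parse_realms(krb5_conf: str) -> Dict[str, List[str]]:
    """Return {REALM: [kdc, ...]} from the [realms] section of a krb5.conf text."""
    realms: Dict[str, List[str]] = {}
    section = realm = None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                       # new section header
            section, realm = m.group(1), None
            continue
        if section != "realms":
            continue
        m = re.match(r"([^\s=]+)\s*=\s*\{$", line)
        if m:                       # "REALM = {" opens a stanza
            realm = m.group(1)
            realms.setdefault(realm, [])
            continue
        if line == "}":
            realm = None
            continue
        m = re.match(r"kdc\s*=\s*(\S+)$", line)
        if m and realm:             # repeated kdc lines are allowed
            realms[realm].append(m.group(1))
    return realms


def parse_use_dns(kdcproxy_conf: str) -> bool:
    """Read use_dns from a kdcproxy.conf text; absent means false."""
    m = re.search(r"^\s*use_dns\s*=\s*(\w+)", kdcproxy_conf, re.M | re.I)
    return bool(m) and m.group(1).lower() in ("true", "yes", "1")


def kdcs_for_realm(realm: str, krb5_conf: str, kdcproxy_conf: str,
                   srv_lookup: Callable[[str], List[str]]) -> List[str]:
    """Explicit krb5.conf entries first; a _kerberos._tcp.<realm> SRV query
    only when use_dns is true; otherwise nothing to forward to."""
    explicit = parse_realms(krb5_conf).get(realm, [])
    if explicit:
        return explicit
    if parse_use_dns(kdcproxy_conf):
        return srv_lookup("_kerberos._tcp." + realm.lower() + ".")
    return []


def proxy_host_misconfig(krb5_conf: str) -> List[str]:
    """Realms whose kdc entries point at an HTTPS proxy URL. That is right on
    a client but wrong on the proxy host, which must list real KDCs."""
    return [r for r, kdcs in parse_realms(krb5_conf).items()
            if any(k.lower().startswith("https://") for k in kdcs)]


if __name__ == "__main__":
    ad = "WINDOWS.EXAMPLE.COM"
    print("master, no AD realm, use_dns=false:",
          kdcs_for_realm(ad, MASTER_KRB5_CONF_NO_AD, KDCPROXY_CONF_NO_DNS, fake_srv_lookup))
    print("master, no AD realm, use_dns=true: ",
          kdcs_for_realm(ad, MASTER_KRB5_CONF_NO_AD, KDCPROXY_CONF_DNS, fake_srv_lookup))
    print("master, AD realm listed:           ",
          kdcs_for_realm(ad, MASTER_KRB5_CONF_WITH_AD, KDCPROXY_CONF_NO_DNS, fake_srv_lookup))
    print("client-style file used on proxy host, realms pointing back at the proxy:",
          proxy_host_misconfig(CLIENT_KRB5_CONF))
```

One consequence visible in the model: with use_dns = false the proxy relays only to realms explicitly configured in its krb5.conf, while with use_dns = true any realm name a client puts in its request becomes a DNS SRV lookup made from the proxy host. Either fix from the thread (listing the AD DCs on the master, or turning on DNS lookups) makes the empty result above go away; the proxy_host_misconfig check catches the case where the client-style file is copied onto the master and the realm points back at the proxy itself.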
