[Freeipa-devel] kinit: Cannot contact any KDC for realm... from Freeipa clinet (Active Directory trust setup)

Sumit Bose sbose at redhat.com
Mon Oct 10 07:55:55 UTC 2016 

On Mon, Oct 10, 2016 at 09:43:24AM +0200, rajat gupta wrote:
> https://access.redhat.com/documentation/en-US/Red_Hat_
> Enterprise_Linux/7/html/Windows_Integration_Guide/
> trust-requirements.html#trust-req-ports
> 
> these port are required for trust. Is port 88 required to open from ipa
> client to AD?

Yes, in general the clients need to talk directly to the AD DC because
you do not want a man-in-the-middle during authentication.

For special environments it is possible to setup a KDC proxy, see
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/Configuring_a_Kerberos_5_Server.html#KKDCP
for details.

HTH

bye,
Sumit

> 
> 
> On Mon, Oct 10, 2016 at 5:23 AM, rajat gupta <rajat.linux at gmail.com> wrote:
> 
> > Hi,
> >
> > I am trying to setup the freeipa  Active Directory trust setup and i am
> > following
> > the http://www.freeipa.org/page/Active_Directory_trust_setup
> > documentation.
> >
> > I am able to login on freeipa Server with AD users.
> >
> > But when i am trying to login with some other IPA client machine I am not
> > able to to login with AD user.
> >
> > Required firewall port is opened between freeipa server to AD server and
> > freeipa server to freeipa clinets
> >
> > There is no firewall port is opened between from  freeipa client to AD
> > server.
> >
> > =================================================================
> > against addomain from ipaserver :-
> >
> > ipa01 ~]# KRB5_TRACE=/dev/stdout kinit rajat.g at AD.ADDOMAIN.COM
> > [24633] 1476069033.462976: Resolving unique ccache of type KEYRING
> > [24633] 1476069033.463027: Getting initial credentials for
> > rajat.g at AD.ADDOMAIN.COM
> > [24633] 1476069033.465229: Sending request (183 bytes) to AD.ADDOMAIN.COM
> > [24633] 1476069033.471891: Resolving hostname ad1.ad.addomain.com
> > [24633] 1476069033.474439: Sending initial UDP request to dgram
> > 192.168.20.100:88
> > [24633] 1476069033.487765: Received answer (212 bytes) from dgram
> > 192.168.20.100:88
> > [24633] 1476069033.488098: Response was not from master KDC
> > [24633] 1476069033.488136: Received error from KDC: -1765328359/Additional
> > pre-authentication required
> > [24633] 1476069033.488179: Processing preauth types: 16, 15, 19, 2
> > [24633] 1476069033.488192: Selected etype info: etype aes256-cts, salt
> > "AD.ADDOMAIN.COMRajat.Gupta", params ""
> > [24633] 1476069033.488215: PKINIT client has no configured identity;
> > giving up
> > [24633] 1476069033.488233: PKINIT client has no configured identity;
> > giving up
> > [24633] 1476069033.488242: Preauth module pkinit (16) (real) returned:
> > 22/Invalid argument
> > [24633] 1476069033.488250: PKINIT client has no configured identity;
> > giving up
> > [24633] 1476069033.488255: Preauth module pkinit (14) (real) returned:
> > 22/Invalid argument
> > Password for rajat.g at AD.ADDOMAIN.COM:
> >
> > this is working fine.
> > =================================================================
> >
> >
> > =================================================================
> > against addomain from ipaclinet :-
> >
> > *ipaclinet ~] #  KRB5_TRACE=/dev/stdout kinit  rajat.g at AD.ADDOMAIN.COM
> > <rajat.g at AD.ADDOMAIN.COM>[4133] 1476067599.43421: Getting initial
> > credentials for rajat.g at AD.ADDOMAIN.COM <http://AD.ADDOMAIN.COM>[4133]
> > 1476067599.43599: Sending request (183 bytes) to AD.ADDOMAIN.COM
> > <http://AD.ADDOMAIN.COM>*
> > *[4133] 1476067599.49544: Resolving hostname *
> > *ad1.ad.addomain.com <http://ad1.ad.addomain.com>.*
> > *[4133] 1476067599.53762: Sending initial UDP request to dgram
> > 192.168.20.100*
> >
> > NOT WORKING
> > =================================================================
> >
> > =================================================================
> > against ipdomain from ipaclinet
> >
> > # KRB5_TRACE=/dev/stdout kinit  admin at IPA.IPASERVER.LOCAL
> > [4914] 1476068067.763574: Getting initial credentials for
> > admin at IPA.IPASERVER.LOCAL
> > [4914] 1476068067.763889: Sending request (177 bytes) to
> > IPA.IPASERVER.LOCAL
> > [4914] 1476068067.764033: Initiating TCP connection to stream
> > 10.246.104.14:88
> > [4914] 1476068067.765089: Sending TCP request to stream 192.168.100.100:88
> > [4914] 1476068067.767593: Received answer (356 bytes) from stream
> > 192.168.100.100:88
> > [4914] 1476068067.767603: Terminating TCP connection to stream
> > 192.168.100.100:88
> > [4914] 1476068067.767661: Response was from master KDC
> > [4914] 1476068067.767685: Received error from KDC: -1765328359/Additional
> > pre-authentication required
> > [4914] 1476068067.767730: Processing preauth types: 136, 19, 2, 133
> > [4914] 1476068067.767742: Selected etype info: etype aes256-cts, salt
> > "k},(k&+qA)Mosf6z", params ""
> > [4914] 1476068067.767747: Received cookie: MIT
> > Password for admin at IPA.IPASERVER.LOCAL:
> >
> > this is working fine.
> > =================================================================
> >
> >
> > it looks for password-based authentication requests, the IPA clients
> > connect directly to the AD servers using Kerberos.
> >
> > then there is port firewall opening required  between ipaclinet and AD
> > Server as well. Is it required ? OR I am doing something wrong.
> >
> > /Rajat
> >
> >
> >
> >
> >
> >
> >
> >
> > --
> >
> > *Rajat Gupta *
> >
> 
> 
> 
> -- 
> 
> *Rajat Gupta *

> -- 
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

More information about the Freeipa-devel mailing list