[Freeipa-users] dns_lookup_kdc question

Alexander Bokovoy abokovoy at redhat.com
Wed Sep 23 19:50:56 UTC 2015


On Wed, 23 Sep 2015, Aly Khimji wrote:
>Hey guys,
>
>Quick question. Just running through a poc and ran into a question.
>
>I have a simple AD DC (win2k8r2 box) with a trust setup to our IPA server.
>Trust and all is setup properly and I can see users on the client/ipa
>server and on the ipa server I can ssh into it with the AD user.
>
>I am finding that users are unable to log into the "client nodes" and are
>getting a "4: System Error" failure in the ssh log. When I dig into the
>sssd in debug mode I can see its failing to find KDC for the "realm". Makes
>sense so far. So I enable dns_lookup_kdc = true and now it is able to find
>the realm and login is successful.
Correct.


>My question is, is this "dns_lookup_kdc = true" required in any setup with
>AD/IPA trust + ssh into IPA client with AD users?
Yes, in currently released versions you have to have that in the
krb5.conf.

>I am wondering as there may be a use case where the AD server is in another
>network and IPA clients won't have direct access to AD. I was wondering if
>there is any model in which the client only ever talks to IPA server and
>all the AD/Kerberos communication is handled via the IPA server and if so how
>is this done?
Yes, there is a way to do so with FreeIPA 4.2, by using KDC proxy
functionality.

You can enable KDC proxy on IPA master and make sure to set manually on
each client a 'kdc' property for each AD realm to point to
https://ipa.master/KDCProxy. Then on the IPA master itself have an
explicit definition in krb5.conf for AD realms pointing to proper AD DCs
for the 'kdc' property.

With this setup you would have all Kerberos traffic (same can be done
with kadmin protocol too, I think) redirected via IPA masters to AD DCs.

You need to have fairly recent MIT Kerberos library for that, though.
RHEL7 should be OK. I haven't checked latest MIT krb5 backports in
RHEL6, though.

>I have read a bit and this looks as though what I am doing here is a
>"legacy" setup. Just wondering if this is different in sssd 1.9 or if kdc =
>True is always required.
>
>I am not doing anything extra on the client other than the ipa-client
>install.
>No manual adjustment of sssd.conf or krb5.conf. If I am missing something
>please advise.
ipa-client-install sets 'dns_lookup_kdc = true' by default if your DNS
discovery of KDC was successful and no '--force' option was specified.


-- 
/ Alexander Bokovoy
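As an added illustration of the KDC proxy layout described in the reply above (constructed here, not part of the original thread), these are the two krb5.conf fragments involved; the names ipa.master, AD.EXAMPLE.TEST and dc1/dc2.ad.example.test are placeholders:

```ini
# --- krb5.conf on each IPA client (constructed example, placeholder names) ---
# The client never reaches AD directly: the AD realm's 'kdc' points at the
# IPA master's KDC proxy URL, so all Kerberos traffic for that realm goes
# over HTTPS to the IPA master. Explicit 'kdc' entries take precedence over
# DNS SRV discovery, so dns_lookup_kdc does not override this route.
[realms]
 AD.EXAMPLE.TEST = {
  kdc = https://ipa.master/KDCProxy
 }

[domain_realm]
 .ad.example.test = AD.EXAMPLE.TEST
 ad.example.test = AD.EXAMPLE.TEST

# --- krb5.conf on the IPA master (constructed example, placeholder names) ---
# The proxy on the master forwards requests to the real AD domain
# controllers, which only the master needs network access to.
[realms]
 AD.EXAMPLE.TEST = {
  kdc = dc1.ad.example.test
  kdc = dc2.ad.example.test
 }
```

Whether the client library honours an https:// 'kdc' value depends on having the recent MIT Kerberos the reply mentions; on an older library the client-side fragment will simply fail to contact a KDC.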