[Freeipa-users] dns_lookup_kdc question

Aly Khimji aly.khimji at gmail.com
Wed Sep 23 20:22:32 UTC 2015


Excellent,

Thank you for the quick response.
I will look further into your suggestions

Aly


On Wed, Sep 23, 2015 at 3:50 PM, Alexander Bokovoy <abokovoy at redhat.com>
wrote:

> On Wed, 23 Sep 2015, Aly Khimji wrote:
>
>> Hey guys,
>>
>> Quick question. Just running through a poc and ran into a question.
>>
>> I have a simple AD DC (win2k8r2 box) with a trust setup to our IPA server.
>> Trust and all is setup properly and I can see users on the client/ipa
>> server and on the ipa server I can ssh into it with the AD user.
>>
>> I am finding that users are unable to log into the "client nodes" and are
>> getting a "4: System Error" failure in the ssh log. When I dig into the
>> sssd in debug mode I can see it's failing to find KDC for the "realm".
>> Makes sense so far. So I enable dns_lookup_kdc = true and now it is able to
>> find the realm and login is successful.
>>
> Correct.
>
>
>> My question is, is this "dns_lookup_kdc = true" required in any setup with
>> AD/IPA trust + ssh into IPA client with AD users?
>>
> Yes, in currently released versions you have to have that in the
> krb5.conf.
>
>> I am wondering as there may be a use case where the AD server is in another
>> network and IPA clients won't have direct access to AD. I was wondering if
>> there is any model in which the client only ever talks to IPA server and
>> all the AD/Kerberos communication is handled via the IPA server and if so
>> how is this done?
>>
> Yes, there is a way to do so with FreeIPA 4.2, by using KDC proxy
> functionality.
>
> You can enable KDC proxy on IPA master and make sure to set manually on
> each client a 'kdc' property for each AD realm to point to
> https://ipa.master/KDCProxy. Then on the IPA master itself have explicit
> define in krb5.conf for AD realms pointing to proper AD DCs for 'kdc'
> property.
> With this setup you would have all Kerberos traffic (same can be done
> with kadmin protocol too, I think) redirected via IPA masters to AD DCs.
>
> You need to have fairly recent MIT Kerberos library for that, though.
> RHEL7 should be OK. I haven't checked latest MIT krb5 backports in
> RHEL6, though.
>
>> I have read a bit and this looks as though what I am doing here is a
>> "legacy" setup. Just wondering if this is different in sssd 1.9 or if
>> kdc = True is always required.
>>
>> I am not doing anything extra on the client other than the ipa-client
>> install. No manual adjustment of sssd.conf or krb5.conf. If I am missing
>> something please advise.
>>
> ipa-client-install sets 'dns_lookup_kdc = true' by default if your DNS
> discovery of KDC was successful and no '--force' option was specified.
>
>
> --
> / Alexander Bokovoy
>
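The two-sided krb5.conf layout Alexander describes (clients point the AD realm's 'kdc' at the proxy on the IPA master; the master points the same realm at the real AD DCs), written out as an added illustration that is not part of this thread or of FreeIPA's own documentation. The realm names, hostnames and the second DC are placeholders; the proxy path is taken as given in the reply above and must match whatever path the IPA master actually serves. The block is two fragments for two different hosts, not one file:

```ini
# --- /etc/krb5.conf fragment on an IPA CLIENT that has no route to the AD DCs ---
# Placeholder names: IPA.EXAMPLE.TEST, AD.EXAMPLE.TEST, ipa.example.test
[libdefaults]
    default_realm = IPA.EXAMPLE.TEST
    # Keep DNS discovery on: it is still how the client finds the IPA realm's own KDCs.
    # A realm with an explicit 'kdc' line below is not looked up in DNS at all.
    dns_lookup_kdc = true
    dns_lookup_realm = false

[realms]
    # Every AD realm in the trust gets its own entry; with this, all Kerberos traffic
    # for AD.EXAMPLE.TEST leaves the client as HTTPS to the IPA master, not UDP/TCP 88 to AD.
    AD.EXAMPLE.TEST = {
        kdc = https://ipa.example.test/KDCProxy
    }

# --- /etc/krb5.conf fragment on the IPA MASTER that runs the KDC proxy ---
# Placeholder names: dc1.ad.example.test, dc2.ad.example.test
[realms]
    # The proxy resolves the realm it is asked about from the master's own krb5.conf,
    # so the master needs a direct, explicit 'kdc' list for each AD realm it forwards for.
    AD.EXAMPLE.TEST = {
        kdc = dc1.ad.example.test
        kdc = dc2.ad.example.test
    }
```

To confirm the client really is taking the proxied path rather than quietly falling back to DNS, run `KRB5_TRACE=/dev/stderr kinit someuser@AD.EXAMPLE.TEST` on the client: MIT krb5's trace output names the server each request is sent to, so an `https://` target for the AD realm (and no attempt to reach an AD DC on port 88) shows the override is in effect. If the realm name in `[realms]` differs in case or spelling from the realm the ticket request uses, the entry is ignored and the client goes back to DNS discovery, which is the failure mode to check first when the proxy appears to be bypassed.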