[Freeipa-users] freeipa client in DMZ

Sumit Bose sbose at redhat.com
Tue Feb 2 14:55:00 UTC 2016 

On Tue, Feb 02, 2016 at 02:12:58PM +0000, Baird, Josh wrote:
> I believe the sssd clients will need to communicate directly with your AD domain controllers, unfortunately.  I wish there was a clean way around this, since we have a ton of DC's in our HUB site, and I don't really want to poke holes in the firewall(s) for all of them.  
> 
> Would someone from sssd/IPA mind chiming in here?  What exactly needs to be open?  What DNS record can we query to get the exact list of DC's that need to be available?  Is there a way to restrict the list of domain controllers that certain sssd clients need to communicate with (for scenarios like this)?

The clients only need to communicate with AD during authentication and
only for password authentication. Since the authentication is Kerberos
based port 88 should be open and although typically it is sufficient for
Kerberos to use UDP in the AD case we need TCP as well because AD
Kerberos tickets are too large for UDP due to the PAC data in the
ticket. If you want to allow password changes you have to open port 749
as well.

For the trusted domain SSSD delegates everything including finding a
suitable KDC to libkrb5. If 'dns_lookup_kdc = true' and no realm
definition is available for the AD domain in /etc/krb5.conf libkrb5 will
do a SRV query for _kerberos._tcp.ad.domain (no sites or other AD
specific options).  If you want to restrict the AD servers the clients
want to talk and keep the holes in the firewall small I would suggest to
add the AD realms to /etc/krb5.conf which only contains the KDC the
clients should talk to.

HTH

bye,
Sumit

> 
> Thanks,
> 
> Josh
> 
> > -----Original Message-----
> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> > bounces at redhat.com] On Behalf Of Andy Thompson
> > Sent: Tuesday, February 02, 2016 9:04 AM
> > To: freeipa-users at redhat.com
> > Subject: [Freeipa-users] freeipa client in DMZ
> > 
> > Are ports required to be open for a freeipa client in a DMZ to the AD DCs for
> > trusted users to login?  I've got everything open to the IPA servers required
> > and can lookup users and sudo rules and such but trusted users are not able
> > to login.
> > 
> > Thanks
> > 
> > -andy
> > 
> > 
> > 
> > *** This communication may contain privileged and/or confidential
> > information. It is intended solely for the use of the addressee. If you are not
> > the intended recipient, you are strictly prohibited from disclosing, copying,
> > distributing or using any of this information. If you received this
> > communication in error, please contact the sender immediately and destroy
> > the material in its entirety, whether electronic or hard copy. ***
> > 
> > 
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

More information about the Freeipa-users mailing list