[Freeipa-users] freeipa client in DMZ

Andy Thompson Andy.Thompson at e-tcc.com
Tue Feb 2 14:51:55 UTC 2016


> -----Original Message-----
> From: Baird, Josh [mailto:jbaird at follett.com]
> Sent: Tuesday, February 2, 2016 9:13 AM
> To: Andy Thompson <Andy.Thompson at e-tcc.com>; freeipa-
> users at redhat.com
> Subject: RE: freeipa client in DMZ
> 
> I believe the sssd clients will need to communicate directly with your AD
> domain controllers, unfortunately.  I wish there was a clean way around this,
> since we have a ton of DCs in our HUB site, and I don't really want to poke
> holes in the firewall(s) for all of them.
> 
> Would someone from sssd/IPA mind chiming in here?  What exactly needs to
> be open?  What DNS record can we query to get the exact list of DCs that
> need to be available?  Is there a way to restrict the list of domain controllers
> that certain sssd clients need to communicate with (for scenarios like this)?
> 
> Thanks,
> 
> Josh
> 
> > -----Original Message-----
> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> > bounces at redhat.com] On Behalf Of Andy Thompson
> > Sent: Tuesday, February 02, 2016 9:04 AM
> > To: freeipa-users at redhat.com
> > Subject: [Freeipa-users] freeipa client in DMZ
> >
> > Are ports required to be open for a freeipa client in a DMZ to the AD
> > DCs for trusted users to login?  I've got everything open to the IPA
> > servers required and can lookup users and sudo rules and such but
> > trusted users are not able to login.
> >
> > Thanks
> >
> > -andy
> >
> >

Going through my firewall logs it appears Kerberos needs to be opened to the DCs at a minimum, although I dropped 464 in there as well.  Once I opened that up I was able to authenticate.

I'm not much of an AD guy so I don't know if there is a way to limit the servers accessed within AD.  In my environment I had to set up separate DNS servers for the AD domain due to the environment setup, so I could control it that way by removing DC records from that DNS environment.  My thought is that it relies on the _kerberos._tcp SRV records.

-andy
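The check Andy describes, as an added example that is not part of the thread: enumerate the domain controllers a DMZ client will discover through the `_kerberos._tcp` SRV record and test whether the two ports he saw in his firewall logs (Kerberos 88 and kpasswd 464) are reachable from the DMZ host. It assumes `dig` and `nc` are installed; the AD domain is taken from an `AD_DOMAIN` environment variable, and the hostnames in the embedded sample are constructed, not real.

```shell
#!/bin/sh
# Added example (not from the thread): list the AD domain controllers that a
# DMZ-hosted SSSD/IPA client will try to reach, and check whether the ports
# Andy observed in his firewall logs (Kerberos 88 and kpasswd 464) are open.
# Assumptions: dig(1) and nc(1) are installed; the AD domain name is supplied
# in the AD_DOMAIN environment variable; the hostnames below are constructed.

# Ports this example checks, per Andy's observation. LDAP (389/636) is not
# included because the thread only establishes 88 and 464.
KRB_PORTS="88 464"

# Extract "host port" pairs from the answer section of a dig SRV query.
# dig prints SRV answers as: <name> <ttl> IN SRV <prio> <weight> <port> <target>
# Reads dig output on stdin so it can be exercised offline with captured text.
parse_srv_targets() {
    awk '$4 == "SRV" { sub(/\.$/, "", $8); print $8, $7 }'
}

# Constructed sample of dig's answer section (fictional hosts) so the parser
# can be run without any network access.
SAMPLE_DIG_OUTPUT='_kerberos._tcp.ad.example.test. 600 IN SRV 0 100 88 dc1.ad.example.test.
_kerberos._tcp.ad.example.test. 600 IN SRV 0 100 88 dc2.ad.example.test.'

# Parse the constructed sample; used to validate parse_srv_targets offline.
parse_sample() {
    printf '%s\n' "$SAMPLE_DIG_OUTPUT" | parse_srv_targets
}

# Query the SRV record SSSD uses for KDC discovery and return the DC list.
dc_list() {
    dig +noall +answer SRV "_kerberos._tcp.$1" | parse_srv_targets
}

# Return 0 if a TCP connect to host:port succeeds within 3 seconds, else 1.
tcp_open() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# For every DC found via DNS, test 88 and 464 and print one line per result.
check_dcs() {
    dc_list "$1" | while read -r host srvport; do
        for port in $KRB_PORTS; do
            if tcp_open "$host" "$port"; then
                echo "OPEN    $host:$port"
            else
                echo "BLOCKED $host:$port   (firewall rule needed from DMZ to this DC)"
            fi
        done
    done
}

# Only hit the network when a domain is supplied, e.g.:
#   AD_DOMAIN=ad.example.test sh check_dcs.sh   (hypothetical domain/file name)
if [ -n "${AD_DOMAIN:-}" ]; then
    check_dcs "$AD_DOMAIN"
fi
```

Because the DC list comes from the same SRV record SSSD consults, the script reflects Andy's approach of controlling which DCs a DMZ client sees by controlling which records its DNS servers return: any host that appears in the output but is BLOCKED is one the client will still try to use.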



