[Freeipa-users] freeipa client in DMZ
Andy Thompson
Andy.Thompson at e-tcc.com
Tue Feb 2 14:51:55 UTC 2016
> -----Original Message-----
> From: Baird, Josh [mailto:jbaird at follett.com]
> Sent: Tuesday, February 2, 2016 9:13 AM
> To: Andy Thompson <Andy.Thompson at e-tcc.com>; freeipa-users at redhat.com
> Subject: RE: freeipa client in DMZ
>
> I believe the sssd clients will need to communicate directly with your AD
> domain controllers, unfortunately. I wish there was a clean way around this,
> since we have a ton of DCs in our HUB site, and I don't really want to poke
> holes in the firewall(s) for all of them.
>
> Would someone from sssd/IPA mind chiming in here? What exactly needs to
> be open? What DNS record can we query to get the exact list of DCs that
> need to be available? Is there a way to restrict the list of domain controllers
> that certain sssd clients need to communicate with (for scenarios like this)?
>
> Thanks,
>
> Josh
>
> > -----Original Message-----
> > From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> > bounces at redhat.com] On Behalf Of Andy Thompson
> > Sent: Tuesday, February 02, 2016 9:04 AM
> > To: freeipa-users at redhat.com
> > Subject: [Freeipa-users] freeipa client in DMZ
> >
> > Are ports required to be open for a freeipa client in a DMZ to the AD
> > DCs for trusted users to log in? I've got everything open to the IPA
> > servers that is required and can look up users and sudo rules and such, but
> > trusted users are not able to log in.
> >
> > Thanks
> >
> > -andy
> >
> >
Going through my firewall logs it appears Kerberos needs to be opened to the DCs at a minimum, although I dropped 464 in there as well. Once I opened that up I was able to authenticate.

I'm not much of an AD guy, so I don't know if there is a way to limit the servers accessed within AD. In my environment I had to set up separate DNS servers for the AD domain due to the environment setup, so I could control it that way by removing DC records from that DNS environment. My thought is that it relies on the _kerberos._tcp SRV records.
-andy
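As an added example (not part of the thread), a small POSIX shell script that does the check Andy describes: resolve the `_kerberos._tcp` SRV records for the AD domain, then probe port 88 and 464 on each DC from the DMZ host so you can see which DCs the firewall rules actually need to cover. The domain name, and the availability of `dig` and `nc`, are assumptions.

```shell
#!/bin/sh
# Constructed example, not from the thread: enumerate the AD domain controllers
# that a DMZ client will try to reach for Kerberos, and test the firewall path.
# Assumes dig(1) and nc(1) are installed; the AD domain name is an assumption.

# parse_srv: read "priority weight port target." lines (dig +short SRV output)
# on stdin and print "target port" pairs, lowest priority / highest weight first.
parse_srv() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $2, $4, $3 }' |
    sort -k1,1n -k2,2nr |
    awk '{ print $3, $4 }'
}

# kdc_srv_name: the SRV record name used to locate a realm's KDCs.
kdc_srv_name() {
    printf '_kerberos._tcp.%s\n' "$1"
}

# check_tcp: succeed if host:port accepts a TCP connection within 3 seconds.
check_tcp() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# check_dcs: resolve the SRV records for a domain and probe the advertised
# Kerberos port (normally 88) plus 464 (kpasswd, the second port mentioned in
# the thread) on every DC. Output is one OPEN/BLOCKED line per host:port.
check_dcs() {
    domain="$1"
    dig +short SRV "$(kdc_srv_name "$domain")" | parse_srv |
    while read -r host port; do
        for p in "$port" 464; do
            if check_tcp "$host" "$p"; then
                printf 'OPEN    %s:%s\n' "$host" "$p"
            else
                printf 'BLOCKED %s:%s\n' "$host" "$p"
            fi
        done
    done
}

# Only probe the network when a domain is given, e.g.: sh check_dcs.sh ad.example.test
if [ $# -gt 0 ]; then
    check_dcs "$1"
fi
```

Run it with the DNS servers the DMZ client actually uses; if those are the restricted ones Andy describes, the list it prints is exactly the set of DCs the firewall must allow.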