[Freeipa-users] IPA KDC Proxy
Alexander Bokovoy
abokovoy at redhat.com
Fri Jan 22 10:57:18 UTC 2016
----- Original Message -----
> Hi all,
>
> I configured an IPA client using the FreeIPA 4.2 KDC Proxy, something like
> this:
>
> ~
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ~
> [realms]
> LINUX.EXAMPLE.COM = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> http_anchors = FILE:/etc/ipa/ca.crt
> kdc = https://ipa1.linux.example.com/KdcProxy
> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
> }
>
> Now, this seems to work well. I blocked port 88 towards all KDCs, used some
> tcpdump and yes: only port 443 towards the IPA server is being used and
> kinit will give me a TGT.
>
> However, I do have a trust to a Windows AD-server. I would expect something
> like this:
>
> ipa-client cannot access the windows AD server
> ipa-server however can
> ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
> IPA KDC-proxy
>
> Now, of course kinit winuser@WINDOWS.EXAMPLE.COM will give:
>
> [root@ipa-client7 etc]# kinit winuser@WINDOWS.EXAMPLE.COM
> kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
> credentials
>
> Adding something like this to krb5.conf won't work, still the same error
> message:
>
> WINDOWS.BLABLA.BLA = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> http_anchors = FILE:/etc/ipa/ca.crt
> kdc = https://ipa1.linux.example.com/KdcProxy
> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
> }
>
>
> Now, is it possible to use the IPA-server as a proxy for the trusted Windows
> Domain? How...?
You need to have a WINDOWS.EXAMPLE.COM definition on the IPA client that points to the KDC proxy
_and_ a WINDOWS.EXAMPLE.COM definition on the IPA master that points to the AD DCs.
The latter should not use the proxy but rather specify the KDCs properly. Alternatively you should have
dns_lookup_kdc = true
--
/ Alexander Bokovoy
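The two-sided configuration Alexander describes, written out as an added example (it is not from the thread or from the FreeIPA project). Realm and host names are taken from the thread; dc1.windows.example.com is an assumed AD domain controller name, and the kpasswd_server lines for the AD realm simply mirror the pattern the original poster already uses for LINUX.EXAMPLE.COM. Only the stanzas relevant to the question are shown for each file.

```ini
# Added example, not from the thread. Hostnames/realms come from the thread;
# dc1.windows.example.com is an assumed AD domain controller name.

# ---- /etc/krb5.conf on the IPA CLIENT (reaches only ipa1:443) ----
[libdefaults]
    default_realm = LINUX.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    LINUX.EXAMPLE.COM = {
        pkinit_anchors = FILE:/etc/ipa/ca.crt
        http_anchors = FILE:/etc/ipa/ca.crt
        kdc = https://ipa1.linux.example.com/KdcProxy
        kpasswd_server = https://ipa1.linux.example.com/KdcProxy
    }
    # Trusted AD realm: point it at the same proxy, so the client never
    # needs port 88/464 towards the AD DCs at all.
    WINDOWS.EXAMPLE.COM = {
        http_anchors = FILE:/etc/ipa/ca.crt
        kdc = https://ipa1.linux.example.com/KdcProxy
        kpasswd_server = https://ipa1.linux.example.com/KdcProxy
    }

# ---- /etc/krb5.conf on the IPA MASTER ipa1 (runs the KDC proxy) ----
# The proxy resolves the target realm's KDCs from this file, so the AD
# realm must resolve to the real DCs here, never back to the proxy URL.
[libdefaults]
    default_realm = LINUX.EXAMPLE.COM
    # Option A: locate AD DCs via _kerberos._tcp.windows.example.com SRV
    # records (requires that ipa1 can resolve the AD DNS domain).
    dns_lookup_kdc = true

[realms]
    # Option B: name the DCs explicitly (assumed hostname).
    WINDOWS.EXAMPLE.COM = {
        kdc = dc1.windows.example.com:88
        kpasswd_server = dc1.windows.example.com:464
    }
```

To check the path end to end, run `KRB5_TRACE=/dev/stderr kinit winuser@WINDOWS.EXAMPLE.COM` on the client: the trace should show an HTTPS request to ipa1.linux.example.com for realm WINDOWS.EXAMPLE.COM, and tcpdump on the client should again show only port 443. Two caveats: http_anchors must contain the CA that issued ipa1's HTTPS certificate (the IPA CA by default), otherwise the TLS leg to the proxy cannot be validated; and the master itself still needs ordinary Kerberos reachability (88 and, for password changes, 464) towards the AD DCs, since the proxy only relays what it can itself deliver.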