[Freeipa-users] IPA KDC Proxy

Alexander Bokovoy abokovoy at redhat.com
Fri Jan 22 10:57:18 UTC 2016


----- Original Message -----
> Hi all,
> 
> I configured an IPA client using the FreeIPA 4.2 KDC Proxy something like
> this:
> 
> ~
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ~
> [realms]
> LINUX.EXAMPLE.COM = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> http_anchors = FILE:/etc/ipa/ca.crt
> kdc = https://ipa1.linux.example.com/KdcProxy
> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
> }
> 
> Now, this seems to work well, I blocked port 88 towards all KDCs, used some
> tcpdump and yes: only port 443 towards the IPA server is being used and
> kinit will give me a TGT.
> 
> However, I do have a trust to a Windows AD-server. I would expect something
> like this:
> 
> ipa-client cannot access the windows AD server
> ipa-server however can
> ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
> IPA KDC-proxy
> 
> Now, of course kinit winuser at WINDOWS.EXAMPLE.COM will give:
> 
> [root at ipa-client7 etc]# kinit winuser at WINDOWS.EXAMPLE.COM
> kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
> credentials
> 
> Adding something like this to krb5.conf won't work, still the same error
> message:
> 
> WINDOWS.BLABLA.BLA = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> http_anchors = FILE:/etc/ipa/ca.crt
> kdc = https://ipa1.linux.example.com/KdcProxy
> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
> }
> 
> 
> Now, is it possible to use the IPA-server as a proxy for the trusted Windows
> Domain? How...?
You need to have WINDOWS.EXAMPLE.COM definition on the IPA client that points to the KDC proxy
_and_ WINDOWS.EXAMPLE.COM on IPA master should point to AD DCs.

The latter one should not use proxy but rather specify KDCs properly. Alternatively you should have
dns_lookup_kdc = true

-- 
/ Alexander Bokovoy
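The two krb5.conf fragments the reply describes, written out as an added example (not configuration from the thread or from the FreeIPA project). The realm and host names are the ones used in the thread except for the AD domain controllers, `dc1.windows.example.com` and `dc2.windows.example.com`, which are assumed placeholders; the `[domain_realm]` mapping is also an assumption, added so that host-based principals in the AD domain resolve to the right realm.

```ini
# ---- /etc/krb5.conf on the IPA CLIENT (constructed example) ----
# The client cannot reach AD on port 88, so BOTH realms are sent to the
# KDC proxy on the IPA master over HTTPS. The trusted realm must be
# defined explicitly, otherwise kinit reports "Cannot find KDC for realm".
[libdefaults]
    default_realm = LINUX.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false

[realms]
    LINUX.EXAMPLE.COM = {
        pkinit_anchors = FILE:/etc/ipa/ca.crt
        http_anchors = FILE:/etc/ipa/ca.crt
        kdc = https://ipa1.linux.example.com/KdcProxy
        kpasswd_server = https://ipa1.linux.example.com/KdcProxy
    }
    WINDOWS.EXAMPLE.COM = {
        # http_anchors pins the proxy's TLS certificate to the IPA CA,
        # so a spoofed proxy cannot intercept the AS/TGS exchange.
        http_anchors = FILE:/etc/ipa/ca.crt
        kdc = https://ipa1.linux.example.com/KdcProxy
        kpasswd_server = https://ipa1.linux.example.com/KdcProxy
    }

[domain_realm]
    .windows.example.com = WINDOWS.EXAMPLE.COM
    windows.example.com = WINDOWS.EXAMPLE.COM

# ---- /etc/krb5.conf on the IPA MASTER running the proxy (constructed example) ----
# The proxy forwards a request for a realm to whatever KDC this host
# resolves for it, so the trusted realm must point at real AD DCs here,
# NOT back at the proxy (that would loop). DC hostnames are assumed.
[realms]
    WINDOWS.EXAMPLE.COM = {
        kdc = dc1.windows.example.com:88
        kdc = dc2.windows.example.com:88
        kpasswd_server = dc1.windows.example.com:464
    }

# Alternative for the master, as the reply notes: drop the explicit kdc
# lines above and let the master discover AD DCs via SRV records.
# [libdefaults]
#     dns_lookup_kdc = true
```

A quick way to confirm the split is working is the check the original poster already used: with port 88 blocked on the client, `kinit winuser@WINDOWS.EXAMPLE.COM` should succeed while tcpdump on the client shows only TCP 443 to `ipa1.linux.example.com`, and tcpdump on the master shows the onward port 88 traffic to the AD DCs.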