<html>
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <font face="Carlito">Hi all,<br>
      <br>
      I configured an IPA client using the FreeIPA 4.2 KDC Proxy
      something like this:<br>
      <br>
      ~<br>
       dns_lookup_realm = false<br>
       dns_lookup_kdc = false<br>
      ~<br>
      [realms]<br>
       LINUX.EXAMPLE.COM = {<br>
        pkinit_anchors = FILE:/etc/ipa/ca.crt<br>
        http_anchors = FILE:/etc/ipa/ca.crt<br>
        kdc = https://ipa1.linux.example.com/KdcProxy<br>
        kpasswd_server = https://ipa1.linux.example.com/KdcProxy<br>
       }<br>
      <br>
      Now, this seems to work well: I blocked port 88 towards all KDCs,
      used some tcpdump and yes, only port 443 towards the IPA server is
      being used and kinit will give me a TGT.<br>
      <br>
      However, I do have a trust to a Windows AD-server. I would expect
      something like this:<br>
      <br>
      ipa-client cannot access the windows AD server<br>
      ipa-server however can<br>
      ipa-client will use ipa-server as a KDC proxy and will get a TGT
      through the IPA KDC-proxy<br>
      <br>
      Now, of course kinit winuser@WINDOWS.EXAMPLE.COM will give:<br>
      <br>
      [root@ipa-client7 etc]# kinit winuser@WINDOWS.EXAMPLE.COM<br>
      kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while
      getting initial credentials<br>
      <br>
      Adding something like this to krb5.conf won't work, still the same
      error message:<br>
      <br>
       WINDOWS.BLABLA.BLA = {<br>
        pkinit_anchors = FILE:/etc/ipa/ca.crt<br>
        http_anchors = FILE:/etc/ipa/ca.crt<br>
        kdc = https://ipa1.linux.example.com/KdcProxy<br>
        kpasswd_server = https://ipa1.linux.example.com/KdcProxy<br>
       }<br>
      <br>
      <br>
      Now, is it possible to use the IPA-server as a proxy for the
      trusted Windows Domain? How...?<br>
      <br>
      <br>
      Kind regards,<br>
      <br>
      Winny<br>
    </font>
  </body>
</html>