<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Carlito">Great,<br>
<br>
Changing<br>
<br>
/etc/ipa/kdcproxy/kdcproxy.conf<br>
[global]<br>
configs = mit<br>
use_dns = false<br>
<br>
to<br>
<br>
# cat /etc/ipa/kdcproxy/kdcproxy.conf<br>
[global]<br>
configs = mit<br>
use_dns = true<br>
<br>
along with adding the Windows realm to krb5.conf on the clients
did the trick; I am able to obtain an AD TGT ticket by using the
KDC proxy<br>
<br>
Is there a special reason why "use_dns = false" was used in
kdcproxy.conf?<br>
<br>
Will this work on CentOS/RHEL 6 as well?<br>
<br>
Winny<br>
</font><br>
<div class="moz-cite-prefix">On 22-01-16 at 12:05, Christian Heimes wrote:<br>
</div>
<blockquote cite="mid:56A20D14.8050800@redhat.com" type="cite">
<pre wrap="">On 2016-01-22 11:57, Alexander Bokovoy wrote:
</pre>
<blockquote type="cite">
<pre wrap="">----- Original Message -----
</pre>
<blockquote type="cite">
<pre wrap="">Hi all,
I configured an IPA client using the FreeIPA 4.2 KDC Proxy something like
this:
~
dns_lookup_realm = false
dns_lookup_kdc = false
~
[realms]
LINUX.EXAMPLE.COM = {
pkinit_anchors = <a class="moz-txt-link-freetext" href="FILE:/etc/ipa/ca.crt">FILE:/etc/ipa/ca.crt</a>
http_anchors = <a class="moz-txt-link-freetext" href="FILE:/etc/ipa/ca.crt">FILE:/etc/ipa/ca.crt</a>
kdc = <a class="moz-txt-link-freetext" href="https://ipa1.linux.example.com/KdcProxy">https://ipa1.linux.example.com/KdcProxy</a>
kpasswd_server = <a class="moz-txt-link-freetext" href="https://ipa1.linux.example.com/KdcProxy">https://ipa1.linux.example.com/KdcProxy</a>
}
Now, this seems to work well, I blocked port 88 towards all KDCs, used some
tcpdump and yes: only port 443 towards the IPA server is being used and
kinit will give me a TGT.
However, I do have a trust to a Windows AD-server. I would expect something
like this:
ipa-client cannot access the windows AD server
ipa-server however can
ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
IPA KDC-proxy
Now, of course kinit <a class="moz-txt-link-abbreviated" href="mailto:winuser@WINDOWS.EXAMPLE.COM">winuser@WINDOWS.EXAMPLE.COM</a> will give:
[root@ipa-client7 etc]# kinit <a class="moz-txt-link-abbreviated" href="mailto:winuser@WINDOWS.EXAMPLE.COM">winuser@WINDOWS.EXAMPLE.COM</a>
kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
credentials
Adding something like this to krb5.conf won't work, still the same error
message:
WINDOWS.BLABLA.BLA = {
pkinit_anchors = <a class="moz-txt-link-freetext" href="FILE:/etc/ipa/ca.crt">FILE:/etc/ipa/ca.crt</a>
http_anchors = <a class="moz-txt-link-freetext" href="FILE:/etc/ipa/ca.crt">FILE:/etc/ipa/ca.crt</a>
kdc = <a class="moz-txt-link-freetext" href="https://ipa1.linux.example.com/KdcProxy">https://ipa1.linux.example.com/KdcProxy</a>
kpasswd_server = <a class="moz-txt-link-freetext" href="https://ipa1.linux.example.com/KdcProxy">https://ipa1.linux.example.com/KdcProxy</a>
}
Now, is it possible to use the IPA-server as a proxy for the trusted Windows
Domain? How...?
</pre>
</blockquote>
<pre wrap="">You need to have WINDOWS.EXAMPLE.COM definition on the IPA client that points to the KDC proxy
_and_ WINDOWS.EXAMPLE.COM on IPA master should point to AD DCs.
The latter one should not use proxy but rather specify KDCs properly. Alternatively you should have
dns_lookup_kdc = true
</pre>
</blockquote>
<pre wrap="">
For FreeIPA, python-kdcproxy has DNS lookup disabled. It only reads
config items from /etc/krb5.conf.
# cat /etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = false
Christian
</pre>
</blockquote>
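<p>The thread boils down to two configuration facts: the client's realm entry must point at the https KDC proxy URL, and the proxy itself (with configs = mit and use_dns = false) can only forward to realms whose KDCs are listed in the IPA master's /etc/krb5.conf, unless use_dns = true lets it fall back to DNS. The following checker is an added example written for this page; it is not code from the thread, from FreeIPA or from python-kdcproxy. It parses the krb5.conf/kdcproxy.conf syntax and, for every client realm routed through the proxy, reports whether the proxy can resolve it under those rules. The file contents are constructed sample input, and the rule set is a simplified model of the behaviour the thread describes, not a reimplementation of python-kdcproxy's own lookup logic.</p>

```python
"""Added example (not code from the thread or from FreeIPA/python-kdcproxy).
Simplified model of the rules stated in the thread:
  * a client realm goes through the proxy when its kdc entries are https URLs;
  * with use_dns = false the proxy only knows realms whose real KDCs are
    listed in the master's /etc/krb5.conf (configs = mit);
  * with use_dns = true the proxy may also locate KDCs via DNS.
All file contents below are constructed sample input."""
import re

# Constructed client /etc/krb5.conf: both realms are sent through the proxy.
SAMPLE_CLIENT_KRB5 = """\
[libdefaults]
  dns_lookup_realm = false
  dns_lookup_kdc = false
[realms]
  LINUX.EXAMPLE.COM = {
    kdc = https://ipa1.linux.example.com/KdcProxy
    kpasswd_server = https://ipa1.linux.example.com/KdcProxy
  }
  WINDOWS.EXAMPLE.COM = {
    kdc = https://ipa1.linux.example.com/KdcProxy
  }
"""
# Constructed master /etc/krb5.conf: no entry for the AD realm (the failing case).
SAMPLE_MASTER_KRB5 = """\
[realms]
  LINUX.EXAMPLE.COM = {
    kdc = ipa1.linux.example.com:88
  }
"""
KDCPROXY_NO_DNS = "[global]\nconfigs = mit\nuse_dns = false\n"
KDCPROXY_DNS = "[global]\nconfigs = mit\nuse_dns = true\n"

_SECTION = re.compile(r'\[(\S+)\]')
_BLOCK_OPEN = re.compile(r'(\S+)\s*=\s*\{')
_KEY_VALUE = re.compile(r'(\S+)\s*=\s*(.*)')
_PROXY_URL = re.compile(r'https://', re.IGNORECASE)


def parse_krb5_conf(text):
    """Parse the INI-like krb5.conf syntax into {section: {key: [values]}},
    with NAME = { ... } sub-blocks (as used in [realms]) nested one level deeper.
    Repeated keys such as several kdc = lines are collected in order."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and whitespace
        if not line or line.startswith(';'):
            continue
        if m := _SECTION.fullmatch(line):
            section = conf.setdefault(m.group(1), {})
            block = None
        elif section is None:
            raise ValueError(f'key outside any section: {raw!r}')
        elif line == '}':
            block = None
        elif m := _BLOCK_OPEN.fullmatch(line):
            block = section.setdefault(m.group(1), {})
        elif m := _KEY_VALUE.fullmatch(line):
            target = block if block is not None else section
            target.setdefault(m.group(1), []).append(m.group(2).strip())
        else:
            raise ValueError(f'cannot parse line: {raw!r}')
    return conf


def routed_via_proxy(realm_block):
    """True when every kdc entry of a client realm block is a KDC proxy URL."""
    kdcs = realm_block.get('kdc', [])
    return bool(kdcs) and all(_PROXY_URL.match(k) for k in kdcs)


def check_proxied_realms(client_conf, master_conf, kdcproxy_conf):
    """Map each client realm that goes through the proxy to a verdict:
    'ok-static'    the master's krb5.conf lists real KDCs for the realm
    'ok-dns'       no static KDCs, but use_dns = true lets the proxy use DNS
    'unresolvable' neither; the client will see 'Cannot find KDC for realm'."""
    use_dns = kdcproxy_conf.get('global', {}).get('use_dns', ['false'])[-1]
    use_dns = use_dns.lower() == 'true'
    master_realms = master_conf.get('realms', {})
    verdicts = {}
    for realm, block in client_conf.get('realms', {}).items():
        if not routed_via_proxy(block):
            continue                      # client reaches these KDCs directly
        master_kdcs = master_realms.get(realm, {}).get('kdc', [])
        if master_kdcs and not any(_PROXY_URL.match(k) for k in master_kdcs):
            verdicts[realm] = 'ok-static'
        elif use_dns:
            verdicts[realm] = 'ok-dns'
        else:
            verdicts[realm] = 'unresolvable'
    return verdicts


if __name__ == '__main__':
    client = parse_krb5_conf(SAMPLE_CLIENT_KRB5)
    master = parse_krb5_conf(SAMPLE_MASTER_KRB5)
    for label, proxy_text in (('use_dns = false', KDCPROXY_NO_DNS),
                              ('use_dns = true', KDCPROXY_DNS)):
        print(label, check_proxied_realms(client, master, parse_krb5_conf(proxy_text)))
```

<p>With the constructed files, the AD realm comes back as unresolvable while use_dns = false, which is the symptom in the original post, and as ok-dns once use_dns = true is set; adding a WINDOWS.EXAMPLE.COM block with real AD DCs to the master's krb5.conf would make it ok-static instead, which is the alternative Alexander describes.</p>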
<br>
</body>
</html>