On Mon, Oct 10, 2016 at 09:43:24AM +0200, rajat gupta wrote:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#trust-req-ports
>
> these ports are required for trust. Is port 88 required to open from ipa
> client to AD?
Yes, in general the clients need to talk directly to the AD DC because you do
not want a man-in-the-middle during authentication. For special environments
it is possible to set up a KDC proxy, see
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/Configuring_a_Kerberos_5_Server.html#KKDCP
for details.

HTH

bye,
Sumit

> On Mon, Oct 10, 2016 at 5:23 AM, rajat gupta <rajat.li...@gmail.com> wrote:
>
> > Hi,
> >
> > I am trying to set up the freeipa Active Directory trust setup and I am
> > following the http://www.freeipa.org/page/Active_Directory_trust_setup
> > documentation.
> >
> > I am able to login on freeipa Server with AD users.
> >
> > But when I am trying to login from some other IPA client machine I am not
> > able to login with AD user.
> >
> > Required firewall ports are opened between freeipa server and AD server and
> > between freeipa server and freeipa clients.
> >
> > There is no firewall port opened from freeipa client to AD server.
> >
> > =================================================================
> > against addomain from ipaserver :-
> >
> > ipa01 ~]# KRB5_TRACE=/dev/stdout kinit raja...@ad.addomain.com
> > [24633] 1476069033.462976: Resolving unique ccache of type KEYRING
> > [24633] 1476069033.463027: Getting initial credentials for raja...@ad.addomain.com
> > [24633] 1476069033.465229: Sending request (183 bytes) to AD.ADDOMAIN.COM
> > [24633] 1476069033.471891: Resolving hostname ad1.ad.addomain.com
> > [24633] 1476069033.474439: Sending initial UDP request to dgram 192.168.20.100:88
> > [24633] 1476069033.487765: Received answer (212 bytes) from dgram 192.168.20.100:88
> > [24633] 1476069033.488098: Response was not from master KDC
> > [24633] 1476069033.488136: Received error from KDC: -1765328359/Additional pre-authentication required
> > [24633] 1476069033.488179: Processing preauth types: 16, 15, 19, 2
> > [24633] 1476069033.488192: Selected etype info: etype aes256-cts, salt "AD.ADDOMAIN.COMRajat.Gupta", params ""
> > [24633] 1476069033.488215: PKINIT client has no configured identity; giving up
> > [24633] 1476069033.488233: PKINIT client has no configured identity; giving up
> > [24633] 1476069033.488242: Preauth module pkinit (16) (real) returned: 22/Invalid argument
> > [24633] 1476069033.488250: PKINIT client has no configured identity; giving up
> > [24633] 1476069033.488255: Preauth module pkinit (14) (real) returned: 22/Invalid argument
> > Password for raja...@ad.addomain.com:
> >
> > this is working fine.
> > =================================================================
> >
> >
> > =================================================================
> > against addomain from ipaclinet :-
> >
> > ipaclinet ~] # KRB5_TRACE=/dev/stdout kinit raja...@ad.addomain.com
> > [4133] 1476067599.43421: Getting initial credentials for raja...@ad.addomain.com
> > [4133] 1476067599.43599: Sending request (183 bytes) to AD.ADDOMAIN.COM
> > [4133] 1476067599.49544: Resolving hostname ad1.ad.addomain.com.
> > [4133] 1476067599.53762: Sending initial UDP request to dgram 192.168.20.100
> >
> > NOT WORKING
> > =================================================================
> >
> > =================================================================
> > against ipadomain from ipaclinet
> >
> > # KRB5_TRACE=/dev/stdout kinit admin@IPA.IPASERVER.LOCAL
> > [4914] 1476068067.763574: Getting initial credentials for admin@IPA.IPASERVER.LOCAL
> > [4914] 1476068067.763889: Sending request (177 bytes) to IPA.IPASERVER.LOCAL
> > [4914] 1476068067.764033: Initiating TCP connection to stream 10.246.104.14:88
> > [4914] 1476068067.765089: Sending TCP request to stream 192.168.100.100:88
> > [4914] 1476068067.767593: Received answer (356 bytes) from stream 192.168.100.100:88
> > [4914] 1476068067.767603: Terminating TCP connection to stream 192.168.100.100:88
> > [4914] 1476068067.767661: Response was from master KDC
> > [4914] 1476068067.767685: Received error from KDC: -1765328359/Additional pre-authentication required
> > [4914] 1476068067.767730: Processing preauth types: 136, 19, 2, 133
> > [4914] 1476068067.767742: Selected etype info: etype aes256-cts, salt "k},(k&+qA)Mosf6z", params ""
> > [4914] 1476068067.767747: Received cookie: MIT
> > Password for admin@IPA.IPASERVER.LOCAL:
> >
> > this is working fine.
> > =================================================================
> >
> >
> > it looks like for password-based authentication requests, the IPA clients
> > connect directly to the AD servers using Kerberos.
> >
> > then a firewall port opening is required between ipaclinet and AD
> > Server as well. Is it required? OR am I doing something wrong?
> >
> > /Rajat
> >
> > --
> > Rajat Gupta
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
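A small triage script for the KRB5_TRACE output quoted in this thread (added example, not code from the thread or from FreeIPA): per realm it pairs every "Sending ... request" endpoint with a "Received answer" line and lists the KDCs that never replied, which is exactly what the client-side trace above shows and the first thing to check against the firewall path to the AD DC. The embedded trace lines are constructed, abbreviated versions of the quoted ones with a placeholder principal.

```python
"""Triage KRB5_TRACE output: which KDC endpoints did the client send to and never hear back from?
Added example, not from the thread or FreeIPA. Sample traces below are constructed, abbreviated
versions of the ones quoted in the thread; the user principal is a placeholder."""
import re
import sys

REALM_RE = re.compile(r"Sending request \(\d+ bytes\) to (\S+)")  # start of an exchange
SEND_RE = re.compile(r"Sending (?:initial |retry )?(?:UDP|TCP) request to (?:dgram|stream) (\S+)")
RECV_RE = re.compile(r"Received answer \(\d+ bytes\) from (?:dgram|stream) (\S+)")

# Constructed: from the IPA server the AD DC answers; from the IPA client it stays silent.
TRACE_SERVER_TO_AD = """\
[24633] 1476069033.465229: Sending request (183 bytes) to AD.ADDOMAIN.COM
[24633] 1476069033.474439: Sending initial UDP request to dgram 192.168.20.100:88
[24633] 1476069033.487765: Received answer (212 bytes) from dgram 192.168.20.100:88
[24633] 1476069033.488136: Received error from KDC: -1765328359/Additional pre-authentication required
"""
TRACE_CLIENT_TO_AD = """\
[4133] 1476067599.43421: Getting initial credentials for user@AD.ADDOMAIN.COM
[4133] 1476067599.43599: Sending request (183 bytes) to AD.ADDOMAIN.COM
[4133] 1476067599.53762: Sending initial UDP request to dgram 192.168.20.100:88
[4133] 1476067600.53810: Sending retry UDP request to dgram 192.168.20.100:88
"""

def analyse_trace(text):
    """Per realm: endpoints the client sent to, and endpoints that sent an answer back."""
    realms, current = {}, None
    for line in text.splitlines():
        m = REALM_RE.search(line)
        if m:  # new exchange: later send/receive lines belong to this realm
            current = realms.setdefault(m.group(1), {"sent": set(), "answered": set()})
            continue
        m = SEND_RE.search(line)
        if m and current is not None:
            current["sent"].add(m.group(1))
        m = RECV_RE.search(line)
        if m and current is not None:
            current["answered"].add(m.group(1))
    return realms

def unanswered_kdcs(text):
    """Sorted (realm, endpoint) pairs tried without any reply: check reachability of that KDC port first."""
    return sorted((realm, ep) for realm, r in analyse_trace(text).items()
                  for ep in r["sent"] - r["answered"])

if __name__ == "__main__":  # e.g. KRB5_TRACE=/tmp/k.trace kinit user@REALM; python3 triage.py /tmp/k.trace
    trace = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    for realm, ep in unanswered_kdcs(trace):
        print(f"no answer from {ep} for realm {realm}: verify that port is open from this host")
```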