On Tue, May 05, 2015 at 09:14:52PM -0700, Nathan Peters wrote:
> From this link:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/active-directory-trust.html#comp-trust-krb
> 
> The diagram in that section shows the client communicating with FreeIPA and
> FreeIPA contacting AD.
> 
> So why are you saying the client authenticates with the AD DC directly?

If you want to look up user data like e.g. the UID or the home
directory, the IPA client will talk to the IPA server exclusively; if the
server does not know about the requested AD user it will try to get this
information from an AD DC.

For authentication this is different, because only the AD DC should know
the password of the user. Hence authentication and password changes as
well are done directly with the AD DC.

> 
> Also this page here :
> https://www.freeipa.org/page/Active_Directory_trust_setup
> 
> does not list having to add the AD domain in the krb5.conf.  Is that not
> necessary in the example because they are not using a different UPN for
> their users like we are?

Yes, it is because of the UPN in your case. As I said before, this
special entry in krb5.conf would not be needed anymore if the IPA KDC
supported the Kerberos client referrals for the trusted domains. Adding
the entry to krb5.conf is only a work-around here.

bye,
Sumit

> 
> -----Original Message----- From: Jakub Hrozek
> Sent: Tuesday, May 05, 2015 8:43 PM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Cannot find KDC for realm "MYDOMAIN.NET" - AD
> trust and UPN issues
> 
> On Tue, May 05, 2015 at 02:21:40PM -0700, nat...@nathanpeters.com wrote:
> >I'm a little confused by that.
> >
> >If I add the AD dc, will my client try to contact AD directly to get a
> >ticket?
> >
> >Doesn't it have to do get the ticket through FreeIPA by proxy somehow?
> 
> No, authentication is always performed against an AD DC directly.
> 
> >
> >And to confirm what you meant by add the AD dc and realm, it would be like
> >this ?
> >
> >SUB.ADDOMAIN.NET = {
> > kdc = dc1.addomain.net:88
> >}
> >
> >I don't need the master_kdc, admin_server, default_domain entries?
> 
> With a recent version of libkrb5 I don't think you need to set
> master_kdc, libkrb5 should be able to follow referrals itself.
> admin_server, if unset, defaults to KDC. default_domain doesn't need to
> be set either.
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

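For readers following the thread, here is a minimal /etc/krb5.conf that shows where the work-around stanza Jakub and Sumit describe goes. This is an added example, not a file from the thread or from the FreeIPA project; the IPA realm (IPA.EXAMPLE.TEST), its server name (ipa.example.test) and the AD names (SUB.ADDOMAIN.NET, dc1.addomain.net) are placeholders you would replace with your own. As stated in the thread, the AD realm needs only the kdc line; master_kdc, admin_server and default_domain are left out on purpose.

```ini
# Added example (not from the thread). Placeholder names throughout.

[libdefaults]
  default_realm = IPA.EXAMPLE.TEST
  # Locate KDCs through DNS SRV records where they exist; the explicit
  # [realms] entry below is the fallback for the trusted AD realm.
  dns_lookup_kdc = true

[realms]
  # The IPA realm, as ipa-client-install would normally write it.
  IPA.EXAMPLE.TEST = {
    kdc = ipa.example.test:88
    admin_server = ipa.example.test:749
  }

  # Work-around from the thread: point the trusted AD realm at a DC so
  # the client can obtain tickets for AD users whose UPN suffix differs
  # from the AD realm. Only "kdc" is required here.
  SUB.ADDOMAIN.NET = {
    kdc = dc1.addomain.net:88
  }

[domain_realm]
  # Standard host-to-realm mapping for the IPA domain.
  .example.test = IPA.EXAMPLE.TEST
  example.test = IPA.EXAMPLE.TEST
```

To confirm the stanza is picked up, run kinit for an AD user (for example kinit someuser@SUB.ADDOMAIN.NET) and then klist; the "Cannot find KDC for realm" error from the subject line should be gone and klist should show a TGT issued by the AD realm. Keep in mind that, per Sumit's reply, this stanza is a work-around: once the IPA KDC supports client referrals for trusted domains it can be removed again.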