On Wed, 23 Sep 2015, Aly Khimji wrote:
> Hey guys,
>
> Quick question. Just running through a PoC and ran into a question.
>
> I have a simple AD DC (win2k8r2 box) with a trust set up to our IPA server.
> The trust and all is set up properly and I can see users on the client/ipa
> server, and on the ipa server I can ssh into it with the AD user.
>
> I am finding that users are unable to log into the "client nodes" and are
> getting a "4: System Error" failure in the ssh log. When I dig into
> sssd in debug mode I can see it's failing to find a KDC for the "realm". Makes
> sense so far. So I enable dns_lookup_kdc = true and now it is able to find
> the realm and login is successful.
>
> My question is, is this "dns_lookup_kdc = true" required in any setup with
> AD/IPA trust + ssh into IPA client with AD users?

Yes, in currently released versions you have to have that in the

> I am wondering as there may be a use case where the AD server is in another
> network and IPA clients won't have direct access to AD. I was wondering if
> there is any model in which the client only ever talks to the IPA server and
> all the AD/Kerberos communication is handled via the IPA server and if so how
> is this done?

Yes, there is a way to do so with FreeIPA 4.2, by using KDC proxy.

You can enable KDC proxy on IPA master and make sure to set manually on
each client a 'kdc' property for each AD realm to point to
https://ipa.master/KDCProxy. Then on the IPA master itself have an explicit
definition in krb5.conf for AD realms pointing to the proper AD DCs for 'kdc'.
With this setup you would have all Kerberos traffic (same can be done
with kadmin protocol too, I think) redirected via IPA masters to AD DCs.

You need to have a fairly recent MIT Kerberos library for that, though.
RHEL7 should be OK. I haven't checked latest MIT krb5 backports in
RHEL6, though.

> I have read a bit and this looks as though what I am doing here is a
> "legacy" setup. Just wondering if this is different in sssd 1.9 or if kdc =
> True is always required.
>
> I am not doing anything extra on the client other than the ipa-client
> No manual adjustment of sssd.conf or krb5.conf. If I am missing something
> please advise.

ipa-client-install sets 'dns_lookup_kdc = true' by default if your DNS
discovery of KDC was successful and no '--force' option was specified.

/ Alexander Bokovoy
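The two krb5.conf pieces of the KDC proxy arrangement described above, written out as an added illustration that is not part of the thread. The realm AD.EXAMPLE.COM, the DC ad-dc1.ad.example.com and the master ipa.example.com are assumed placeholder names.

```ini
# Added example, not from the mailing-list thread.
# Assumed placeholders: AD realm AD.EXAMPLE.COM, AD DC ad-dc1.ad.example.com,
# IPA master ipa.example.com.

# ---- /etc/krb5.conf on each IPA client (no direct route to AD) ----
[realms]
  AD.EXAMPLE.COM = {
    # MS-KKDCP: Kerberos wrapped in HTTPS and relayed by the IPA master.
    # An explicit kdc entry means the client does no DNS SRV discovery
    # for this realm and never has to reach an AD DC itself.
    kdc = https://ipa.example.com/KDCProxy
    kpasswd_server = https://ipa.example.com/KDCProxy
    # CA that signed the master's HTTPS certificate; ipa-client-install
    # stores the IPA CA at this path. Only needed if the system trust
    # store does not already contain it.
    http_anchors = FILE:/etc/ipa/ca.crt
  }

# ---- /etc/krb5.conf on the IPA master (the only host that talks to AD) ----
[realms]
  AD.EXAMPLE.COM = {
    # The proxy forwards client requests to the DCs listed here, so this
    # is the one place that must resolve and reach the AD side directly.
    kdc = ad-dc1.ad.example.com:88
    kpasswd_server = ad-dc1.ad.example.com:464
  }
```

Restricting AD-bound ports 88 and 464 to the IPA masters at the firewall then gives an easy check that no client has fallen back to talking to the DCs directly.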