Hi all,

I configured an IPA client using the FreeIPA 4.2 KDC Proxy, something like this:

    ~
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ~
    [realms]
    LINUX.EXAMPLE.COM = {
        pkinit_anchors = FILE:/etc/ipa/ca.crt
        http_anchors = FILE:/etc/ipa/ca.crt
        kdc = https://ipa1.linux.example.com/KdcProxy
        kpasswd_server = https://ipa1.linux.example.com/KdcProxy
    }

Now, this seems to work well. I blocked port 88 towards all KDCs, used some tcpdump and yes: only port 443 towards the IPA server is being used and kinit will give me a TGT.

However, I do have a trust to a Windows AD server. I would expect something like this:

- ipa-client cannot access the Windows AD server
- ipa-server however can
- ipa-client will use ipa-server as a KDC proxy and will get a TGT through the IPA KDC proxy

Now, of course kinit [email protected] will give:

    [root@ipa-client7 etc]# kinit [email protected]
    kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial credentials

Adding something like this to krb5.conf won't work, still the same error message:

    WINDOWS.BLABLA.BLA = {
        pkinit_anchors = FILE:/etc/ipa/ca.crt
        http_anchors = FILE:/etc/ipa/ca.crt
        kdc = https://ipa1.linux.example.com/KdcProxy
        kpasswd_server = https://ipa1.linux.example.com/KdcProxy
    }

Now, is it possible to use the IPA server as a proxy for the trusted Windows domain? How...?

Kind regards,
Winny
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
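
An added example, not part of the original post: a small Python check that reads a krb5.conf and reports, per realm, whether a client would reach a KDC only through an HTTPS KDC proxy, would fall back to DNS SRV lookup, or has no way to locate a KDC (the "Cannot find KDC for realm" case quoted above). The names `parse_krb5` and `kdc_route` are hypothetical, the sample file is constructed from the fragment in the post, and the lookup model is simplified: it assumes realm `kdc` entries first, then DNS only if `dns_lookup_kdc` is enabled, and ignores locator plugins.

```python
import re

# Constructed sample modelled on the krb5.conf fragment in the post above.
SAMPLE = """\
[libdefaults]
  dns_lookup_realm = false
  dns_lookup_kdc = false
[realms]
  LINUX.EXAMPLE.COM = {
    http_anchors = FILE:/etc/ipa/ca.crt
    kdc = https://ipa1.linux.example.com/KdcProxy
    kpasswd_server = https://ipa1.linux.example.com/KdcProxy
  }
"""

def parse_krb5(text):
    """Parse sections, key = value and one level of { }; repeated keys become lists."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            block = None
        elif "=" in line and section is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":
                block = section.setdefault(key, {})
            else:
                (block if block is not None else section).setdefault(key, []).append(val)
    return conf

def kdc_route(conf, realm):
    """Return (method, kdc_list) describing how a client would locate a KDC for realm."""
    kdcs = conf.get("realms", {}).get(realm, {}).get("kdc", [])
    if kdcs:
        proxied = all(k.lower().startswith("https://") for k in kdcs)
        return ("https-proxy" if proxied else "direct-or-mixed", kdcs)
    # dns_lookup_kdc defaults to true when it is not set.
    dns = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0].lower()
    if dns in ("true", "yes", "on", "1"):
        return ("dns-srv", [])
    return ("unlocatable", [])  # kinit reports: Cannot find KDC for realm

if __name__ == "__main__":
    for realm in ("LINUX.EXAMPLE.COM", "WINDOWS.EXAMPLE.COM"):
        print(realm, *kdc_route(parse_krb5(SAMPLE), realm))
```

The realm name is matched exactly as written in `[realms]`, so a block under a different name does not apply to the realm in the principal passed to kinit.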
