On 2016-01-22 11:57, Alexander Bokovoy wrote:
> ----- Original Message -----
>> Hi all,
>>
>> I configured an IPA client using the FreeIPA 4.2 KDC Proxy with something like
>> this:
>>
>> ~
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> ~
>> [realms]
>> LINUX.EXAMPLE.COM = {
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>> http_anchors = FILE:/etc/ipa/ca.crt
>> kdc = https://ipa1.linux.example.com/KdcProxy
>> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
>> }
>>
>> Now, this seems to work well. I blocked port 88 towards all KDCs, used some
>> tcpdump and yes: only port 443 towards the IPA server is being used and
>> kinit will give me a TGT.
>>
>> However, I do have a trust to a Windows AD-server. I would expect something
>> like this:
>>
>> ipa-client cannot access the windows AD server
>> ipa-server however can
>> ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
>> IPA KDC-proxy
>>
>> Now, of course kinit winu...@windows.example.com will give:
>>
>> [root@ipa-client7 etc]# kinit winu...@windows.example.com
>> kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
>> credentials
>>
>> Adding something like this to krb5.conf won't work, still the same error
>> message:
>>
>> WINDOWS.BLABLA.BLA = {
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>> http_anchors = FILE:/etc/ipa/ca.crt
>> kdc = https://ipa1.linux.example.com/KdcProxy
>> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
>> }
>>
>>
>> Now, is it possible to use the IPA-server as a proxy for the trusted Windows
>> Domain? How...?
> You need to have WINDOWS.EXAMPLE.COM definition on the IPA client that points 
> to the KDC proxy
> _and_ WINDOWS.EXAMPLE.COM on IPA master should point to AD DCs.
> 
> The latter one should not use proxy but rather specify KDCs properly. 
> Alternatively you should have 
>  dns_lookup_kdc = true 

For FreeIPA, python-kdcproxy has DNS lookup disabled. It only reads
config items from /etc/krb5.conf.

# cat /etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = false

Christian



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
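The two replies above boil down to one rule: with use_dns = false, the proxy on the IPA master can only forward a realm that is defined in the master's own /etc/krb5.conf, and that definition must name the AD domain controllers, not the proxy itself. The following script is an added example (not part of the thread, of FreeIPA or of python-kdcproxy) that mimics that lookup with a minimal krb5.conf parser: it resolves WINDOWS.EXAMPLE.COM from a client config pointing at the proxy, reproduces the "Cannot find KDC for realm" failure when the master config lacks the realm, and checks that the master's entry points at real KDCs. The configs are constructed inline; the DC names dc1/dc2.windows.example.com are assumptions.

```python
"""Check how a KDC proxy with use_dns = false resolves a trusted realm.

Added example, not code from the thread or from python-kdcproxy. It
parses only the [libdefaults] and [realms] sections of krb5.conf, which
is enough to show why the AD realm must be defined twice: on the client
pointing at the proxy URL, on the IPA master pointing at the AD DCs.
"""
import re

# Constructed sample configs. Hostnames follow the thread; the AD DC
# names dc1/dc2.windows.example.com are assumptions.
CLIENT_KRB5_CONF = """
[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 LINUX.EXAMPLE.COM = {
  kdc = https://ipa1.linux.example.com/KdcProxy
  kpasswd_server = https://ipa1.linux.example.com/KdcProxy
 }
 WINDOWS.EXAMPLE.COM = {
  kdc = https://ipa1.linux.example.com/KdcProxy
  kpasswd_server = https://ipa1.linux.example.com/KdcProxy
 }
"""

# Master without the trusted realm: the proxy cannot forward for it.
MASTER_KRB5_CONF_BROKEN = """
[libdefaults]
 dns_lookup_kdc = false

[realms]
 LINUX.EXAMPLE.COM = {
  kdc = ipa1.linux.example.com:88
 }
"""

# Master with the trusted realm pointing at the AD DCs directly (port 88).
MASTER_KRB5_CONF_FIXED = MASTER_KRB5_CONF_BROKEN + """
 WINDOWS.EXAMPLE.COM = {
  kdc = dc1.windows.example.com:88
  kdc = dc2.windows.example.com:88
 }
"""


def parse_krb5_conf(text):
    """Return {section: {key: [values]}}; realm blocks nest one level deeper."""
    sections, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        m = re.fullmatch(r'\[(\w+)\]', line)
        if m:                                  # [libdefaults], [realms], ...
            section = sections.setdefault(m.group(1), {})
            realm = None
            continue
        m = re.fullmatch(r'(\S+)\s*=\s*\{', line)
        if m and section is not None:          # REALM = {
            realm = section.setdefault(m.group(1), {})
            continue
        if line == '}':
            realm = None
            continue
        m = re.fullmatch(r'(\S+)\s*=\s*(.+)', line)
        if m and section is not None:          # key = value (kdc may repeat)
            target = realm if realm is not None else section
            target.setdefault(m.group(1), []).append(m.group(2).strip())
    return sections


def resolve_kdcs(conf, realm):
    """Resolve a realm the way a use_dns = false proxy does: krb5.conf only."""
    kdcs = parse_krb5_conf(conf).get('realms', {}).get(realm, {}).get('kdc', [])
    if not kdcs:
        raise LookupError('Cannot find KDC for realm "%s"' % realm)
    return kdcs


def classify(kdc):
    """An https:// kdc entry is a KDC proxy URL; anything else is a direct KDC."""
    return 'proxy' if kdc.lower().startswith('https://') else 'direct'


def check_master(conf, realm):
    """On the IPA master the trusted realm must name real DCs, not a proxy."""
    kdcs = resolve_kdcs(conf, realm)
    loops = [k for k in kdcs if classify(k) == 'proxy']
    if loops:
        raise ValueError('master entry for %s points at a proxy: %s' % (realm, loops))
    return kdcs


def demo(realm='WINDOWS.EXAMPLE.COM'):
    """Run the three configs through the checks and collect the outcomes."""
    out = {'client': resolve_kdcs(CLIENT_KRB5_CONF, realm)}
    try:
        check_master(MASTER_KRB5_CONF_BROKEN, realm)
    except LookupError as err:
        out['master_broken'] = str(err)
    out['master_fixed'] = check_master(MASTER_KRB5_CONF_FIXED, realm)
    return out


if __name__ == '__main__':
    for name, result in demo().items():
        print(name, '->', result)
```

Run the script on a copy of the master's /etc/krb5.conf to see which realms the proxy can actually forward; a realm that resolves only via DNS on the master will fail here exactly as it does for the proxy.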
