On 2016-01-22 11:57, Alexander Bokovoy wrote:
> ----- Original Message -----
>> Hi all,
>>
>> I configured an IPA client using the FreeIPA 4.2 KDC Proxy something like
>> this:
>>
>> ~
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> ~
>> [realms]
>> LINUX.EXAMPLE.COM = {
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>> http_anchors = FILE:/etc/ipa/ca.crt
>> kdc = https://ipa1.linux.example.com/KdcProxy
>> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
>> }
>>
>> Now, this seems to work well. I blocked port 88 towards all KDCs, used some
>> tcpdump and yes: only port 443 towards the IPA server is being used and
>> kinit will give me a TGT.
>>
>> However, I do have a trust to a Windows AD server. I would expect something
>> like this:
>>
>> ipa-client cannot access the Windows AD server
>> ipa-server however can
>> ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
>> IPA KDC proxy
>>
>> Now, of course kinit winu...@windows.example.com will give:
>>
>> [root@ipa-client7 etc]# kinit winu...@windows.example.com
>> kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
>> credentials
>>
>> Adding something like this to krb5.conf won't work, still the same error
>> message:
>>
>> WINDOWS.BLABLA.BLA = {
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>> http_anchors = FILE:/etc/ipa/ca.crt
>> kdc = https://ipa1.linux.example.com/KdcProxy
>> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
>> }
>>
>>
>> Now, is it possible to use the IPA server as a proxy for the trusted Windows
>> domain? How...?
> You need to have a WINDOWS.EXAMPLE.COM definition on the IPA client that points
> to the KDC proxy
> _and_ WINDOWS.EXAMPLE.COM on the IPA master should point to AD DCs.
>
> The latter one should not use the proxy but rather specify KDCs properly.
> Alternatively you should have
> dns_lookup_kdc = true
For FreeIPA, python-kdcproxy has DNS lookup disabled. It only reads config items from /etc/krb5.conf.

# cat /etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = false

Christian
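The two replies above reduce to one rule: with use_dns = false, the proxy host can only forward requests for a realm whose kdc entries in its own /etc/krb5.conf name real KDCs (AD DCs), not another KdcProxy URL. The following check, written for this thread and not part of FreeIPA or python-kdcproxy, parses the [realms] section of a krb5.conf text and the use_dns setting of a kdcproxy.conf text and reports whether the proxy host could locate a KDC for a given realm. The sample configs and host names are constructed; treating a missing use_dns as disabled is an assumption.

```python
import re

# Constructed sample configs modelled on the thread (hypothetical hosts).
KDCPROXY_CONF = "[global]\nconfigs = mit\nuse_dns = false\n"
MASTER_KRB5 = """[realms]
WINDOWS.EXAMPLE.COM = {
  kdc = dc1.windows.example.com
  kdc = dc2.windows.example.com
}
"""

def parse_realms(krb5_conf):
    """Return {REALM: {key: [values]}} from the [realms] section of a krb5.conf text."""
    realms, section, realm = {}, None, None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # krb5.conf comments start the line
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].strip(), None
        elif section != "realms":
            continue
        elif realm is None:                     # expecting "REALM = {"
            m = re.match(r"([\w.\-]+)\s*=\s*\{$", line)
            if m:
                realm = m.group(1)
                realms.setdefault(realm, {})
        elif line == "}":
            realm = None
        elif "=" in line:                       # repeated keys (e.g. kdc) accumulate
            key, value = (s.strip() for s in line.split("=", 1))
            realms[realm].setdefault(key, []).append(value)
    return realms

def kdcproxy_uses_dns(kdcproxy_conf):
    """True if use_dns is enabled; a missing key is treated as off (assumption)."""
    m = re.search(r"^\s*use_dns\s*=\s*(\S+)", kdcproxy_conf, re.M)
    return bool(m) and m.group(1).lower() in ("true", "yes", "1")

def proxy_can_forward(realm, krb5_conf, kdcproxy_conf):
    """Say whether the proxy host itself could locate a KDC for REALM."""
    if kdcproxy_uses_dns(kdcproxy_conf):
        return True, "use_dns is on, SRV lookup possible"
    kdcs = parse_realms(krb5_conf).get(realm, {}).get("kdc", [])
    if not kdcs:
        return False, f"no kdc entries for {realm} in the proxy host's krb5.conf"
    if any(k.lower().startswith("http") for k in kdcs):
        return False, f"{realm} points at another KDC proxy instead of real KDCs"
    return True, ", ".join(kdcs)
```

Run it against the master's krb5.conf to confirm the trusted realm resolves to AD DCs; the client's copy of the realm is the one that should carry the https KdcProxy URL.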
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project