> -----Original Message-----
> From: Baird, Josh [mailto:jba...@follett.com]
> Sent: Tuesday, February 2, 2016 9:13 AM
> To: Andy Thompson <andy.thomp...@e-tcc.com>; freeipa-
> us...@redhat.com
> Subject: RE: freeipa client in DMZ
> 
> I believe the sssd clients will need to communicate directly with your AD
> domain controllers, unfortunately.  I wish there was a clean way around this,
> since we have a ton of DCs in our HUB site, and I don't really want to poke
> holes in the firewall(s) for all of them.
> 
> Would someone from sssd/IPA mind chiming in here?  What exactly needs to
> be open?  What DNS record can we query to get the exact list of DCs that
> need to be available?  Is there a way to restrict the list of domain
> controllers that certain sssd clients need to communicate with (for
> scenarios like this)?
> 
> Thanks,
> 
> Josh
> 
> > -----Original Message-----
> > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> > boun...@redhat.com] On Behalf Of Andy Thompson
> > Sent: Tuesday, February 02, 2016 9:04 AM
> > To: freeipa-users@redhat.com
> > Subject: [Freeipa-users] freeipa client in DMZ
> >
> > Are ports required to be open for a freeipa client in a DMZ to the AD
> > DCs for trusted users to login?  I've got everything open to the IPA
> > servers required and can lookup users and sudo rules and such but
> > trusted users are not able to login.
> >
> > Thanks
> >
> > -andy
> >
> >

Going through my firewall logs it appears Kerberos needs to be opened to the DCs
at a minimum, although I dropped 464 in there as well.  Once I opened that up I
was able to authenticate.

I'm not much of an AD guy, so I don't know if there is a way to limit the
servers accessed within AD.  In my environment I had to set up separate DNS
servers for the AD domain due to the environment setup, so I could control it
that way by removing DC records from that DNS environment.  My thought is that
it relies on the _kerberos._tcp SRV records.

-andy
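The two questions in the thread (which DCs a DMZ client will try to reach, and whether the Kerberos ports to them are actually open) can be answered from the client itself. The script below is an added example, not something posted in the thread or shipped with FreeIPA or sssd: it enumerates the domain controllers that sssd would discover from the _kerberos._tcp SRV record of the AD domain, orders them the way an SRV-aware client would (priority ascending, weight descending), and then probes Kerberos (88/tcp) and kpasswd (464/tcp) on each. The domain name is a placeholder you pass as the first argument; the probe uses bash's /dev/tcp and coreutils timeout, which are assumed to be present. Records for the _udp variants and for _kpasswd._tcp exist as well in AD DNS; this script deliberately checks only the TCP ports the thread identified as sufficient for login.

```shell
#!/bin/bash
# Added example (not from the mailing-list thread): list the AD domain
# controllers a DMZ sssd client will discover via SRV records and check
# whether the Kerberos and kpasswd ports to them are reachable.
# Usage: ./dc-ports.sh ad.example.com    (domain name is a placeholder)

# Parse `dig +short SRV` output ("prio weight port target.") from stdin and
# print "target port" lines in client selection order: lowest priority first,
# then highest weight first. The trailing dot on the target is stripped.
parse_srv() {
    awk 'NF == 4 { sub(/\.$/, "", $4); print $1, $2, $4, $3 }' \
        | sort -k1,1n -k2,2nr \
        | awk '{ print $3, $4 }'
}

# Query the _kerberos._tcp SRV record for the given domain (needs network).
lookup_kerberos_srv() {
    dig +short SRV "_kerberos._tcp.$1" | parse_srv
}

# Probe one TCP port with a 3-second timeout; prints "open" or "closed".
# Any failure to connect (filtered, refused, unresolvable) counts as closed,
# which is what matters when deciding what the firewall must permit.
check_port() {
    if timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null; then
        echo open
    else
        echo closed
    fi
}

# Ports a client needs to the DCs: 88 for authentication (tickets),
# 464 for password changes (kpasswd).
PORTS="88 464"

# For every distinct DC returned by the SRV lookup, report each port's state.
report_dc_ports() {
    lookup_kerberos_srv "$1" | awk '{ print $1 }' | sort -u | while read -r dc; do
        for port in $PORTS; do
            printf '%s %s %s\n' "$dc" "$port" "$(check_port "$dc" "$port")"
        done
    done
}

# Only run the live lookup when a domain was given on the command line.
if [ -n "${1:-}" ]; then
    report_dc_ports "$1"
fi
```

Any DC that shows up as "closed" on port 88 is one the client may still pick from the SRV answer and fail against, so the list printed here is the list the firewall rule (or the trimmed DNS zone Andy describes) has to cover.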

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project