Hi all,

Just wanted to follow up on my recent findings regarding IPA - AD trust and Kerberos delegation, as we gave up on this and just lived with it not working.

In the end we ended up discovering that for Kerberos trust delegation to work, ldap/udp inbound HAS to be open on the IPA server!

----- On Sep 28, 2016, at 11:48 AM, Sumit Bose sb...@redhat.com wrote:

> On Wed, Sep 28, 2016 at 11:30:56AM +0200, Troels Hansen wrote:
>>
>> > Yes, this makes sense as well. If you are not in the forest root you
>> > first need a cross-realm TGT for your domain and the forest root. Then
>> > you need a cross-realm TGT for the forest root and the IPA domain.
>> >
>> > As a next step you should see a request to the IPA KDC to get the actual
>> > service ticket for the host in the IPA domain.
>>
>> Yes, this is the traffic that's never seen in the capture.
>> It seems Windows (PuTTY) never asks for a host ticket for the IPA host. I
>> receive the krbtgt for the IPA domain, but never see any traffic from the
>> Windows client to IPA, and thus never receive the host ticket on the
>> Windows client.
>
> Please check the other traffic on the client after receiving the
> cross-realm ticket for the IPA domain. Since the client gets the name of
> the IPA realm from the AD DC in the last response I would expect that it
> will try some DNS SRV lookups to find a KDC in the IPA realm.
>
> HTH
>
> bye,
> Sumit
>
>>
>> I'm not at all sure how Kerberos works in PuTTY, but it seems it uses its own
>> Kerberos libraries and that these fail.
>>
>> A Linux box not joined to IPA, just installed with Kerberos and using DNS config in
>> krb5.conf, can kinit in the NET domain and ssh to IPA using Kerberos just
>> fine,
>
>> so it seems the problem just relates to PuTTY.

--
Kind regards
Troels Hansen
System consultant
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57
Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
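The referral chain Sumit describes (child domain to forest root, forest root to IPA realm, then the host ticket from the IPA KDC) and the gap Troels saw in his capture, as an added example that is not part of the thread: a small Python checker that walks the expected TGS-REQ sequence over a list of observed requests and reports the first missing hop. The realm names, the two sample traces and the function names are constructed for illustration, not taken from the original capture.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TgsReq:
    """One TGS-REQ as read off a capture: which realm's KDC was asked, for which principal."""
    kdc_realm: str  # realm of the KDC that received the request
    sname: str      # requested service principal, e.g. "krbtgt/IPA.EXAMPLE" or "host/ipa1.ipa.example"


def expected_chain(client_realm, forest_root, ipa_realm, target_spn):
    """Referral path for a client in an AD child domain reaching an IPA host via a
    forest trust: cross-realm TGT to the forest root (skipped when the client already
    sits in the root), cross-realm TGT to the IPA realm, then the service ticket from IPA."""
    chain = []
    if client_realm != forest_root:
        chain.append(TgsReq(client_realm, f"krbtgt/{forest_root}"))
    chain.append(TgsReq(forest_root, f"krbtgt/{ipa_realm}"))
    chain.append(TgsReq(ipa_realm, target_spn))
    return chain


def check_chain(observed, client_realm, forest_root, ipa_realm, target_spn):
    """Walk the expected hops in order and return (ok, message) naming the first hop
    that never appears among the observed requests."""
    seen = {(r.kdc_realm.upper(), r.sname.upper()) for r in observed}
    for hop in expected_chain(client_realm, forest_root, ipa_realm, target_spn):
        if (hop.kdc_realm.upper(), hop.sname.upper()) in seen:
            continue
        if hop.kdc_realm == ipa_realm:
            # The symptom from the thread: both cross-realm TGTs were issued but no
            # request ever reached an IPA KDC, so KDC discovery (DNS SRV for the IPA
            # realm) or inbound reachability of the IPA server is what to look at.
            return False, (f"cross-realm TGT for {ipa_realm} obtained but no TGS-REQ for "
                           f"{target_spn} ever reached an IPA KDC; check KDC discovery and "
                           f"inbound firewall rules on the IPA server")
        return False, f"missing cross-realm step: {hop.sname} from KDC of {hop.kdc_realm}"
    return True, "full referral chain observed"


# Constructed realms and traces (not the thread's real capture).
CLIENT, ROOT, IPA = "NET.CORP.EXAMPLE", "CORP.EXAMPLE", "IPA.EXAMPLE"
SPN = "host/ipa1.ipa.example"
# The PuTTY capture pattern: the two cross-realm TGTs, then nothing towards IPA.
PUTTY_TRACE = [TgsReq(CLIENT, "krbtgt/CORP.EXAMPLE"), TgsReq(ROOT, "krbtgt/IPA.EXAMPLE")]
# The working Linux client pattern: the same two hops plus the host ticket from IPA.
LINUX_TRACE = PUTTY_TRACE + [TgsReq(IPA, SPN)]

if __name__ == "__main__":
    for name, trace in (("putty", PUTTY_TRACE), ("linux", LINUX_TRACE)):
        print(name, check_chain(trace, CLIENT, ROOT, IPA, SPN))
```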