On Mon, 28 Nov 2016, Troels Hansen wrote:
Hi all

Just wanted to follow up on my recent findings in regards to IPA - AD
trust and Kerberos delegations, as we gave up on this and just lived
with it not working.

In the end we ended up discovering that for Kerberos trust delegation
to work, incoming LDAP/UDP HAS to be open on the IPA server!
Correct, this is the so-called CLDAP protocol (connectionless LDAP,
389/UDP), which is key to DC resolution for AD domains.

This requirement is documented in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#trust-req-ports

----- On Sep 28, 2016, at 11:48 AM, Sumit Bose sb...@redhat.com wrote:

On Wed, Sep 28, 2016 at 11:30:56AM +0200, Troels Hansen wrote:

> Yes, this makes sense as well. If you are not in the forest root you
> first need a cross-realm TGT for your domain and the forest root. Then
> you need a cross-realm TGT for the forest root and the IPA domain.
>
> As a next step you should see a request to the IPA KDC to get the actual
> service ticket for the host in the IPA domain.

Yes, this is the traffic that's never seen in the capture.
It seems Windows (PuTTY) never asks for a host ticket for the IPA host. I
receive the krbtgt for the IPA domain, but never see any traffic from the
Windows client to IPA, and thus never receive the host ticket on the Windows
client.

Please check the other traffic on the client after receiving the
cross-realm ticket for the IPA domain. Since the client gets the name of
the IPA realm from the AD DC in the last response, I would expect that it
will try some DNS SRV lookups to find a KDC in the IPA realm.

HTH

bye,
Sumit


I'm not at all sure how Kerberos works in PuTTY, but it seems it uses its own
Kerberos libraries and that these fail.

A Linux host not joined to IPA, just installed with Kerberos and using DNS config in
krb5.conf, can kinit in the NET domain and ssh to IPA using Kerberos just fine,
so it seems the problem just relates to PuTTY.

--
Kind regards

Troels Hansen

System consultant

Casalogic A/S

T (+45) 70 20 10 63

M (+45) 22 43 71 57

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and
much more.

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

--
/ Alexander Bokovoy
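As an added illustration of the CLDAP DC-discovery traffic Alexander refers to above (example code written for this page, not from the thread, FreeIPA or Samba): the script below builds the Netlogon "LDAP ping" SearchRequest that a domain member sends to 389/UDP during DC location, and can send it to a server to confirm that the firewall actually passes the port. The DC host name, the domain name and the NtVer flag value 0x06 (NETLOGON_NT_VERSION_5 | NETLOGON_NT_VERSION_5EX) are assumptions.

```python
import socket
import struct
from typing import Optional


def ber(tag: int, payload: bytes) -> bytes:
    """Wrap payload in one BER TLV with a definite (short or long form) length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def ber_int(value: int) -> bytes:
    # Minimal two's-complement INTEGER; values used here are small and non-negative.
    return ber(0x02, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def ber_str(value: bytes) -> bytes:
    return ber(0x04, value)  # OCTET STRING


def equality(attr: str, value: bytes) -> bytes:
    # Filter equalityMatch is context tag [3], constructed: AttributeValueAssertion
    return ber(0xA3, ber_str(attr.encode()) + ber_str(value))


def cldap_ping_request(dns_domain: str, message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, SearchRequest (&(DnsDomain=...)(NtVer=...)) attrs=Netlogon }."""
    ntver = struct.pack("<I", 0x00000006)  # assumed: V5 | V5EX, little-endian as on the wire
    filt = ber(0xA0, equality("DnsDomain", dns_domain.encode()) + equality("NtVer", ntver))
    search = ber(0x63,                       # [APPLICATION 3] SearchRequest
                 ber_str(b"")                # baseObject: empty DN (RootDSE)
                 + ber(0x0A, b"\x00")        # scope: baseObject
                 + ber(0x0A, b"\x00")        # derefAliases: neverDerefAliases
                 + ber_int(0)                # sizeLimit
                 + ber_int(0)                # timeLimit
                 + ber(0x01, b"\x00")        # typesOnly: FALSE
                 + filt
                 + ber(0x30, ber_str(b"Netlogon")))  # attributes: only "Netlogon"
    return ber(0x30, ber_int(message_id) + search)


def ldap_ping(dc: str, dns_domain: str, timeout: float = 2.0) -> Optional[bytes]:
    """Send one CLDAP ping to dc:389/UDP; raw reply bytes, or None if nothing came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(cldap_ping_request(dns_domain), (dc, 389))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None  # no answer: port blocked, or the host does not speak CLDAP
    return data
```

A `None` from `ldap_ping("ipa.example.test", "ipa.example.test")` run from the AD side is the symptom the thread describes; a reply (a NETLOGON_SAM_LOGON_RESPONSE_EX in the Netlogon attribute) means 389/UDP is reachable.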
