Re: [Freeipa-users] IPA KDC Proxy
On 2016-01-25 08:17, Winfried de Heiden wrote:
> Great,
>
> Changing
>
> /etc/ipa/kdcproxy/kdcproxy.conf
> [global]
> configs = mit
> use_dns = false
>
> to
>
> # cat /etc/ipa/kdcproxy/kdcproxy.conf
> [global]
> configs = mit
> use_dns = true
>
> along with adding the windows realm to krb5.conf on the clients did the
> trick; I am able to obtain an AD TGT ticket by using the KDC proxy
>
> Is there a special reason why "use_dns = false" was used in kdcproxy.conf?

The current implementation of the DNS configuration feature is slow and
reduces performance of KDC proxy requests. Every request has to fetch
multiple SRV records and then resolve each entry in each record again.
There is neither caching nor async DNS support, either. A co-worker has
written an RFC to address the problem. The RFC hasn't been approved yet.

https://tools.ietf.org/html/draft-mccallum-kitten-krb-service-discovery-00

Do you need dynamic configuration or can you get by with static
configuration in krb5.conf?

Christian

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA KDC Proxy
OK clear, many thanks!

Winny

On 25-01-16 at 09:45, Christian Heimes wrote:
> On 2016-01-25 08:17, Winfried de Heiden wrote:
>> Great,
>>
>> Changing
>>
>> /etc/ipa/kdcproxy/kdcproxy.conf
>> [global]
>> configs = mit
>> use_dns = false
>>
>> to
>>
>> # cat /etc/ipa/kdcproxy/kdcproxy.conf
>> [global]
>> configs = mit
>> use_dns = true
>>
>> along with adding the windows realm to krb5.conf on the clients did the
>> trick; I am able to obtain an AD TGT ticket by using the KDC proxy
>>
>> Is there a special reason why "use_dns = false" was used in kdcproxy.conf?
>
> The current implementation of the DNS configuration feature is slow and
> reduces performance of KDC proxy requests. Every request has to fetch
> multiple SRV records and then resolve each entry in each record again.
> There is neither caching nor async DNS support, either. A co-worker has
> written an RFC to address the problem. The RFC hasn't been approved yet.
>
> https://tools.ietf.org/html/draft-mccallum-kitten-krb-service-discovery-00
>
> Do you need dynamic configuration or can you get by with static
> configuration in krb5.conf?
>
> Christian
Re: [Freeipa-users] IPA KDC Proxy
"RHEL 6.x libkrb5 has no support for KDC proxy"

Too bad, I was afraid of that

Winny

On 25-01-16 at 08:36, Alexander Bokovoy wrote:
> RHEL 6.x libkrb5 has no support for KDC proxy
Re: [Freeipa-users] IPA KDC Proxy
----- Original Message -----
> Great,
>
> Changing
>
> /etc/ipa/kdcproxy/kdcproxy.conf
> [global]
> configs = mit
> use_dns = false
>
> to
>
> # cat /etc/ipa/kdcproxy/kdcproxy.conf
> [global]
> configs = mit
> use_dns = true
>
> along with adding the windows realm to krb5.conf on the clients did the
> trick; I am able to obtain an AD TGT ticket by using the KDC proxy
>
> Is there a special reason why "use_dns = false" was used in kdcproxy.conf?
Yes -- it allows you to explicitly control what gets proxied, with no surprises.

> Will this work on CentOS / RHEL 6 as well?
No. RHEL 6.x libkrb5 has no support for KDC proxy and it is non-trivial to
backport.

--
/ Alexander Bokovoy
Re: [Freeipa-users] IPA KDC Proxy
Great,

Changing

/etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = false

to

# cat /etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = true

along with adding the windows realm to krb5.conf on the clients did the
trick; I am able to obtain an AD TGT ticket by using the KDC proxy

Is there a special reason why "use_dns = false" was used in kdcproxy.conf?
Will this work on CentOS / RHEL 6 as well?

Winny

On 22-01-16 at 12:05, Christian Heimes wrote:
> On 2016-01-22 11:57, Alexander Bokovoy wrote:
>> ----- Original Message -----
>>> Hi all,
>>>
>>> I configured an IPA client using the FreeIPA 4.2 KDC Proxy something like
>>> this:
>>>
>>> ~
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = false
>>> ~
>>> [realms]
>>> LINUX.EXAMPLE.COM = {
>>>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>   http_anchors = FILE:/etc/ipa/ca.crt
>>>   kdc = https://ipa1.linux.example.com/KdcProxy
>>>   kpasswd_server = https://ipa1.linux.example.com/KdcProxy
>>> }
>>>
>>> Now, this seems to work well, I blocked port 88 towards all KDCs, used some
>>> tcpdump and yes: only port 443 towards the IPA server is being used and
>>> kinit will give me a TGT.
>>>
>>> However, I do have a trust to a Windows AD-server. I would expect something
>>> like this:
>>>
>>> ipa-client cannot access the windows AD server
>>> ipa-server however can
>>> ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
>>> IPA KDC-proxy
>>>
>>> Now, of course kinit winu...@windows.example.com will give:
>>>
>>> [root@ipa-client7 etc]# kinit winu...@windows.example.com
>>> kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
>>> credentials
>>>
>>> Adding something like this to krb5.conf won't work, still the same error
>>> message:
>>>
>>> WINDOWS.BLABLA.BLA = {
>>>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>   http_anchors = FILE:/etc/ipa/ca.crt
>>>   kdc = https://ipa1.linux.example.com/KdcProxy
>>>   kpasswd_server = https://ipa1.linux.example.com/KdcProxy
>>> }
>>>
>>> Now, is it possible to use the IPA-server as a proxy for the trusted Windows
>>> Domain? How...?
>> You need to have WINDOWS.EXAMPLE.COM definition on the IPA client that points
>> to the KDC proxy _and_ WINDOWS.EXAMPLE.COM on IPA master should point to AD DCs.
>>
>> The latter one should not use proxy but rather specify KDCs properly.
>> Alternatively you should have
>> dns_lookup_kdc = true
>
> For FreeIPA python-kdcproxy has DNS lookup disabled. It only reads config
> items from /etc/krb5.conf.
>
> # cat /etc/ipa/kdcproxy/kdcproxy.conf
> [global]
> configs = mit
> use_dns = false
>
> Christian
Re: [Freeipa-users] IPA KDC Proxy
----- Original Message -----
> Hi all,
>
> I configured an IPA client using the FreeIPA 4.2 KDC Proxy something like
> this:
>
> ~
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ~
> [realms]
> LINUX.EXAMPLE.COM = {
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>   http_anchors = FILE:/etc/ipa/ca.crt
>   kdc = https://ipa1.linux.example.com/KdcProxy
>   kpasswd_server = https://ipa1.linux.example.com/KdcProxy
> }
>
> Now, this seems to work well, I blocked port 88 towards all KDCs, used some
> tcpdump and yes: only port 443 towards the IPA server is being used and
> kinit will give me a TGT.
>
> However, I do have a trust to a Windows AD-server. I would expect something
> like this:
>
> ipa-client cannot access the windows AD server
> ipa-server however can
> ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
> IPA KDC-proxy
>
> Now, of course kinit winu...@windows.example.com will give:
>
> [root@ipa-client7 etc]# kinit winu...@windows.example.com
> kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
> credentials
>
> Adding something like this to krb5.conf won't work, still the same error
> message:
>
> WINDOWS.BLABLA.BLA = {
>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>   http_anchors = FILE:/etc/ipa/ca.crt
>   kdc = https://ipa1.linux.example.com/KdcProxy
>   kpasswd_server = https://ipa1.linux.example.com/KdcProxy
> }
>
>
> Now, is it possible to use the IPA-server as a proxy for the trusted Windows
> Domain? How...?
You need to have WINDOWS.EXAMPLE.COM definition on the IPA client that points
to the KDC proxy _and_ WINDOWS.EXAMPLE.COM on IPA master should point to AD DCs.

The latter one should not use proxy but rather specify KDCs properly.
Alternatively you should have
dns_lookup_kdc = true

--
/ Alexander Bokovoy
Re: [Freeipa-users] IPA KDC Proxy
On 2016-01-22 11:57, Alexander Bokovoy wrote:
> ----- Original Message -----
>> Hi all,
>>
>> I configured an IPA client using the FreeIPA 4.2 KDC Proxy something like
>> this:
>>
>> ~
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> ~
>> [realms]
>> LINUX.EXAMPLE.COM = {
>>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>>   http_anchors = FILE:/etc/ipa/ca.crt
>>   kdc = https://ipa1.linux.example.com/KdcProxy
>>   kpasswd_server = https://ipa1.linux.example.com/KdcProxy
>> }
>>
>> Now, this seems to work well, I blocked port 88 towards all KDCs, used some
>> tcpdump and yes: only port 443 towards the IPA server is being used and
>> kinit will give me a TGT.
>>
>> However, I do have a trust to a Windows AD-server. I would expect something
>> like this:
>>
>> ipa-client cannot access the windows AD server
>> ipa-server however can
>> ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
>> IPA KDC-proxy
>>
>> Now, of course kinit winu...@windows.example.com will give:
>>
>> [root@ipa-client7 etc]# kinit winu...@windows.example.com
>> kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
>> credentials
>>
>> Adding something like this to krb5.conf won't work, still the same error
>> message:
>>
>> WINDOWS.BLABLA.BLA = {
>>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>>   http_anchors = FILE:/etc/ipa/ca.crt
>>   kdc = https://ipa1.linux.example.com/KdcProxy
>>   kpasswd_server = https://ipa1.linux.example.com/KdcProxy
>> }
>>
>>
>> Now, is it possible to use the IPA-server as a proxy for the trusted Windows
>> Domain? How...?
> You need to have WINDOWS.EXAMPLE.COM definition on the IPA client that points
> to the KDC proxy _and_ WINDOWS.EXAMPLE.COM on IPA master should point to AD DCs.
>
> The latter one should not use proxy but rather specify KDCs properly.
> Alternatively you should have
> dns_lookup_kdc = true

For FreeIPA python-kdcproxy has DNS lookup disabled. It only reads config
items from /etc/krb5.conf.

# cat /etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = false

Christian
[Freeipa-users] IPA KDC Proxy
Hi all,

I configured an IPA client using the FreeIPA 4.2 KDC Proxy something like
this:

~
dns_lookup_realm = false
dns_lookup_kdc = false
~
[realms]
LINUX.EXAMPLE.COM = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  http_anchors = FILE:/etc/ipa/ca.crt
  kdc = https://ipa1.linux.example.com/KdcProxy
  kpasswd_server = https://ipa1.linux.example.com/KdcProxy
}

Now, this seems to work well, I blocked port 88 towards all KDCs, used some
tcpdump and yes: only port 443 towards the IPA server is being used and
kinit will give me a TGT.

However, I do have a trust to a Windows AD-server. I would expect something
like this:

ipa-client cannot access the windows AD server
ipa-server however can
ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
IPA KDC-proxy

Now, of course kinit winu...@windows.example.com will give:

[root@ipa-client7 etc]# kinit winu...@windows.example.com
kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
credentials

Adding something like this to krb5.conf won't work, still the same error
message:

WINDOWS.BLABLA.BLA = {
  pkinit_anchors = FILE:/etc/ipa/ca.crt
  http_anchors = FILE:/etc/ipa/ca.crt
  kdc = https://ipa1.linux.example.com/KdcProxy
  kpasswd_server = https://ipa1.linux.example.com/KdcProxy
}

Now, is it possible to use the IPA-server as a proxy for the trusted Windows
Domain? How...?

Kind regards,

Winny
Re: [Freeipa-users] IPA KDC Proxy
On 2016-01-22 11:25, Winfried de Heiden wrote:
> Now, is it possible to use the IPA-server as a proxy for the trusted
> Windows Domain? How...?

I haven't tried it yet but it should be possible. MS-KKDCP requests are
prefixed with the requested realm name. You have to configure the mapping
from realm name to KDC on the *server*, too. The KDC Proxy service uses
/etc/krb5.conf to map realms to servers. Please add a configuration for
[realms] WINDOWS.EXAMPLE.COM on the IPA server and restart Apache HTTPD.

The configuration on IPA server must use the Kerberos protocol over port 88
for KDC, 749 for kadmin and 464 for kpasswd. You can't use KDC Proxy here.

Christian
Re: [Freeipa-users] IPA KDC Proxy
On Fri, 22 Jan 2016, Christian Heimes wrote:
> On 2016-01-22 11:57, Alexander Bokovoy wrote:
>> ----- Original Message -----
>>> Hi all,
>>>
>>> I configured an IPA client using the FreeIPA 4.2 KDC Proxy something like
>>> this:
>>>
>>> ~
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = false
>>> ~
>>> [realms]
>>> LINUX.EXAMPLE.COM = {
>>>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>   http_anchors = FILE:/etc/ipa/ca.crt
>>>   kdc = https://ipa1.linux.example.com/KdcProxy
>>>   kpasswd_server = https://ipa1.linux.example.com/KdcProxy
>>> }
>>>
>>> Now, this seems to work well, I blocked port 88 towards all KDCs, used some
>>> tcpdump and yes: only port 443 towards the IPA server is being used and
>>> kinit will give me a TGT.
>>>
>>> However, I do have a trust to a Windows AD-server. I would expect something
>>> like this:
>>>
>>> ipa-client cannot access the windows AD server
>>> ipa-server however can
>>> ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
>>> IPA KDC-proxy
>>>
>>> Now, of course kinit winu...@windows.example.com will give:
>>>
>>> [root@ipa-client7 etc]# kinit winu...@windows.example.com
>>> kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
>>> credentials
>>>
>>> Adding something like this to krb5.conf won't work, still the same error
>>> message:
>>>
>>> WINDOWS.BLABLA.BLA = {
>>>   pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>   http_anchors = FILE:/etc/ipa/ca.crt
>>>   kdc = https://ipa1.linux.example.com/KdcProxy
>>>   kpasswd_server = https://ipa1.linux.example.com/KdcProxy
>>> }
>>>
>>> Now, is it possible to use the IPA-server as a proxy for the trusted Windows
>>> Domain? How...?
>> You need to have WINDOWS.EXAMPLE.COM definition on the IPA client that points
>> to the KDC proxy _and_ WINDOWS.EXAMPLE.COM on IPA master should point to AD DCs.
>>
>> The latter one should not use proxy but rather specify KDCs properly.
>> Alternatively you should have
>> dns_lookup_kdc = true
>
> For FreeIPA python-kdcproxy has DNS lookup disabled. It only reads config
> items from /etc/krb5.conf.
>
> # cat /etc/ipa/kdcproxy/kdcproxy.conf
> [global]
> configs = mit
> use_dns = false
Yes, either explicitly define realms that should be accessible via KDC Proxy
or enable use of DNS discovery. The latter might be needed if there are
multiple domains in AD forests and AD DCs change over time.

--
/ Alexander Bokovoy
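Worked example, added by the editor and not code from this thread, from FreeIPA or from python-kdcproxy, of the two-sided setup Christian and Alexander describe above: the client's MS-KKDCP message carries the target realm in its target-domain field, and the proxy host running with use_dns = false can only forward to a realm that its own /etc/krb5.conf [realms] section maps to Kerberos endpoints. The host names dc1/dc2.windows.example.com, the port numbers in the sample config and the placeholder AS-REQ bytes are assumptions; the DER encoder/decoder and the krb5.conf parser are minimal stand-ins written for this example, not the project's own code.

```python
# Added example, not code from this thread, FreeIPA or python-kdcproxy. The
# client wraps its KDC request in an MS-KKDCP KDC-PROXY-MESSAGE whose
# target-domain names the realm; the proxy host (use_dns = false) must map that
# realm to plain Kerberos endpoints in its own krb5.conf [realms]. Host names
# are assumptions and FAKE_AS_REQ is a constructed placeholder, not an AS-REQ.

def _der_tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _der_read(buf, pos):
    """Return (tag, value, position after the element) for the TLV at buf[pos:]."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

# KDC-PROXY-MESSAGE ::= SEQUENCE { kerb-message [0] OCTET STRING,
#   target-domain [1] KerberosString OPTIONAL, dclocator-hint [2] INTEGER OPTIONAL }
def encode_kkdcp(kerb_message, target_domain=None):
    framed = len(kerb_message).to_bytes(4, "big") + kerb_message  # TCP length prefix
    body = _der_tlv(0xA0, _der_tlv(0x04, framed))
    if target_domain is not None:  # KerberosString is a GeneralString, tag 0x1B
        body += _der_tlv(0xA1, _der_tlv(0x1B, target_domain.encode("ascii")))
    return _der_tlv(0x30, body)

def decode_kkdcp(blob):
    tag, seq, end = _der_read(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("not a KDC-PROXY-MESSAGE")
    msg, pos = {"kerb_message": None, "target_domain": None}, 0
    while pos < len(seq):
        ctag, cval, pos = _der_read(seq, pos)
        itag, ival, _ = _der_read(cval, 0)
        if (ctag, itag) == (0xA0, 0x04):
            if int.from_bytes(ival[:4], "big") != len(ival) - 4:
                raise ValueError("kerb-message length prefix does not match")
            msg["kerb_message"] = ival[4:]
        elif (ctag, itag) == (0xA1, 0x1B):
            msg["target_domain"] = ival.decode("ascii")
        elif ctag == 0xA2:
            pass  # dclocator-hint: not needed to pick the upstream realm
        else:
            raise ValueError("unexpected element 0x%02x/0x%02x" % (ctag, itag))
    if msg["kerb_message"] is None:
        raise ValueError("kerb-message is mandatory")
    return msg

def parse_realms(conf_text):
    """[realms] section of krb5.conf-style text -> {realm: {key: [values]}}."""
    realms, section, current = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, current = line[1:-1].lower(), None
        elif section != "realms":
            continue
        elif line.endswith("{"):  # realm names are case-sensitive, keep as written
            current = line[:-1].strip().rstrip("=").strip()
            realms[current] = {}
        elif line == "}":
            current = None
        elif current is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            realms[current].setdefault(key.lower(), []).append(value)
    return realms

def resolve_upstream(realms, target_domain, kind="kdc"):
    """Upstream for target-domain on the proxy host. LookupError: realm absent from
    its krb5.conf, so with use_dns = false nothing can be forwarded. ValueError:
    the entry is itself a KdcProxy URL instead of a Kerberos host:port."""
    try:
        entries = realms[target_domain][kind]
    except KeyError:
        raise LookupError("no %s for realm %r on the proxy host" % (kind, target_domain)) from None
    urls = [e for e in entries if e.lower().startswith(("http://", "https://"))]
    if urls:
        raise ValueError("proxy-side %s must be host:port over Kerberos, not %s" % (kind, urls))
    return entries

# Assumed krb5.conf on the IPA server: trusted realm -> AD DCs on port 88, no proxy URL.
PROXY_KRB5_CONF = """
[realms]
 WINDOWS.EXAMPLE.COM = {
  kdc = dc1.windows.example.com:88
  kdc = dc2.windows.example.com:88
  kpasswd_server = dc1.windows.example.com:464
 }
"""
FAKE_AS_REQ = b"\x6a\x03\x30\x01\x00"  # constructed placeholder, not a real DER AS-REQ

if __name__ == "__main__":
    msg = decode_kkdcp(encode_kkdcp(FAKE_AS_REQ, "WINDOWS.EXAMPLE.COM"))
    print(msg["target_domain"], resolve_upstream(parse_realms(PROXY_KRB5_CONF), msg["target_domain"]))
```

resolve_upstream raising LookupError is the proxy-side counterpart of the "Cannot find KDC for realm" failure in the original post: with use_dns = false the proxy has nowhere to send a realm that is not in its own [realms], however the client is configured. The ValueError guards against the mistake Christian warns about, pointing the IPA server's own entry at a KdcProxy URL instead of the AD DCs over port 88/464. Realm names are matched case-sensitively, as Kerberos does.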