Re: [Freeipa-users] IPA KDC Proxy
On 2016-01-25 08:17, Winfried de Heiden wrote: > Great, > > Changing > > /etc/ipa/kdcproxy/kdcproxy.conf > [global] > configs = mit > use_dns = false > > to > > # cat /etc/ipa/kdcproxy/kdcproxy.conf > [global] > configs = mit > use_dns = true > > along with adding the windows realm to krb5.conf on the clients did the > trick; I am able to obtain aan AD TGT ticket by using the KDC proxy > > Is there a special reason why "use_dns = false" was used in kdcproxy.conf? The current implementation of the DNS configuration feature is slow and reduce performance of KDC proxy requests. Every request has to fetch multiple SRV records and then resolve each entry in each record again. There is neither caching nor async DNS support, too. A co-worker has written a RFC to address the problem. The RFC hasn't been approved yet. https://tools.ietf.org/html/draft-mccallum-kitten-krb-service-discovery-00 Do you need dynamic configuration or can you get by with static configuration in krb5.conf? Christian signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA KDC Proxy
OK clear, many thanks! Winny Op 25-01-16 om 09:45 schreef Christian Heimes: On 2016-01-25 08:17, Winfried de Heiden wrote: Great, Changing /etc/ipa/kdcproxy/kdcproxy.conf [global] configs = mit use_dns = false to # cat /etc/ipa/kdcproxy/kdcproxy.conf [global] configs = mit use_dns = true along with adding the windows realm to krb5.conf on the clients did the trick; I am able to obtain aan AD TGT ticket by using the KDC proxy Is there a special reason why "use_dns = false" was used in kdcproxy.conf? The current implementation of the DNS configuration feature is slow and reduce performance of KDC proxy requests. Every request has to fetch multiple SRV records and then resolve each entry in each record again. There is neither caching nor async DNS support, too. A co-worker has written a RFC to address the problem. The RFC hasn't been approved yet. https://tools.ietf.org/html/draft-mccallum-kitten-krb-service-discovery-00 Do you need dynamic configuration or can you get by with static configuration in krb5.conf? Christian -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA KDC Proxy
"RHEL 6.x libkrb5 has no support for KDC proxy" Too bad, I was afraid for that Winny Op 25-01-16 om 08:36 schreef Alexander Bokovoy: HEL 6.x libkrb5 has no support for KDC proxy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA KDC Proxy
- Original Message - > Great, > > Changing > > /etc/ipa/kdcproxy/kdcproxy.conf > [global] > configs = mit > use_dns = false > > to > > # cat /etc/ipa/kdcproxy/kdcproxy.conf > [global] > configs = mit > use_dns = true > > along with adding the windows realm to krb5.conf on the clients did the > trick; I am able to obtain aan AD TGT ticket by using the KDC proxy > > Is there a special reason why "use_dns = false" was used in kdcproxy.conf? Yes -- it allows to explicitly control what gets proxied, with no surprises. > Will this work on CentosOS /RHEL 6 as well? No. RHEL 6.x libkrb5 has no support for KDC proxy and it is non-trivial to backport. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA KDC Proxy
Great,
Changing
/etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = false
to
# cat /etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = true
along with adding the windows realm to krb5.conf on the clients
did the trick; I am able to obtain aan AD TGT ticket by using the
KDC proxy
Is there a special reason why "use_dns = false" was used in
kdcproxy.conf?
Will this work on CentosOS /RHEL 6 as well?
Winny
Op 22-01-16 om 12:05 schreef Christian
Heimes:
On 2016-01-22 11:57, Alexander Bokovoy wrote:
- Original Message -
Hi all,
I configured an IPA client using de FreeIPA 4.2 KDC Proxy something like
this:
~
dns_lookup_realm = false
dns_lookup_kdc = false
~
[realms]
LINUX.EXAMPLE.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
http_anchors = FILE:/etc/ipa/ca.crt
kdc = https://ipa1.linux.example.com/KdcProxy
kpasswd_server = https://ipa1.linux.example.com/KdcProxy
}
Now, this seems to work well, I blocked port 88 towards als KDC's, used some
tcpdump and yes: only port 443 towards the IPA server is being used and
kinit will give me a TGT.
However, I do have a trust to a Windows AD-server. I would expect something
like this:
ipa-client cannot access the windows AD server
ipa-server however can
ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
IPA KDC-proxy
Now, of course kinit winu...@windows.example.com will give:
[root@ipa-client7 etc]# kinit winu...@windows.example.com
kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
credentials
Adding something like this to krb5.conf won't work, still the same error
message:
WINDOWS.BLABLA.BLA = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
http_anchors = FILE:/etc/ipa/ca.crt
kdc = https://ipa1.linux.example.com/KdcProxy
kpasswd_server = https://ipa1.linux.example.com/KdcProxy
}
Now, is it possible to use the IPA-server as a proxy for the trusted Windows
Domain? How...?
You need to have WINDOWS.EXAMPLE.COM definition on the IPA client that points to the KDC proxy
_and_ WINDOWS.EXAMPLE.COM on IPA master should point to AD DCs.
The latter one should not use proxy but rather specify KDCs properly. Alternatively you should have
dns_lookup_kdc = true
For FreeIPA python-kdcproxy has DNS lookup disabled. It only reads
config items from /etc/krb5.conf.
# cat /etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = false
Christian
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA KDC Proxy
- Original Message -
> Hi all,
>
> I configured an IPA client using de FreeIPA 4.2 KDC Proxy something like
> this:
>
> ~
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ~
> [realms]
> LINUX.EXAMPLE.COM = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> http_anchors = FILE:/etc/ipa/ca.crt
> kdc = https://ipa1.linux.example.com/KdcProxy
> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
> }
>
> Now, this seems to work well, I blocked port 88 towards als KDC's, used some
> tcpdump and yes: only port 443 towards the IPA server is being used and
> kinit will give me a TGT.
>
> However, I do have a trust to a Windows AD-server. I would expect something
> like this:
>
> ipa-client cannot access the windows AD server
> ipa-server however can
> ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
> IPA KDC-proxy
>
> Now, of course kinit winu...@windows.example.com will give:
>
> [root@ipa-client7 etc]# kinit winu...@windows.example.com
> kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
> credentials
>
> Adding something like this to krb5.conf won't work, still the same error
> message:
>
> WINDOWS.BLABLA.BLA = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> http_anchors = FILE:/etc/ipa/ca.crt
> kdc = https://ipa1.linux.example.com/KdcProxy
> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
> }
>
>
> Now, is it possible to use the IPA-server as a proxy for the trusted Windows
> Domain? How...?
You need to have WINDOWS.EXAMPLE.COM definition on the IPA client that points
to the KDC proxy
_and_ WINDOWS.EXAMPLE.COM on IPA master should point to AD DCs.
The latter one should not use proxy but rather specify KDCs properly.
Alternatively you should have
dns_lookup_kdc = true
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA KDC Proxy
On 2016-01-22 11:57, Alexander Bokovoy wrote:
> - Original Message -
>> Hi all,
>>
>> I configured an IPA client using de FreeIPA 4.2 KDC Proxy something like
>> this:
>>
>> ~
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> ~
>> [realms]
>> LINUX.EXAMPLE.COM = {
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>> http_anchors = FILE:/etc/ipa/ca.crt
>> kdc = https://ipa1.linux.example.com/KdcProxy
>> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
>> }
>>
>> Now, this seems to work well, I blocked port 88 towards als KDC's, used some
>> tcpdump and yes: only port 443 towards the IPA server is being used and
>> kinit will give me a TGT.
>>
>> However, I do have a trust to a Windows AD-server. I would expect something
>> like this:
>>
>> ipa-client cannot access the windows AD server
>> ipa-server however can
>> ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
>> IPA KDC-proxy
>>
>> Now, of course kinit winu...@windows.example.com will give:
>>
>> [root@ipa-client7 etc]# kinit winu...@windows.example.com
>> kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
>> credentials
>>
>> Adding something like this to krb5.conf won't work, still the same error
>> message:
>>
>> WINDOWS.BLABLA.BLA = {
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>> http_anchors = FILE:/etc/ipa/ca.crt
>> kdc = https://ipa1.linux.example.com/KdcProxy
>> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
>> }
>>
>>
>> Now, is it possible to use the IPA-server as a proxy for the trusted Windows
>> Domain? How...?
> You need to have WINDOWS.EXAMPLE.COM definition on the IPA client that points
> to the KDC proxy
> _and_ WINDOWS.EXAMPLE.COM on IPA master should point to AD DCs.
>
> The latter one should not use proxy but rather specify KDCs properly.
> Alternatively you should have
> dns_lookup_kdc = true
For FreeIPA python-kdcproxy has DNS lookup disabled. It only reads
config items from /etc/krb5.conf.
# cat /etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = false
Christian
signature.asc
Description: OpenPGP digital signature
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
[Freeipa-users] IPA KDC Proxy
Hi all,
I configured an IPA client using de FreeIPA 4.2 KDC Proxy
something like this:
~
dns_lookup_realm = false
dns_lookup_kdc = false
~
[realms]
LINUX.EXAMPLE.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
http_anchors = FILE:/etc/ipa/ca.crt
kdc = https://ipa1.linux.example.com/KdcProxy
kpasswd_server = https://ipa1.linux.example.com/KdcProxy
}
Now, this seems to work well, I blocked port 88 towards als KDC's,
used some tcpdump and yes: only port 443 towards the IPA server is
being used and kinit will give me a TGT.
However, I do have a trust to a Windows AD-server. I would expect
something like this:
ipa-client cannot access the windows AD server
ipa-server however can
ipa-client will use ipa-server as a KDC proxy and will get a TGT
through the IPA KDC-proxy
Now, of course kinit winu...@windows.example.com will give:
[root@ipa-client7 etc]# kinit winu...@windows.example.com
kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while
getting initial credentials
Adding something like this to krb5.conf won't work, still the same
error message:
WINDOWS.BLABLA.BLA = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
http_anchors = FILE:/etc/ipa/ca.crt
kdc = https://ipa1.linux.example.com/KdcProxy
kpasswd_server = https://ipa1.linux.example.com/KdcProxy
}
Now, is it possible to use the IPA-server as a proxy for the
trusted Windows Domain? How...?
Kind regards,
Winny
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA KDC Proxy
On 2016-01-22 11:25, Winfried de Heiden wrote: > Now, is it possible to use the IPA-server as a proxy for the trusted > Windows Domain? How...? I haven't tried yet it but it should be possible. MS-KKDCP requests are prefixed with the requested realm name. You have to configure the mapping from real name to KDC on the *server*, too. The KDC Proxy service uses /etc/krb5.conf to map realms to servers. Please add a configuration for [realms] WINDOWS.EXAMPLE.COM on the IPA server and restart Apache HTTPD. The configuration on IPA server must use the Kerboers protocol over port 88 for KDC, 749 for kadmin and 464 for kpasswd. You can't use KDC Proxy here. Christian signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] IPA KDC Proxy
On Fri, 22 Jan 2016, Christian Heimes wrote:
On 2016-01-22 11:57, Alexander Bokovoy wrote:
- Original Message -
Hi all,
I configured an IPA client using de FreeIPA 4.2 KDC Proxy something like
this:
~
dns_lookup_realm = false
dns_lookup_kdc = false
~
[realms]
LINUX.EXAMPLE.COM = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
http_anchors = FILE:/etc/ipa/ca.crt
kdc = https://ipa1.linux.example.com/KdcProxy
kpasswd_server = https://ipa1.linux.example.com/KdcProxy
}
Now, this seems to work well, I blocked port 88 towards als KDC's, used some
tcpdump and yes: only port 443 towards the IPA server is being used and
kinit will give me a TGT.
However, I do have a trust to a Windows AD-server. I would expect something
like this:
ipa-client cannot access the windows AD server
ipa-server however can
ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
IPA KDC-proxy
Now, of course kinit winu...@windows.example.com will give:
[root@ipa-client7 etc]# kinit winu...@windows.example.com
kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
credentials
Adding something like this to krb5.conf won't work, still the same error
message:
WINDOWS.BLABLA.BLA = {
pkinit_anchors = FILE:/etc/ipa/ca.crt
http_anchors = FILE:/etc/ipa/ca.crt
kdc = https://ipa1.linux.example.com/KdcProxy
kpasswd_server = https://ipa1.linux.example.com/KdcProxy
}
Now, is it possible to use the IPA-server as a proxy for the trusted Windows
Domain? How...?
You need to have WINDOWS.EXAMPLE.COM definition on the IPA client that points
to the KDC proxy
_and_ WINDOWS.EXAMPLE.COM on IPA master should point to AD DCs.
The latter one should not use proxy but rather specify KDCs properly.
Alternatively you should have
dns_lookup_kdc = true
For FreeIPA python-kdcproxy has DNS lookup disabled. It only reads
config items from /etc/krb5.conf.
# cat /etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = false
Yes, either explicitly define realms that should be accessible via KDC
Proxy or enable use of DNS discovery.
The latter might be needed if there are multiple domains in AD forests
and AD DCs change over time.
--
/ Alexander Bokovoy
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
