Re: [Freeipa-users] IPA KDC Proxy

2016-01-25 Thread Christian Heimes
On 2016-01-25 08:17, Winfried de Heiden wrote:
> Great,
> 
> Changing
> 
> /etc/ipa/kdcproxy/kdcproxy.conf
> [global]
> configs = mit
> use_dns = false
> 
> to
> 
> # cat /etc/ipa/kdcproxy/kdcproxy.conf
> [global]
> configs = mit
> use_dns = true
> 
> along with adding the windows realm to krb5.conf on the clients did the
> trick; I am able to obtain an AD TGT ticket by using the KDC proxy
> 
> Is there a special reason why "use_dns = false" was used in kdcproxy.conf?

The current implementation of the DNS configuration feature is slow and
reduces the performance of KDC proxy requests. Every request has to fetch
multiple SRV records and then resolve each entry in each record again.
There is no caching and no async DNS support, either.

A co-worker has written an RFC to address the problem. The RFC hasn't
been approved yet.
https://tools.ietf.org/html/draft-mccallum-kitten-krb-service-discovery-00

Do you need dynamic configuration or can you get by with static
configuration in krb5.conf?

Christian



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA KDC Proxy

2016-01-25 Thread Winfried de Heiden

OK, clear, many thanks!

Winny

On 25-01-16 at 09:45, Christian Heimes wrote:
> On 2016-01-25 08:17, Winfried de Heiden wrote:
>> Great,
>>
>> Changing
>>
>> /etc/ipa/kdcproxy/kdcproxy.conf
>> [global]
>> configs = mit
>> use_dns = false
>>
>> to
>>
>> # cat /etc/ipa/kdcproxy/kdcproxy.conf
>> [global]
>> configs = mit
>> use_dns = true
>>
>> along with adding the windows realm to krb5.conf on the clients did the
>> trick; I am able to obtain an AD TGT ticket by using the KDC proxy
>>
>> Is there a special reason why "use_dns = false" was used in kdcproxy.conf?
>
> The current implementation of the DNS configuration feature is slow and
> reduces the performance of KDC proxy requests. Every request has to fetch
> multiple SRV records and then resolve each entry in each record again.
> There is no caching and no async DNS support, either.
>
> A co-worker has written an RFC to address the problem. The RFC hasn't
> been approved yet.
> https://tools.ietf.org/html/draft-mccallum-kitten-krb-service-discovery-00
>
> Do you need dynamic configuration or can you get by with static
> configuration in krb5.conf?
>
> Christian


Re: [Freeipa-users] IPA KDC Proxy

2016-01-25 Thread Winfried de Heiden

"RHEL 6.x libkrb5 has no support for KDC proxy"

Too bad, I was afraid of that.

Winny

On 25-01-16 at 08:36, Alexander Bokovoy wrote:
> RHEL 6.x libkrb5 has no support for KDC proxy


Re: [Freeipa-users] IPA KDC Proxy

2016-01-24 Thread Alexander Bokovoy


- Original Message -
> Great,
> 
> Changing
> 
> /etc/ipa/kdcproxy/kdcproxy.conf
> [global]
> configs = mit
> use_dns = false
> 
> to
> 
> # cat /etc/ipa/kdcproxy/kdcproxy.conf
> [global]
> configs = mit
> use_dns = true
> 
> along with adding the windows realm to krb5.conf on the clients did the
> trick; I am able to obtain an AD TGT ticket by using the KDC proxy
> 
> Is there a special reason why "use_dns = false" was used in kdcproxy.conf?
Yes -- it allows you to control explicitly what gets proxied, with no surprises.
 
> Will this work on CentOS/RHEL 6 as well?
No. RHEL 6.x libkrb5 has no support for KDC proxy and it is non-trivial to 
backport.

-- 
/ Alexander Bokovoy



Re: [Freeipa-users] IPA KDC Proxy

2016-01-24 Thread Winfried de Heiden

Great,

Changing

/etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = false

to

# cat /etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = true

along with adding the windows realm to krb5.conf on the clients
did the trick; I am able to obtain an AD TGT ticket by using the
KDC proxy

Is there a special reason why "use_dns = false" was used in
kdcproxy.conf?

Will this work on CentOS/RHEL 6 as well?

Winny

On 22-01-16 at 12:05, Christian Heimes wrote:
> On 2016-01-22 11:57, Alexander Bokovoy wrote:
>> - Original Message -
>>> Hi all,
>>>
>>> I configured an IPA client using the FreeIPA 4.2 KDC Proxy something like
>>> this:
>>>
>>> ~
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = false
>>> ~
>>> [realms]
>>> LINUX.EXAMPLE.COM = {
>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>> http_anchors = FILE:/etc/ipa/ca.crt
>>> kdc = https://ipa1.linux.example.com/KdcProxy
>>> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
>>> }
>>>
>>> Now, this seems to work well, I blocked port 88 towards all KDCs, used some
>>> tcpdump and yes: only port 443 towards the IPA server is being used and
>>> kinit will give me a TGT.
>>>
>>> However, I do have a trust to a Windows AD-server. I would expect something
>>> like this:
>>>
>>> ipa-client cannot access the windows AD server
>>> ipa-server however can
>>> ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
>>> IPA KDC-proxy
>>>
>>> Now, of course kinit winu...@windows.example.com will give:
>>>
>>> [root@ipa-client7 etc]# kinit winu...@windows.example.com
>>> kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
>>> credentials
>>>
>>> Adding something like this to krb5.conf won't work, still the same error
>>> message:
>>>
>>> WINDOWS.BLABLA.BLA = {
>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>> http_anchors = FILE:/etc/ipa/ca.crt
>>> kdc = https://ipa1.linux.example.com/KdcProxy
>>> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
>>> }
>>>
>>> Now, is it possible to use the IPA-server as a proxy for the trusted Windows
>>> Domain? How...?
>>
>> You need to have a WINDOWS.EXAMPLE.COM definition on the IPA client that points to the KDC proxy
>> _and_ a WINDOWS.EXAMPLE.COM definition on the IPA master that points to the AD DCs.
>>
>> The latter one should not use the proxy but rather specify the KDCs properly. Alternatively you should have
>>  dns_lookup_kdc = true
>
> For FreeIPA, python-kdcproxy has DNS lookup disabled. It only reads
> config items from /etc/krb5.conf.
>
> # cat /etc/ipa/kdcproxy/kdcproxy.conf
> [global]
> configs = mit
> use_dns = false
>
> Christian



Re: [Freeipa-users] IPA KDC Proxy

2016-01-22 Thread Alexander Bokovoy
- Original Message -
> Hi all,
> 
> I configured an IPA client using the FreeIPA 4.2 KDC Proxy something like
> this:
> 
> ~
> dns_lookup_realm = false
> dns_lookup_kdc = false
> ~
> [realms]
> LINUX.EXAMPLE.COM = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> http_anchors = FILE:/etc/ipa/ca.crt
> kdc = https://ipa1.linux.example.com/KdcProxy
> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
> }
> 
> Now, this seems to work well, I blocked port 88 towards all KDCs, used some
> tcpdump and yes: only port 443 towards the IPA server is being used and
> kinit will give me a TGT.
> 
> However, I do have a trust to a Windows AD-server. I would expect something
> like this:
> 
> ipa-client cannot access the windows AD server
> ipa-server however can
> ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
> IPA KDC-proxy
> 
> Now, of course kinit winu...@windows.example.com will give:
> 
> [root@ipa-client7 etc]# kinit winu...@windows.example.com
> kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
> credentials
> 
> Adding something like this to krb5.conf won't work, still the same error
> message:
> 
> WINDOWS.BLABLA.BLA = {
> pkinit_anchors = FILE:/etc/ipa/ca.crt
> http_anchors = FILE:/etc/ipa/ca.crt
> kdc = https://ipa1.linux.example.com/KdcProxy
> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
> }
> 
> 
> Now, is it possible to use the IPA-server as a proxy for the trusted Windows
> Domain? How...?
You need to have a WINDOWS.EXAMPLE.COM definition on the IPA client that points
to the KDC proxy
_and_ a WINDOWS.EXAMPLE.COM definition on the IPA master that points to the AD DCs.

The latter one should not use the proxy but rather specify the KDCs properly.
Alternatively you should have
 dns_lookup_kdc = true

-- 
/ Alexander Bokovoy



Re: [Freeipa-users] IPA KDC Proxy

2016-01-22 Thread Christian Heimes
On 2016-01-22 11:57, Alexander Bokovoy wrote:
> - Original Message -
>> Hi all,
>>
>> I configured an IPA client using the FreeIPA 4.2 KDC Proxy something like
>> this:
>>
>> ~
>> dns_lookup_realm = false
>> dns_lookup_kdc = false
>> ~
>> [realms]
>> LINUX.EXAMPLE.COM = {
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>> http_anchors = FILE:/etc/ipa/ca.crt
>> kdc = https://ipa1.linux.example.com/KdcProxy
>> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
>> }
>>
>> Now, this seems to work well, I blocked port 88 towards all KDCs, used some
>> tcpdump and yes: only port 443 towards the IPA server is being used and
>> kinit will give me a TGT.
>>
>> However, I do have a trust to a Windows AD-server. I would expect something
>> like this:
>>
>> ipa-client cannot access the windows AD server
>> ipa-server however can
>> ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
>> IPA KDC-proxy
>>
>> Now, of course kinit winu...@windows.example.com will give:
>>
>> [root@ipa-client7 etc]# kinit winu...@windows.example.com
>> kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
>> credentials
>>
>> Adding something like this to krb5.conf won't work, still the same error
>> message:
>>
>> WINDOWS.BLABLA.BLA = {
>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>> http_anchors = FILE:/etc/ipa/ca.crt
>> kdc = https://ipa1.linux.example.com/KdcProxy
>> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
>> }
>>
>>
>> Now, is it possible to use the IPA-server as a proxy for the trusted Windows
>> Domain? How...?
> You need to have a WINDOWS.EXAMPLE.COM definition on the IPA client that points
> to the KDC proxy
> _and_ a WINDOWS.EXAMPLE.COM definition on the IPA master that points to the AD DCs.
>
> The latter one should not use the proxy but rather specify the KDCs properly.
> Alternatively you should have
>  dns_lookup_kdc = true

For FreeIPA, python-kdcproxy has DNS lookup disabled. It only reads
config items from /etc/krb5.conf.

# cat /etc/ipa/kdcproxy/kdcproxy.conf
[global]
configs = mit
use_dns = false

Christian





Re: [Freeipa-users] IPA KDC Proxy

2016-01-22 Thread Christian Heimes
On 2016-01-22 11:25, Winfried de Heiden wrote:
> Now, is it possible to use the IPA-server as a proxy for the trusted
> Windows Domain? How...?

I haven't tried it yet, but it should be possible. MS-KKDCP requests are
prefixed with the requested realm name. You have to configure the
mapping from realm name to KDC on the *server*, too. The KDC Proxy
service uses /etc/krb5.conf to map realms to servers.

Please add a configuration for [realms] WINDOWS.EXAMPLE.COM on the IPA
server and restart Apache HTTPD. The configuration on the IPA server must
use the Kerberos protocol over port 88 for KDC, 749 for kadmin and 464
for kpasswd. You can't use KDC Proxy here.

Christian




Re: [Freeipa-users] IPA KDC Proxy

2016-01-22 Thread Alexander Bokovoy

On Fri, 22 Jan 2016, Christian Heimes wrote:
> On 2016-01-22 11:57, Alexander Bokovoy wrote:
>> - Original Message -
>>> Hi all,
>>>
>>> I configured an IPA client using the FreeIPA 4.2 KDC Proxy something like
>>> this:
>>>
>>> ~
>>> dns_lookup_realm = false
>>> dns_lookup_kdc = false
>>> ~
>>> [realms]
>>> LINUX.EXAMPLE.COM = {
>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>> http_anchors = FILE:/etc/ipa/ca.crt
>>> kdc = https://ipa1.linux.example.com/KdcProxy
>>> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
>>> }
>>>
>>> Now, this seems to work well, I blocked port 88 towards all KDCs, used some
>>> tcpdump and yes: only port 443 towards the IPA server is being used and
>>> kinit will give me a TGT.
>>>
>>> However, I do have a trust to a Windows AD-server. I would expect something
>>> like this:
>>>
>>> ipa-client cannot access the windows AD server
>>> ipa-server however can
>>> ipa-client will use ipa-server as a KDC proxy and will get a TGT through the
>>> IPA KDC-proxy
>>>
>>> Now, of course kinit winu...@windows.example.com will give:
>>>
>>> [root@ipa-client7 etc]# kinit winu...@windows.example.com
>>> kinit: Cannot find KDC for realm "WINDOWS.EXAMPLE.COM" while getting initial
>>> credentials
>>>
>>> Adding something like this to krb5.conf won't work, still the same error
>>> message:
>>>
>>> WINDOWS.BLABLA.BLA = {
>>> pkinit_anchors = FILE:/etc/ipa/ca.crt
>>> http_anchors = FILE:/etc/ipa/ca.crt
>>> kdc = https://ipa1.linux.example.com/KdcProxy
>>> kpasswd_server = https://ipa1.linux.example.com/KdcProxy
>>> }
>>>
>>> Now, is it possible to use the IPA-server as a proxy for the trusted Windows
>>> Domain? How...?
>>
>> You need to have a WINDOWS.EXAMPLE.COM definition on the IPA client that points
>> to the KDC proxy
>> _and_ a WINDOWS.EXAMPLE.COM definition on the IPA master that points to the AD DCs.
>>
>> The latter one should not use the proxy but rather specify the KDCs properly.
>> Alternatively you should have
>>  dns_lookup_kdc = true
>
> For FreeIPA, python-kdcproxy has DNS lookup disabled. It only reads
> config items from /etc/krb5.conf.
>
> # cat /etc/ipa/kdcproxy/kdcproxy.conf
> [global]
> configs = mit
> use_dns = false

Yes, either explicitly define realms that should be accessible via KDC
Proxy or enable use of DNS discovery.

The latter might be needed if there are multiple domains in AD forests
and AD DCs change over time.

--
/ Alexander Bokovoy

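The server-side routing Christian describes (the realm name carried in the MS-KKDCP request is looked up in the proxy host's own /etc/krb5.conf [realms] section, which must name real KDCs on port 88 and not a KdcProxy URL) and the choice Alexander spells out (with use_dns = false only explicitly listed realms are proxied; with DNS discovery every unknown realm costs an SRV lookup per request), as an added example. This is not code from FreeIPA or python-kdcproxy: the DER codec is hand-written and minimal, the [realms] parser is a simplified one that assumes no nested braces, the krb5.conf text and host names are constructed for the example, and the use_dns = true branch only reports the SRV name it would have to resolve instead of querying DNS.

```python
# Added example, not code from FreeIPA or python-kdcproxy: a minimal MS-KKDCP
# message codec plus the realm routing a KDC proxy does with use_dns = false.
import re
from typing import Dict, List, Optional, Tuple

# KDC-PROXY-MESSAGE ::= SEQUENCE { kerb-message [0] OCTET STRING,
#   target-domain [1] KerberosString OPTIONAL, dclocator-hint [2] INTEGER OPTIONAL }
SEQUENCE, OCTET_STRING, INTEGER, GENERAL_STRING = 0x30, 0x04, 0x02, 0x1B
CTX0, CTX1, CTX2 = 0xA0, 0xA1, 0xA2  # context-specific, constructed

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(content)) + content

def _der_int(v: int) -> bytes:  # minimal two's complement, as DER requires
    return v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True)

def encode_kkdcp(kerb_message: bytes, target_domain: Optional[str] = None,
                 dclocator_hint: Optional[int] = None) -> bytes:
    """Wrap a raw KDC-REQ as a KKDCP client posts it; kerb-message keeps the 4-byte TCP length prefix."""
    framed = len(kerb_message).to_bytes(4, "big") + kerb_message
    fields = _tlv(CTX0, _tlv(OCTET_STRING, framed))
    if target_domain is not None:
        fields += _tlv(CTX1, _tlv(GENERAL_STRING, target_domain.encode("ascii")))
    if dclocator_hint is not None:
        fields += _tlv(CTX2, _tlv(INTEGER, _der_int(dclocator_hint)))
    return _tlv(SEQUENCE, fields)

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first
    if first & 0x80:  # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_kkdcp(data: bytes) -> Tuple[bytes, Optional[str], Optional[int]]:
    tag, seq, end = _read_tlv(data, 0)
    if tag != SEQUENCE or end != len(data):
        raise ValueError("not a KDC-PROXY-MESSAGE")
    kerb = realm = hint = None
    pos = 0
    while pos < len(seq):
        tag, inner, pos = _read_tlv(seq, pos)
        itag, value, _ = _read_tlv(inner, 0)
        if tag == CTX0 and itag == OCTET_STRING:
            if len(value) < 4 or int.from_bytes(value[:4], "big") != len(value) - 4:
                raise ValueError("kerb-message length prefix does not match")
            kerb = value[4:]
        elif tag == CTX1 and itag == GENERAL_STRING:
            realm = value.decode("ascii")
        elif tag == CTX2 and itag == INTEGER:
            hint = int.from_bytes(value, "big", signed=True)
        else:
            raise ValueError("unexpected field tag %#x" % tag)
    if kerb is None:
        raise ValueError("kerb-message is mandatory")
    return kerb, realm, hint

# Constructed [realms] section for the proxy host (placeholder host names). WINDOWS.EXAMPLE.COM
# points at plain KDCs on port 88; BROKEN.EXAMPLE.COM shows the mistake of naming a KdcProxy URL.
SAMPLE_KRB5_CONF = """
[realms]
 WINDOWS.EXAMPLE.COM = {
  kdc = dc1.windows.example.com:88
  kdc = dc2.windows.example.com:88
 }
 BROKEN.EXAMPLE.COM = {
  kdc = https://ipa1.linux.example.com/KdcProxy
 }
"""

def parse_realms(text: str) -> Dict[str, List[str]]:
    """Map realm -> kdc entries from a krb5.conf [realms] block (no nesting)."""
    m = re.search(r"\[realms\](.*?)(?=\n\[|\Z)", text, re.S)
    return {name: re.findall(r"^\s*kdc\s*=\s*(\S+)", body, re.M) for name, body in
            re.findall(r"(\S+)\s*=\s*\{(.*?)\}", m.group(1) if m else "", re.S)}

def route(message: bytes, realms: Dict[str, List[str]],
          use_dns: bool = False) -> Tuple[str, str]:
    """Return ("forward", "host:port"), ("resolve", srv_name) or ("refuse", why)."""
    _, realm, _ = decode_kkdcp(message)
    if realm is None:  # this example insists on target-domain being present
        return "refuse", "no target-domain in request"
    kdcs = realms.get(realm, [])
    if not kdcs:
        if use_dns:  # use_dns = true: an SRV lookup on every request, no cache
            return "resolve", "_kerberos._tcp.%s" % realm.lower()
        return "refuse", "realm %s not in static config" % realm
    if kdcs[0].lower().startswith(("http://", "https://")):
        return "refuse", "%s: upstream must be a KDC on port 88, not a KdcProxy URL" % realm
    return "forward", kdcs[0]
```

Routing keys on target-domain rather than on anything inside the Kerberos message, so the proxy never has to understand the KDC-REQ it forwards; all it needs is a correct realm-to-KDC map on its own host, which is why the WINDOWS.EXAMPLE.COM entry has to exist on the IPA server and not only on the client.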