Re: [Freeipa-users] freeipa client in DMZ
On Tue, Feb 02, 2016 at 02:12:58PM +, Baird, Josh wrote: > I believe the sssd clients will need to communicate directly with your AD > domain controllers, unfortunately. I wish there was a clean way around this, > since we have a ton of DC's in our HUB site, and I don't really want to poke > holes in the firewall(s) for all of them. > > Would someone from sssd/IPA mind chiming in here? What exactly needs to be > open? What DNS record can we query to get the exact list of DC's that need > to be available? Is there a way to restrict the list of domain controllers > that certain sssd clients need to communicate with (for scenarios like this)? The clients only need to communicate with AD during authentication and only for password authentication. Since the authentication is Kerberos based port 88 should be open and although typically it is sufficient for Kerberos to use UDP in the AD case we need TCP as well because AD Kerberos tickets are too large for UDP due to the PAC data in the ticket. If you want to allow password changes you have to open port 749 as well. For the trusted domain SSSD delegates everything including finding a suitable KDC to libkrb5. If 'dns_lookup_kdc = true' and no realm definition is available for the AD domain in /etc/krb5.conf libkrb5 will do a SRV query for _kerberos._tcp.ad.domain (no sites or other AD specific options). If you want to restrict the AD servers the clients want to talk and keep the holes in the firewall small I would suggest to add the AD realms to /etc/krb5.conf which only contains the KDC the clients should talk to. HTH bye, Sumit > > Thanks, > > Josh > > > -Original Message- > > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > > boun...@redhat.com] On Behalf Of Andy Thompson > > Sent: Tuesday, February 02, 2016 9:04 AM > > To: freeipa-users@redhat.com > > Subject: [Freeipa-users] freeipa client in DMZ > > > > Are ports required to be open for a freeipa client in a DMZ to the AD DCs > > for > > trusted users to login? I've got everything open to the IPA servers > > required > > and can lookup users and sudo rules and such but trusted users are not able > > to login. > > > > Thanks > > > > -andy > > > > > > > > *** This communication may contain privileged and/or confidential > > information. It is intended solely for the use of the addressee. If you are > > not > > the intended recipient, you are strictly prohibited from disclosing, > > copying, > > distributing or using any of this information. If you received this > > communication in error, please contact the sender immediately and destroy > > the material in its entirety, whether electronic or hard copy. *** > > > > > > -- > > Manage your subscription for the Freeipa-users mailing list: > > https://www.redhat.com/mailman/listinfo/freeipa-users > > Go to http://freeipa.org for more info on the project > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] freeipa client in DMZ
> -Original Message- > From: Baird, Josh [mailto:jba...@follett.com] > Sent: Tuesday, February 2, 2016 9:13 AM > To: Andy Thompson; freeipa- > us...@redhat.com > Subject: RE: freeipa client in DMZ > > I believe the sssd clients will need to communicate directly with your AD > domain controllers, unfortunately. I wish there was a clean way around this, > since we have a ton of DC's in our HUB site, and I don't really want to poke > holes in the firewall(s) for all of them. > > Would someone from sssd/IPA mind chiming in here? What exactly needs to > be open? What DNS record can we query to get the exact list of DC's that > need to be available? Is there a way to restrict the list of domain > controllers > that certain sssd clients need to communicate with (for scenarios like this)? > > Thanks, > > Josh > > > -Original Message- > > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > > boun...@redhat.com] On Behalf Of Andy Thompson > > Sent: Tuesday, February 02, 2016 9:04 AM > > To: freeipa-users@redhat.com > > Subject: [Freeipa-users] freeipa client in DMZ > > > > Are ports required to be open for a freeipa client in a DMZ to the AD > > DCs for trusted users to login? I've got everything open to the IPA > > servers required and can lookup users and sudo rules and such but > > trusted users are not able to login. > > > > Thanks > > > > -andy > > > > Going through my firewall logs it appears kerberos needs opened to the DCs at a minimum although I dropped 464 in there as well. Once I opened that up I was able to authenticate I'm not much of an AD guy so I don't know if there is a way to limit the servers accessed within AD. In my environment I had to setup separate DNS servers for the AD domain due to the environment setup so I could control it that way by removing DC records from that DNS environment. My thought is that it relies on the _kerberos._tcp srv records -andy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] freeipa client in DMZ
On Tue, 02 Feb 2016, Baird, Josh wrote: I believe the sssd clients will need to communicate directly with your AD domain controllers, unfortunately. I wish there was a clean way around this, since we have a ton of DC's in our HUB site, and I don't really want to poke holes in the firewall(s) for all of them. There is a way with FreeIPA 4.2+, but you need to have MIT Kerberos 1.13 on the client side. This way all clients will talk to IPA masters and IPA master would serve as Kerberos proxy using MS-KKDCP protocol. Would someone from sssd/IPA mind chiming in here? What exactly needs to be open? What DNS record can we query to get the exact list of DC's that need to be available? Is there a way to restrict the list of domain controllers that certain sssd clients need to communicate with (for scenarios like this)? For normal IPA-AD trust following is needed from IPA clients: - access from IPA client to AD DCs for Kerberos (port 88 TCP/UDP, 464 TCP/UDP) - access from IPA client to IPA master for LDAP (389 TCP), Kerberos (port 88 TCP/UDP, port 464 TCP/UDP) - access from IPA client to your DNS server (53 UDP), whatever that could be There might be other ports too, I don't remember off-hand. If you want to block certain domain controllers from being accessible by IPA clients, make sure you are doing it with rejection so that SSSD and Kerberos library would properly jump to the next discovered AD DC. DNS SRV records often contain all AD DCs and there is no support for sites in Kerberos library to pick up only the local ones, it takes what is given from DNS SRV records (if use of DNS-based discovery is enabled) and tries them one by one. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] freeipa client in DMZ
I believe the sssd clients will need to communicate directly with your AD domain controllers, unfortunately. I wish there was a clean way around this, since we have a ton of DC's in our HUB site, and I don't really want to poke holes in the firewall(s) for all of them. Would someone from sssd/IPA mind chiming in here? What exactly needs to be open? What DNS record can we query to get the exact list of DC's that need to be available? Is there a way to restrict the list of domain controllers that certain sssd clients need to communicate with (for scenarios like this)? Thanks, Josh > -Original Message- > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users- > boun...@redhat.com] On Behalf Of Andy Thompson > Sent: Tuesday, February 02, 2016 9:04 AM > To: freeipa-users@redhat.com > Subject: [Freeipa-users] freeipa client in DMZ > > Are ports required to be open for a freeipa client in a DMZ to the AD DCs for > trusted users to login? I've got everything open to the IPA servers required > and can lookup users and sudo rules and such but trusted users are not able > to login. > > Thanks > > -andy > > > > *** This communication may contain privileged and/or confidential > information. It is intended solely for the use of the addressee. If you are > not > the intended recipient, you are strictly prohibited from disclosing, copying, > distributing or using any of this information. If you received this > communication in error, please contact the sender immediately and destroy > the material in its entirety, whether electronic or hard copy. *** > > > -- > Manage your subscription for the Freeipa-users mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-users > Go to http://freeipa.org for more info on the project -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project