Excellent, thank you for the quick response. I will look further into your suggestions.
Aly

On Wed, Sep 23, 2015 at 3:50 PM, Alexander Bokovoy <[email protected]> wrote:
> On Wed, 23 Sep 2015, Aly Khimji wrote:
>
>> Hey guys,
>>
>> Quick question. Just running through a PoC and ran into a question.
>>
>> I have a simple AD DC (win2k8r2 box) with a trust set up to our IPA server.
>> Trust and all is set up properly and I can see users on the client/IPA
>> server, and on the IPA server I can ssh into it with the AD user.
>>
>> I am finding that users are unable to log into the "client nodes" and are
>> getting a "4: System Error" failure in the ssh log. When I dig into the
>> sssd in debug mode I can see it's failing to find a KDC for the "realm". Makes
>> sense so far. So I enable dns_lookup_kdc = true and now it is able to find
>> the realm and login is successful.
>>
> Correct.
>
>> My question is, is this "dns_lookup_kdc = true" required in any setup with
>> AD/IPA trust + ssh into IPA client with AD users?
>>
> Yes, in currently released versions you have to have that in the
> krb5.conf.
>
>> I am wondering as there may be a use case where the AD server is in another
>> network and IPA clients won't have direct access to AD. I was wondering if
>> there is any model in which the client only ever talks to the IPA server and
>> all the AD/Kerberos communication is handled via the IPA server, and if so
>> how is this done?
>>
> Yes, there is a way to do so with FreeIPA 4.2, by using KDC proxy
> functionality.
>
> You can enable KDC proxy on the IPA master and make sure to set manually on
> each client a 'kdc' property for each AD realm to point to
> https://ipa.master/KDCProxy. Then on the IPA master itself have an explicit
> definition in krb5.conf for AD realms pointing to the proper AD DCs for the
> 'kdc' property.
> With this setup you would have all Kerberos traffic (same can be done
> with kadmin protocol too, I think) redirected via IPA masters to AD DCs.
>
> You need to have a fairly recent MIT Kerberos library for that, though.
> RHEL7 should be OK. I haven't checked latest MIT krb5 backports in
> RHEL6, though.
>
>> I have read a bit and this looks as though what I am doing here is a
>> "legacy" setup. Just wondering if this is different in sssd 1.9 or if kdc =
>> True is always required.
>>
>> I am not doing anything extra on the client other than the ipa-client
>> install.
>> No manual adjustment of sssd.conf or krb5.conf. If I am missing something
>> please advise.
>>
> ipa-client-install sets 'dns_lookup_kdc = true' by default if your DNS
> discovery of KDC was successful and no '--force' option was specified.
>
> --
> / Alexander Bokovoy
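As an added illustration of the KDC proxy layout Alexander describes (example config, not from the thread or the FreeIPA project), the two krb5.conf fragments below assume an AD realm AD.EXAMPLE.COM with a DC at dc1.ad.example.com, an IPA master at ipa.example.com, and the IPA CA certificate at /etc/ipa/ca.crt; enabling the KDC proxy service on the master is assumed to have been done separately.

```ini
# --- On each IPA client: /etc/krb5.conf (constructed example) ---
# The AD realm gets an explicit 'kdc' entry that is an HTTPS URL (MS-KKDCP,
# supported by MIT krb5 1.13 and later). Once a realm has explicit kdc
# entries, libkrb5 does not fall back to DNS SRV lookup for that realm, so
# the client needs no route to the AD DCs: it only ever talks to the master.
[realms]
  AD.EXAMPLE.COM = {
    # Path as exposed by FreeIPA's Apache config (/KdcProxy); the mail
    # spells it KDCProxy. The hostname must match the master's HTTPS cert.
    kdc = https://ipa.example.com/KdcProxy
    # Password changes (kpasswd) can be proxied the same way.
    kpasswd_server = https://ipa.example.com/KdcProxy
    # Trust anchor for the proxy's TLS certificate: the IPA CA that
    # ipa-client-install installs on every client.
    http_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .ad.example.com = AD.EXAMPLE.COM
  ad.example.com = AD.EXAMPLE.COM

# --- On the IPA master: /etc/krb5.conf (constructed example) ---
# The proxy resolves the AD realm through the master's own krb5 config, so
# the real DCs are listed here, and only here; the master is the one host
# that needs network access to AD.
[realms]
  AD.EXAMPLE.COM = {
    kdc = dc1.ad.example.com
    kpasswd_server = dc1.ad.example.com
  }
```

A quick check from a client is `KRB5_TRACE=/dev/stderr kinit [email protected]`, which should show requests going to the https:// URL rather than to any AD DC address.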
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
