> -----Original Message-----
> From: Baird, Josh [mailto:[email protected]]
> Sent: Tuesday, February 2, 2016 9:13 AM
> To: Andy Thompson <[email protected]>; [email protected]
> Subject: RE: freeipa client in DMZ
>
> I believe the sssd clients will need to communicate directly with your AD
> domain controllers, unfortunately. I wish there was a clean way around this,
> since we have a ton of DC's in our HUB site, and I don't really want to poke
> holes in the firewall(s) for all of them.
>
> Would someone from sssd/IPA mind chiming in here? What exactly needs to
> be open? What DNS record can we query to get the exact list of DC's that
> need to be available? Is there a way to restrict the list of domain controllers
> that certain sssd clients need to communicate with (for scenarios like this)?
>
> Thanks,
>
> Josh
>
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of Andy Thompson
> > Sent: Tuesday, February 02, 2016 9:04 AM
> > To: [email protected]
> > Subject: [Freeipa-users] freeipa client in DMZ
> >
> > Are ports required to be open for a freeipa client in a DMZ to the AD
> > DCs for trusted users to login? I've got everything open to the IPA
> > servers required and can lookup users and sudo rules and such but
> > trusted users are not able to login.
> >
> > Thanks
> >
> > -andy
Going through my firewall logs it appears kerberos needs to be opened to the DCs at a minimum, although I dropped 464 in there as well. Once I opened that up I was able to authenticate.

I'm not much of an AD guy so I don't know if there is a way to limit the servers accessed within AD. In my environment I had to setup separate DNS servers for the AD domain due to the environment setup, so I could control it that way by removing DC records from that DNS environment. My thought is that it relies on the _kerberos._tcp srv records.

-andy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
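An added example, not code from anyone on this thread: it turns the `_kerberos._tcp` / `_kpasswd._tcp` SRV answers for the AD domain into the exact (DC host, port) pairs the DMZ firewall must permit, so you can allow only the DCs that are actually advertised instead of every DC in the hub. The `dig +short` output below is constructed; the domain `ad.example.test`, the site name and the `query_live` helper are assumptions.

```python
"""Derive the minimal DC allow-list (Kerberos 88, kpasswd 464) from AD SRV records."""
import subprocess
from collections import namedtuple

Srv = namedtuple("Srv", "priority weight port target")


def srv_names(domain, site=None):
    """SRV names a client resolves to find KDCs and the kpasswd service.
    With an AD site name, the site-scoped record lists only that site's DCs."""
    kdc = f"_kerberos._tcp.{site}._sites.{domain}" if site else f"_kerberos._tcp.{domain}"
    return [kdc, f"_kpasswd._tcp.{domain}"]


def parse_srv(text):
    """Parse `dig +short SRV` lines ("prio weight port target.") and order them
    as a client would pick them: lowest priority first, then highest weight."""
    recs = []
    for line in text.strip().splitlines():
        prio, weight, port, target = line.split()
        recs.append(Srv(int(prio), int(weight), int(port), target.rstrip(".").lower()))
    return sorted(recs, key=lambda r: (r.priority, -r.weight, r.target))


def allow_list(answers):
    """answers: {srv_name: dig output}. Returns sorted (host, port) pairs to permit."""
    rules = set()
    for text in answers.values():
        for r in parse_srv(text):
            rules.add((r.target, r.port))
    return sorted(rules)


def query_live(domain, site=None):
    """Resolve the names with dig (needs network/DNS); returns {name: output}."""
    return {
        n: subprocess.run(["dig", "+short", "SRV", n], capture_output=True, text=True, check=True).stdout
        for n in srv_names(domain, site)
    }


# Constructed sample answers: two DCs advertise Kerberos, only one advertises kpasswd.
SAMPLE = {
    "_kerberos._tcp.ad.example.test": "0 100 88 dc1.ad.example.test.\n0 50 88 dc2.ad.example.test.\n",
    "_kpasswd._tcp.ad.example.test": "0 100 464 dc1.ad.example.test.\n",
}

if __name__ == "__main__":
    for host, port in allow_list(SAMPLE):
        print(f"allow tcp {host}:{port}")
```

Re-run it (with `query_live`) whenever DCs are added or removed, since the SRV records, not a static list, are what the clients will follow.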
