tiran/proxykdc.md

## proxykdc.md

      
    Raw
  

              proxykdc.md
            
          
    On each IPA server (server.ipa.example)


Apply patch https://github.com/freeipa/freeipa/pull/5496/files (https://pagure.io/freeipa/issue/8686). on RHEL it's in /usr/lib/python3.6/site-packages/ipaserver/plugins/cert.py
systemctl restart httpd.service to reload server code with patch
ipa host-add proxy.ipa.example --force
ipa host-add-managedby proxy.ipa.example --hosts=server.ipa.example
Create /tmp/fake-kdc.update (replace proxy.ipa.example with your actual proxy name three times)
Create fake KDC entry in masters configuration ipa-ldap-updater fake-kdc.update
systemctl restart httpd.service
request new KDC cert for server's and proxy's DNS name: ipa-getcert resubmit --wait -f /var/kerberos/krb5kdc/kdc.crt -D proxy.ipa.example -D server.ipa.example
Wait until ipa-getcert list -f /var/kerberos/krb5kdc/kdc.crt shows the cert request is finished and "dns:" shows both hostnames
ipactl restart

fake-kdc.update

dn: cn=proxy.ipa.example,cn=masters,cn=ipa,cn=etc,$SUFFIX
default: objectclass: top
default: objectclass: nsContainer
default: objectclass: ipaReplTopoManagedServer
default: objectClass: ipaConfigObject
default: objectClass: ipaSupportedDomainLevelConfig
default: cn: proxy.ipa.example
default: ipaMinDomainLevel: $MIN_DOMAIN_LEVEL
default: ipaMaxDomainLevel: $MAX_DOMAIN_LEVEL

dn: cn=KDC,cn=proxy.ipa.example,cn=masters,cn=ipa,cn=etc,$SUFFIX
default: objectClass: ipaConfigObject
default: objectClass: nsContainer
default: objectClass: top
default: cn: KDC
default: ipaConfigString: configuredService

On each client


download CA cert from IPA server to /etc/pki/krb5/ipa.example.pem
create /etc/krb5.conf.d/ipa_example

[realms]
 IPA.EXAMPLE = {
        kdc = https://proxy.ipa.example/KdcProxy
        pkinit_anchors = FILE:/etc/pki/krb5/ipa.example.pem
        pkinit_pool = FILE:/etc/pki/krb5/ipa.example.pem
 }