Questo contenuto non è disponibile nella lingua selezionata.
Chapter 55. Using the KDC Proxy in IdM
Some administrators might choose to make the default Kerberos ports inaccessible in their deployment. To allow users, hosts, and services to obtain Kerberos credentials, you can use the HTTPS
service as a proxy that communicates with Kerberos via the HTTPS
port 443.
In Identity Management (IdM), the Kerberos Key Distribution Center Proxy (KKDCP) provides this functionality.
On an IdM server, KKDCP is enabled by default and available at https://server.idm.example.com/KdcProxy
. On an IdM client, you must change its Kerberos configuration to access the KKDCP.
55.1. Configuring an IdM client to use KKDCP
As an Identity Management (IdM) system administrator, you can configure an IdM client to use the Kerberos Key Distribution Center Proxy (KKDCP) on an IdM server. This is useful if the default Kerberos ports are not accessible on the IdM server and the HTTPS
port 443 is the only way of accessing the Kerberos service.
Prerequisites
-
You have
root
access to the IdM client.
Procedure
-
Open the
/etc/krb5.conf
file for editing. In the
[realms]
section, enter the URL of the KKDCP for thekdc
,admin_server
, andkpasswd_server
options:[realms] EXAMPLE.COM = { kdc = https://kdc.example.com/KdcProxy admin_server = https://kdc.example.com/KdcProxy kpasswd_server = https://kdc.example.com/KdcProxy default_domain = example.com }
For redundancy, you can add the parameters
kdc
,admin_server
, andkpasswd_server
multiple times to indicate different KKDCP servers.Restart the
sssd
service to make the changes take effect:~]# systemctl restart sssd
55.2. Verifying that KKDCP is enabled on an IdM server
On an Identity Management (IdM) server, the Kerberos Key Distribution Center Proxy (KKDCP) is automatically enabled each time the Apache web server starts if the attribute and value pair ipaConfigString=kdcProxyEnabled
exists in the directory. In this situation, the symbolic link /etc/httpd/conf.d/ipa-kdc-proxy.conf
is created.
You can verify if the KKDCP is enabled on the IdM server, even as an unprivileged user.
Procedure
- Check that the symbolic link exists:
$ ls -l /etc/httpd/conf.d/ipa-kdc-proxy.conf
lrwxrwxrwx. 1 root root 36 Jun 21 2020 /etc/httpd/conf.d/ipa-kdc-proxy.conf -> /etc/ipa/kdcproxy/ipa-kdc-proxy.conf
The output confirms that KKDCP is enabled.
55.3. Disabling KKDCP on an IdM server
As an Identity Management (IdM) system administrator, you can disable the Kerberos Key Distribution Center Proxy (KKDCP) on an IdM server.
Prerequisites
-
You have
root
access to the IdM server.
Procedure
Remove the
ipaConfigString=kdcProxyEnabled
attribute and value pair from the directory:# ipa-ldap-updater /usr/share/ipa/kdcproxy-disable.uldif Update complete The ipa-ldap-updater command was successful
Restart the
httpd
service:# systemctl restart httpd.service
KKDCP is now disabled on the current IdM server.
Verification
Verify that the symbolic link does not exist:
$ ls -l /etc/httpd/conf.d/ipa-kdc-proxy.conf ls: cannot access '/etc/httpd/conf.d/ipa-kdc-proxy.conf': No such file or directory
55.4. Re-enabling KKDCP on an IdM server
On an IdM server, the Kerberos Key Distribution Center Proxy (KKDCP) is enabled by default and available at https://server.idm.example.com/KdcProxy
.
If KKDCP has been disabled on a server, you can re-enable it.
Prerequisites
-
You have
root
access to the IdM server.
Procedure
Add the
ipaConfigString=kdcProxyEnabled
attribute and value pair to the directory:# ipa-ldap-updater /usr/share/ipa/kdcproxy-enable.uldif Update complete The ipa-ldap-updater command was successful
Restart the
httpd
service:# systemctl restart httpd.service
KKDCP is now enabled on the current IdM server.
Verification
Verify that the symbolic link exists:
$ ls -l /etc/httpd/conf.d/ipa-kdc-proxy.conf lrwxrwxrwx. 1 root root 36 Jun 21 2020 /etc/httpd/conf.d/ipa-kdc-proxy.conf -> /etc/ipa/kdcproxy/ipa-kdc-proxy.conf
55.5. Configuring the KKDCP server I
With the following configuration, you can enable TCP to be used as the transport protocol between the IdM KKDCP and the Active Directory (AD) realm, where multiple Kerberos servers are used.
Prerequisites
-
You have
root
access.
Procedure
Set the
use_dns
parameter in the[global]
section of the/etc/ipa/kdcproxy/kdcproxy.conf
file to false.[global] use_dns = false
Put the proxied realm information into the
/etc/ipa/kdcproxy/kdcproxy.conf
file. For example, for the [AD.EXAMPLE.COM] realm with proxy list the realm configuration parameters as follows:[AD.EXAMPLE.COM] kerberos = kerberos+tcp://1.2.3.4:88 kerberos+tcp://5.6.7.8:88 kpasswd = kpasswd+tcp://1.2.3.4:464 kpasswd+tcp://5.6.7.8:464
ImportantThe realm configuration parameters must list multiple servers separated by a space, as opposed to
/etc/krb5.conf
andkdc.conf
, in which certain options may be specified multiple times.Restart Identity Management (IdM) services:
# ipactl restart
Additional resources
- Configure IPA server as a KDC Proxy for AD Kerberos communication (Red Hat Knowledgebase)
55.6. Configuring the KKDCP server II
The following server configuration relies on the DNS service records to find Active Directory (AD) servers to communicate with.
Prerequisites
-
You have
root
access.
Procedure
In the
/etc/ipa/kdcproxy/kdcproxy.conf
file, the[global]
section, set theuse_dns
parameter to true.[global] configs = mit use_dns = true
The
configs
parameter allows you to load other configuration modules. In this case, the configuration is read from the MITlibkrb5
library.Optional: In case you do not want to use DNS service records, add explicit AD servers to the
[realms]
section of the/etc/krb5.conf
file. If the realm with proxy is, for example, AD.EXAMPLE.COM, you add:[realms] AD.EXAMPLE.COM = { kdc = ad-server.ad.example.com kpasswd_server = ad-server.ad.example.com }
Restart Identity Management (IdM) services:
# ipactl restart
Additional resources
- Configure IPA server as a KDC Proxy for AD Kerberos communication (Red Hat Knowledgebase)