Hi,<br><br>I got it working!!!!!!, I turned off windows firewall, synced all the servers to a common ntp server!!!, it simply got added.<br><br>But, in windows still we need to create a local user with local privileges to map the kerberos principal....<br>
<br>I could also see that ipa server already has the samba schema in the directory server, can we follow the below documentation to get it working as a PDC with IPA backend?<br><br><a href="http://directory.fedoraproject.org/wiki/Howto:Samba">http://directory.fedoraproject.org/wiki/Howto:Samba</a><br>
<br>Thank you so much for all of your suggestions and support.<br><br>Thanks & Regards<br><br>Viji<br><br><br><br><div class="gmail_quote">On Sun, Jan 4, 2009 at 12:05 AM, Kozlov <span dir="ltr"><<a href="mailto:mackoel@gmail.com">mackoel@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi,<br>
<br>
Puzzling...<br>
<br>
Did you try to put ipaserver and winxp box in /etc/hosts on both client and server?<br>
<br>
can you kinit from winxp?<div class="Ih2E3d"><br>
<br>
Best regards,<br>
<br>
Kostya<br>
<br>
Viji V Nair writes:<br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi,<br>
<br><div class="Ih2E3d">
I did the same, still having the same problem. I know that samba is not needed for windowsxp to authenticate to freeIPA, as I said kerberos was not working for me (still trying on it with fresh windows client installation), so I have done a try with samba (removed samba and did a fresh IPA installation). Here are the exact steps I have followed.<br>

<br>
On the IPA Server.<br>
<br>
1. Added host principal and set the password for the xp client<br>
<br></div>
#  ipa-addservice host/bmdata01.testing.com<br>
#  ipa-getkeytab -s viji.testing.com -p host/bmdata01.testing.com -e des-cbc-crc -k krb5.keytab.txt -P (asked for the password)<div class="Ih2E3d">
<br>
<br>
2. On the Client (Windows XP)<br>
<br>
a. Installed MIT kerberos windows client<br>
<br>
b. Created a user called ipauser<br>
<br>
c. Configured kerberos<br>
<br></div>
C:> ksetup /setrealm TESTING.COM<br>
C:> ksetup /addkdc TESTING.COM viji.testing.com<div class="Ih2E3d">
<br>
C:> ksetup /setmachpassword <password><br>
C:> ksetup /mapuser * ipauser<br>
<br></div>
d. Rebooted the machine, after the reboot windows is showing "TESTING.COM (Kerberos Realm)" in the login screen, but when I enter a valid ipa user name it is throwing the following error.<div class="Ih2E3d">
<br>
<br>
  "The system could not log you on. Make sure your user name and domain are correct, and then type your password again. Letters in passwords must be typed using the correct case."<br>
<br>
But the kerberos server is issuing the tickets, I could see this in logs.  Don't know what happened, hope I did something wrong, but not getting what went wrong and where. Your suggestions are greatly appreciated.<br>
<br>
Thanks<br>
Viji<br>
<br>
<br></div><div><div></div><div class="Wj3C7c">
 On Fri, Jan 2, 2009 at 12:05 AM, Kozlov <<a href="mailto:mackoel@gmail.com" target="_blank">mackoel@gmail.com</a>> wrote:<br>

<br>
    Hi,<br>
<br>
    I know this document and had set up samba3 that way.<br>
<br>
    The problem is samba3 can't use kerberos from winxp. No way for now.<br>
<br>
    Samba4 is in alpha stage, it uses ADS schema in LDAP and can't<br>
    work with FreeIPA.<br>
<br>
    Samba is not needed for winxp to authenticate in freeipa.<br>
<br>
    So if you need to authenticate winxp users in freeipa try to<br>
    follow the steps for setting up kerberos on winxp.<br>
<br>
    Did you try the ipa-getkeytab with -e and -P?<br>
<br>
    winxp needs that enctype and password to work with freeipa. And it<br>
    worked for me and some people on this list.<br>
<br>
<br>
    Best regards,<br>
<br>
    Kostya<br>
<br>
    Viji V Nair writes:<br>
<br>
        Hi,<br>
<br>
        Yes, my goal is to setup an Active Directory substitution, but<br>
        not looking for a complete AD replacement. I really don't want<br>
        to use windows active directory. In my organization around 60%<br>
        of the users are using Linux as their desktop, remaining 40%<br>
        is on windows XP SP3.<br>
<br>
        I want to setup single sign on using free IPA, I found the<br>
        attached document on the internet, so I tried to setup samba<br>
        as a client to freeIPA and authenticate windows clients to<br>
        samba and samba to freeIPA. (I tried this because  I was<br>
        struggling with windows to authenticate to the kerberos)<br>
<br>
        Please have a look at the attached document, I will try your<br>
        suggestions and post the results.<br>
<br>
        Wishing you all a Happy and peaceful NEW YEAR.<br>
<br>
        Thanks & Regards<br>
        Viji<br>
<br>
        On Wed, Dec 31, 2008 at 9:22 PM, Kozlov <<a href="mailto:mackoel@gmail.com" target="_blank">mackoel@gmail.com</a>> wrote:<br></div></div><div class="Ih2E3d">
<br>
           Hi,<br>
<br></div><div><div></div><div class="Wj3C7c">
           I saw your posts on samba list :)<br>
           Is your goal to make the Active Directory substitution?<br>
<br>
           Samba3 + FreeIPA won't work that way. Look for explanations on<br>
           freeipa-users list. You either need Samba4 or no kerberos on Windows.<br>
<br>
           However, samba3 can be used with FreeIPA as File Sharing solution<br>
           and will use Single Sign On when you'll managed to setup winxp for<br>
           IPA.<br>
<br>
<br>
           Best regards and Happy New Year!<br>
<br>
           Kostya<br>
<br>
           Viji V Nair writes:<br>
           > Hi,<br>
           ><br>
           > I have setup samba as a PDC with kerberos and ldap. While adding the windows<br>
           > clients I get the following error message on the logs, and windows says the<br>
           > user name and password is incorrect<br>
           ><br>
           > [2008/12/31 19:00:09,  0] lib/util_sock.c:write_data(1059)<br>
           > [2008/12/31 19:00:09,  0] lib/util_sock.c:get_peer_addr_internal(1607)<br>
           >   getpeername failed. Error was Transport endpoint is not connected<br>
           >   write_data: write failure in writing to client 0.0.0.0. Error Connection<br>
           > reset by peer<br>
           > [2008/12/31 19:00:09,  0] smbd/process.c:srv_send_smb(74)<br>
           >   Error writing 4 bytes to client. -1. (Transport endpoint is not connected)<br>
           ><br>
           > Any help on the same will be greatly appreciated.<br>
           ><br>
           > # rpm -qa |grep samba<br>
           > samba-client-3.2.5-0.23.fc10.x86_64<br>
           > samba-common-3.2.5-0.23.fc10.x86_64<br>
           > samba-3.2.5-0.23.fc10.x86_64<br>
           > samba-winbind-3.2.5-0.23.fc10.x86_64<br>
           ><br>
           > # uname -a<br>
           > Linux viji.testing.com 2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35<br>
           > EST 2008 x86_64 x86_64 x86_64 GNU/Linux<br>
           ><br>
           > # cat /etc/samba/smb.conf<br>
           > [global]<br>
           >          workgroup           = TESTING.COM<br></div></div><div class="Ih2E3d">
           >          server string       = Samba Server Version %v<br>
           >          security            = user<br>
           >          passdb backend      = smbpasswd<br>
           >          socket options      = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192<br>
           >          os level            = 33<br>
           >          domain logons       = yes<br>
           >          domain master       = yes<br>
           >          local master        = yes<br>
           >          preferred master    = yes<br>
           >          wins support        = yes<br>
           >          template shell      = /bin/false<br>
           >          realm               = TESTING.COM<br></div><div><div></div><div class="Wj3C7c">
           >          use kerberos keytab = yes<br>
           >          load printers       = yes<br>
           >          cups options          = raw<br>
           > #         log level             = 3 passdb:5 auth:10<br>
           > [homes]<br>
           >         comment      = Home Directories<br>
           >         browseable   = no<br>
           >         writable     = yes<br>
           > [printers]<br>
           >         comment      = All Printers<br>
           >         path         = /var/spool/samba<br>
           >         browseable   = no<br>
           >         guest ok     = no<br>
           >         writable     = no<br>
           >         printable    = yes<br>
           > [share]<br>
           >         comment      = Share<br>
           >         path         = /share<br>
           >         browseable   = yes<br>
           >         guest ok     = no<br>
           >         writable     = yes<br>
           >         valid users  = admin<br>
           ><br>
           > Thanks<br>
           > Viji<br>
<br>
<br>
<br>
           Viji V Nair writes:<br>
<br>
               Hi,<br>
<br>
               I have done the modifications as suggested, but no luck,<br>
               getting the same error.<br>
<br>
               # kinit admin<br>
               # ipa-addservice host/bmdata01.testing.com<br>
               # ipa-getkeytab -s viji.testing.com -p host/bmdata01.testing.com -k /etc/krb5.keytab<br>
<br>
<br>
               Could you please elaborate the steps which you have done to<br>
               get it working on both the client and server side?<br>
<br>
               Thanks<br>
               Viji<br>
<br>
               On Tue, Dec 30, 2008 at 11:46 PM, Kozlov <<a href="mailto:mackoel@gmail.com" target="_blank">mackoel@gmail.com</a>> wrote:<br></div></div><div><div></div><div class="Wj3C7c">
<br>
                  Hi,<br>
<br>
                  The minor comment is that kadmin is supposed to be substituted with<br>
                  ipa-addservice.<br>
<br>
                  The major comment is that you've missed ipa-getkeytab on ipaserver<br>
                  that actually SETS password that you then install on winxp.<br>
<br>
                  And try to map  all users to one: for example,<br>
                  "* Administrator".<br>
<br>
                  Best regards,<br>
<br>
                  Kostya<br>
<br>
                  Viji V Nair writes:<br>
<br>
                      Hi,<br>
<br>
                      Thank you for the information, I have tried all these steps, but<br>
                      no success<br>
<br>
                      1. On the IPA Server I have created a host principal using the<br>
                      following command.<br>
<br>
                      # kadmin -q "ank host/bmdata01.testing.com"<br>
<br>
<br>
<br>
                      2. On the windows xp client<br>
<br>
                      C:> ksetup /setrealm TESTING.COM<br>
                      C:> ksetup /addkdc TESTING.COM viji.bigmaps.com<br>
                      C:> ksetup /setmachpassword <password><br>
                      C:> ksetup /mapuser admin@TESTING.COM guest<br>
<br>
                      C:> ksetup /mapuser * *<br>
<br>
                      After the above setup windows is showing TESTING.COM as a Kerberos Realm on<br>
                      the login screen, but when I try to login using the user name<br>
                      "admin" it is throwing the following error.<br>
<br>
<br>
                      "The system could not log you on. Make sure your user name and<br>
                      domain are correct, and then type your password again. Letters<br>
                      in passwords must be typed using the correct case."<br>
<br>
                      But the IPA (kerberos) server is issuing the tickets, the log shows:<br>
<br>
                      Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required<br></div></div><div class="Ih2E3d">
                      Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM<br>
                      Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM<br></div><div><div></div><div class="Wj3C7c">
<br>
<br>
                      I have found some article on Microsoft website, saying this is a<br>
                      bug and apply the latest service pack (SP3), I even tried that,<br>
                      but no success.<br>
<br>
                      <a href="http://support.microsoft.com/kb/825081" target="_blank">http://support.microsoft.com/kb/825081</a><br>
<br>
                      Similar Thread:<br>
                                   <a href="http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html" target="_blank">http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html</a><br>
<br>
                      Thanks & Regards<br>
<br>
                      Viji<br>
<br>
<br>
                      On Mon, Dec 29, 2008 at 6:35 PM, Konstantin Kozlov <<a href="mailto:kozlov@spbcas.ru" target="_blank">kozlov@spbcas.ru</a>> wrote:<br>
<br>
                         Hi,<br>
<br>
                         You can search the list for a similar thread and here are the steps<br>
                         I've followed with success:<br>
<br>
                         Add host principal for winxp machine with the encoding des-cbc-crc<br>
                         and password (-P option for ipa-getkeytab). Do not store this<br>
                         keytab in /etc/krb5.keytab but rather in some other file.<br>
<br>
                         Install MS Support Tools on WinXP, and run<br>
<br>
                         ksetup /setdomain ...<br>
                         ksetup /addkdc ...<br>
                         ksetup /setcomputerpassword ...<br>
                         ksetup /mapuser * <your user><br>
<br>
                         WinXP machine asks to log in to Kerberos realm at login screen.<br>
<br>
                         I failed to map one ipa-user to one win-user. But maybe because I<br>
                         didn't have enough time. If you will succeed - leave a note here please.<br>
<br>
                         Best regards,<br>
<br>
                         Kostya<br>
<br>
                         Viji V Nair wrote:<br>
<br>
                             Hi,<br>
<br>
                             I am a new user of free-ipa, I have installed the free-ipa<br>
                             packages shipped with fedora 10. I have more than 100 windows<br>
                             clients to authenticate. Here is my problem,<br>
<br>
                             All the clients are XP SP2, I have installed MIT Kerberos for<br>
                             Windows 3.2.2. Always the native windows login prompt appears<br>
                             first, when I log in to windows the kerberos client is asking for<br>
                             authentication.<br>
<br>
                             I want to replace this windows authentication with kerberos<br>
<br>
                             Any help on the same will be greatly appreciated.<br>
<br>
                             Thanks<br>
                             Viji<br>
<br>
<br>
                                                ------------------------------------------------------------------------<br>
<br>
                                    _______________________________________________<br>
                             Freeipa-users mailing list<br>
                             <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br>
<br>
<br>
                                          <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<br>
<br>
<br>
                         --    Konstantin Kozlov<br>
                         Department of Computational Biology,<br>
                         Center for Advanced Studies,<br>
                         SPb State Polytechnical University,<br>
                         195251, Polytechnicheskaya ul., 29,<br>
                         bld 4, office 204,<br>
                         St.Petersburg, Russia.<br>
<br>
                         Tel./fax: +7 812 596 2831<br>
<br>
</div></div><div class="Ih2E3d">
<br>
<br>
<br>
<br>
<br>
</div><div class="Ih2E3d">
<br>
<br>
<br>
<br>
<br>
</div></blockquote>
<br>
</blockquote></div><br>
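A check for the keytab advice in Kostya's quoted steps (des-cbc-crc key for the XP host, kept out of /etc/krb5.keytab), as an added example that is not part of the thread: it scans saved `klist -ket` output and lists principals that hold single-DES keys. The listing layout is assumed to be MIT klist's, and the host names, realm and sample listings are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `klist -ket <keytab>` output on
# stdin and prints each principal that holds a single-DES key.
single_des_principals() {
    awk '
        $1 ~ /^[0-9]+$/ {                        # data rows start with the KVNO
            sub(/[ \t]+$/, "")
            if (!match($0, /\([^()]*\)$/)) next  # enctype is the trailing "(...)"
            enc = tolower(substr($0, RSTART + 1, RLENGTH - 2))
            sub(/^deprecated:/, "", enc)
            # Short names, plus the long description older klist builds print.
            # Anchoring at the start keeps "Triple DES ..." and des3-* out.
            if (enc ~ /^des-cbc-(crc|md4|md5)$/ || enc ~ /^des cbc mode with /)
                print $4                         # KVNO, date, time, principal
        }' | sort -u
}

# Succeeds only when the listing on stdin contains no single-DES keys.
keytab_is_des_free() { [ -z "$(single_des_principals)" ]; }

# Constructed listing standing in for the server's /etc/krb5.keytab.
sample_system_keytab() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------------
   2 01/03/2009 10:15:01 host/ipa01.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 01/03/2009 10:15:01 host/ipa01.example.test@EXAMPLE.TEST (Triple DES cbc mode with HMAC/sha1)
EOF
}

# Constructed listing standing in for the separate keytab made for the XP host.
sample_winxp_keytab() {
cat <<'EOF'
Keytab name: FILE:/root/winxp01.keytab
KVNO Timestamp           Principal
---- ------------------- ----------------------------------------------
   1 01/03/2009 10:20:44 host/winxp01.example.test@EXAMPLE.TEST (DES cbc mode with CRC-32)
   2 01/03/2009 10:31:09 host/winxp01.example.test@EXAMPLE.TEST (des-cbc-crc)
EOF
}

for sample in sample_system_keytab sample_winxp_keytab; do
    if $sample | keytab_is_des_free; then
        echo "$sample: no single-DES keys"
    else
        echo "$sample: single-DES keys for: $($sample | single_des_principals)"
    fi
done
```

On a real host, pipe `klist -ket` for each keytab into `single_des_principals`; the system keytab should come back empty and only the separate XP keytab should list the host principal.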