I did supply this to the list at the middle of September, but will re-send. I know things get lost in the flow of emails/lists. <div> <div>==============IPA and ksetup steps=================</div><div>I can't find the technet article right now, but here's what I did that makes Win7(and xp, but xp doesn't need the gpedit step) work. </div> <div> </div><div>One note about this, I kept getting strange errors with any encryption besides rc4-hmac. For my situation I think it is suitable(a static environment once the systems are deployed,) but if others want to spend more time hacking on the system MS messed up, go for it ;). <div> On FreeIPA: i. create the host principal in the web interface ii. create IPA users to correspond to windows users iii. reset the user's IPA password to a known password using the web interface, the user will be prompted to change at first log in. (is there a default password or is this random? sorry if that's somewhere else in docs and I missed it) iv. on the IPA server run `ipa-getkeytab -s [kdc DNS name] -p host/[machine-name] -e arcfour-hmac -k krb5.keytab.[machine-name] -P` (enter the password that will be used in the `ksetup /secomputerpassword` below) configure windows <span class="il" style="background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgba(255, 255, 255, 0.917969); color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; ">ksetup: i. <span class="il" style="background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgba(255, 255, 255, 0.917969); color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; ">ksetup /setdomain [REALM NAME] ii. <span class="il" style="background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgba(255, 255, 255, 0.917969); color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; ">ksetup /addkdc [REALM NAME] [kdc DNS name] iii. <span class="il" style="background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgba(255, 255, 255, 0.917969); color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; ">ksetup /addkpassword [REALM NAME] [kdc DNS name] iv. <span class="il" style="background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgba(255, 255, 255, 0.917969); color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; ">ksetup /setcomputerpassword [PASSWORD] v. <span class="il" style="background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgba(255, 255, 255, 0.917969); color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; ">ksetup /mapuser * * vi. Run gpedit.msc. Under >Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options open the key called “Network Security: Configure encryption types allowed for Kerberos” unselect everything except RC4_HMAC_MD5 vii. *** REBOOT *** viii. log in as [user]@[REALM] with the initial password, you will be prompted to change the password then logged in.</div> <div> </div><div> <div class="gmail_quote">On Tue, Nov 15, 2011 at 6:32 PM, Dmitri Pal <<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div bgcolor="#ffffff" text="#000000"><div> On 11/15/2011 04:01 PM, Jimmy wrote: <blockquote type="cite">I know the Windows systems don't have full integration with FreeIPA, but I have Windows systems authenticating to FreeIPA the same as they would to a regular MIT Kerberos system. The are not using the same config that is posted on the FreeIPA website where the IPA users are mapped to a single workstation user. <div> </div> </blockquote> </div> Would you mind sharing your configuration and steps with us? Thank you Dmitri<div><div> <blockquote type="cite"> <div>Jimmy <div class="gmail_quote">On Tue, Nov 15, 2011 at 3:40 PM, Steven Jones <<a href="mailto:Steven.Jones@vuw.ac.nz" target="_blank">Steven.Jones@vuw.ac.nz</a>> wrote: <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex"> Hi, I dont think there is much realistic hope of getting windows to authenticate to freeIPA......the others should be able to and the fedora docs on the freeipa documentation web page list a specific method for macs for one (but I have not tried it yet, but I will be)....ubuntu has been mentioned before....I have to try/do that as well.... Siggi sent me some notes a while back, ============= Ubuntu client install <a href="https://help.ubuntu.com/10.04/serverguide/C/kerberos.html" target="_blank">https://help.ubuntu.com/10.04/serverguide/C/kerberos.html</a> sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config maybe also need libpam-ldap libnss-ldap Use ipa-getkeytab on a IPA server to retrieve the keytab for the host, and copy this to /etc/krb5.keytab on the Ubuntu client. [root@ipa1 ~]# ipa-getkeytab -s <a href="http://ipa1.ix.test.com" target="_blank">ipa1.ix.test.com</a> -p host/<a href="http://ubuntu-client.ix.test.com" target="_blank">ubuntu-client.ix.test.com</a> -k /tmp/buntuclient_krb5.keytab If you prefer you can use something like CFengine to automate the whole process. ============= Hope that helps............. regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 ________________________________ From: <a href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a> [<a href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a>] on behalf of Boris Epstein [<a href="mailto:borepstein@gmail.com" target="_blank">borepstein@gmail.com</a>] Sent: Wednesday, 16 November 2011 9:03 a.m. To: <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a> Subject: [Freeipa-users] LDAP authentication into FreeIPA <div> <div> Hello all, This may be my general LDAP illiteracy - I only dealth with it briefly years ago - but I am trying to set up a FreeIPA server on Fedora 16 to have my Macs and Ubuntu Linux machines as well as a couple of Windows boxes to authenticate to - and seem not to be making much forward progress. Is there a step-by-step writeup on how to do that sort of thing? Thanks for any and all help. Boris. </div> </div> _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </blockquote> </div> </div> <pre><fieldset></fieldset> _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> </div></div><pre cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a> </pre> </div> _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a> </blockquote></div> </div></div></div>