I did supply this to the list at the middle of September, but will re-send. I know things get lost in the flow of emails/lists. <div><br><div>==============IPA and ksetup steps=================</div><div><span class="Apple-style-span" style="font-size: 13px; color: rgb(34, 34, 34); font-family: arial, sans-serif; background-color: rgba(255, 255, 255, 0.917969); ">I can't find the TechNet article right now, but here's what I did that </span><span class="Apple-style-span" style="font-size: 13px; color: rgb(34, 34, 34); font-family: arial, sans-serif; background-color: rgba(255, 255, 255, 0.917969); ">makes Win7 (and XP, but XP doesn't need the gpedit step) work. </span></div>
<div><br></div><div>One note about this, I kept getting strange errors with any encryption besides rc4-hmac. For my situation I think it is suitable (a static environment once the systems are deployed), but if others want to spend more time hacking on the system MS messed up, go for it ;).<span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); "> </span><div>
<br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); "><span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">On FreeIPA:</span><br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">
<br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); "><span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">i. create the host principal in the web interface</span><br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">
<span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">ii. create IPA users to correspond to windows users</span><br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">
<span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">iii. reset the user's IPA password to a known password using the web </span><span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">interface, the user will be prompted to change at first log in. (is </span><span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">there a default password or is this random? sorry if that's somewhere </span><span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">else in docs and I missed it)</span><br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">
<span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">iv. on the IPA server run `ipa-getkeytab -s [kdc DNS name] -p </span><span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">host/[machine-name] -e arcfour-hmac -k krb5.keytab.[machine-name] -P` (enter the password that will be used in the `ksetup /setcomputerpassword` below)</span><br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">
<br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); "><span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">configure windows </span><span class="il" style="background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgba(255, 255, 255, 0.917969); color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; ">ksetup</span><span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">:</span><br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">
<br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); "><span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">i. </span><span class="il" style="background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgba(255, 255, 255, 0.917969); color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; ">ksetup</span><span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); "> /setdomain [REALM NAME]</span><br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">
<span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">ii. </span><span class="il" style="background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgba(255, 255, 255, 0.917969); color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; ">ksetup</span><span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); "> /addkdc [REALM NAME] [kdc DNS name]</span><br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">
<span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">iii. </span><span class="il" style="background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgba(255, 255, 255, 0.917969); color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; ">ksetup</span><span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); "> /addkpassword [REALM NAME] [kdc DNS name]</span><br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">
<span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">iv. </span><span class="il" style="background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgba(255, 255, 255, 0.917969); color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; ">ksetup</span><span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); "> /setcomputerpassword [PASSWORD]</span><br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">
<span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">v. </span><span class="il" style="background-image: initial; background-attachment: initial; background-origin: initial; background-clip: initial; background-color: rgba(255, 255, 255, 0.917969); color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; ">ksetup</span><span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); "> /mapuser * *</span><br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">
<span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">vi. Run gpedit.msc. Under Computer Configuration\Windows </span><span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">Settings\Security Settings\Local Policies\Security Options, open the </span><span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">key called “Network Security: Configure encryption types allowed for </span><span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">Kerberos” and unselect everything except RC4_HMAC_MD5 </span><br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">
<span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">vii. *** REBOOT ***</span><br style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">
<span class="Apple-style-span" style="color: rgb(34, 34, 34); font-family: arial, sans-serif; font-size: 13px; background-color: rgba(255, 255, 255, 0.917969); ">viii. log in as [user]@[REALM] with the initial password, you will be prompted to change the password then logged in.</span></div>
<div><font class="Apple-style-span" color="#222222" face="arial, sans-serif"><br></font></div><div><font class="Apple-style-span" color="#222222" face="arial, sans-serif"><br></font><br><div class="gmail_quote">On Tue, Nov 15, 2011 at 6:32 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u>
<div bgcolor="#ffffff" text="#000000"><div>
On 11/15/2011 04:01 PM, Jimmy wrote:
<blockquote type="cite">I know the Windows systems don't have full integration
with FreeIPA, but I have Windows systems authenticating to FreeIPA
      the same as they would to a regular MIT Kerberos system. They are
not using the same config that is posted on the FreeIPA website
where the IPA users are mapped to a single workstation user.
<div>
<br>
</div>
</blockquote>
<br></div>
Would you mind sharing your configuration and steps with us?<br>
<br>
<br>
Thank you<br>
Dmitri<div><div><br>
<br>
<blockquote type="cite">
<div>Jimmy<br>
<br>
<div class="gmail_quote">On Tue, Nov 15, 2011 at 3:40 PM, Steven
Jones <span dir="ltr"><<a href="mailto:Steven.Jones@vuw.ac.nz" target="_blank">Steven.Jones@vuw.ac.nz</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
Hi,<br>
<br>
            I don't think there is much realistic hope of getting windows
to authenticate to freeIPA......the others should be able to
and the fedora docs on the freeipa documentation web page
list a specific method for macs for one (but I have not
tried it yet, but I will be)....ubuntu has been mentioned
before....I have to try/do that as well....<br>
<br>
Siggi sent me some notes a while back,<br>
<br>
=============<br>
<br>
Ubuntu client install<br>
<br>
<br>
<a href="https://help.ubuntu.com/10.04/serverguide/C/kerberos.html" target="_blank">https://help.ubuntu.com/10.04/serverguide/C/kerberos.html</a><br>
<br>
<br>
sudo apt-get install krb5-user libpam-krb5 libpam-ccreds
auth-client-config<br>
<br>
<br>
maybe also need libpam-ldap libnss-ldap<br>
<br>
<br>
Use ipa-getkeytab on a IPA server to retrieve the keytab for
the host, and copy this to /etc/krb5.keytab on the Ubuntu
client.<br>
<br>
            [root@ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com
            -p host/ubuntu-client.ix.test.com
            -k /tmp/buntuclient_krb5.keytab<br>
<br>
If you prefer you can use something like CFengine to
automate the whole process.<br>
<br>
=============<br>
<br>
Hope that helps.............<br>
<br>
<br>
regards<br>
<br>
Steven Jones<br>
<br>
Technical Specialist - Linux RHCE<br>
<br>
Victoria University, Wellington, NZ<br>
<br>
0064 4 463 6272<br>
<br>
________________________________<br>
From: <a href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a>
[<a href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a>]
on behalf of Boris Epstein [<a href="mailto:borepstein@gmail.com" target="_blank">borepstein@gmail.com</a>]<br>
Sent: Wednesday, 16 November 2011 9:03 a.m.<br>
To: <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a><br>
Subject: [Freeipa-users] LDAP authentication into FreeIPA<br>
<div>
<div><br>
Hello all,<br>
<br>
                This may be my general LDAP illiteracy - I only dealt
with it briefly years ago - but I am trying to set up a
FreeIPA server on Fedora 16 to have my Macs and Ubuntu
Linux machines as well as a couple of Windows boxes to
authenticate to - and seem not to be making much forward
progress. Is there a step-by-step writeup on how to do
that sort of thing?<br>
<br>
Thanks for any and all help.<br>
<br>
Boris.<br>
<br>
</div>
</div>
_______________________________________________<br>
Freeipa-users mailing list<br>
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
</div></div><span><font color="#888888"><pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
</pre>
</font></span></div>
</blockquote></div><br>
</div></div></div>
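An added example, not part of the original thread: a keytab written with `-e arcfour-hmac`, as in step iv of the IPA steps above, holds only an RC4 key for the host, and this sketch parses an MIT keytab (file format 0x0502) to list principals whose keys all use weak enctypes. The realm, host names and all-zero keys in `SAMPLE` are constructed for illustration.

```python
import struct

WEAK = {1, 3, 16, 23}  # des-cbc-crc, des-cbc-md5, des3-cbc-sha1, arcfour-hmac (RC4)

def counted(buf, pos):  # uint16 length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from an MIT keytab, file format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        start, pos = pos + 4, pos + 4 + abs(size)  # pos now points at the next record
        if size <= 0:                    # negative size marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", data, start)
        realm, p = counted(data, start + 2)
        parts = []
        for _ in range(ncomp):
            name, p = counted(data, p)
            parts.append(name)
        p += 8                           # skip name type and timestamp
        kvno = data[p]
        etype, klen = struct.unpack_from(">HH", data, p + 1)
        p += 5 + klen                    # key bytes are skipped, never returned
        if pos - p >= 4:                 # optional 32-bit kvno replaces the 8-bit one
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(parts) + "@" + realm, kvno, etype))
    return entries

def weak_only_principals(entries):
    """Principals whose keys all use weak enctypes, e.g. an arcfour-hmac-only host."""
    seen = {}
    for princ, _, etype in entries:
        seen.setdefault(princ, set()).add(etype)
    return sorted(p for p, ets in seen.items() if ets <= WEAK)

def sample_entry(host, etype, keylen):  # constructed sample entry with an all-zero key
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", 2) + cs("EXAMPLE.TEST") + cs("host") + cs(host)
    body += struct.pack(">IIBHH", 1, 0, 1, etype, keylen) + bytes(keylen)
    return struct.pack(">i", len(body)) + body

SAMPLE = (b"\x05\x02" + sample_entry("win7.example.test", 23, 16)
          + sample_entry("ubuntu.example.test", 18, 32) + sample_entry("ubuntu.example.test", 23, 16))
```

To check a real file, pass its bytes to `parse_keytab`, for example `parse_keytab(open(path, "rb").read())`.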