Nope, I kept forgetting to re-post it. Here are the steps I used:<div><br></div><div><span style>On FreeIPA:</span><br style><br style><span style>i. create the host principal in the web interface</span><br style><span style>ii. create IPA users to correspond to windows users</span><br style> <span style>iii. reset the user's IPA password to a known password using the web</span><br style><span style>interface, the user will be prompted to change at first log in. (is</span><br style><span style>there a default password or is this random? sorry if that's somewhere</span><br style> <span style>else in docs and I missed it)</span><br style><span style>iv. on the IPA server run `ipa-getkeytab -s [kdc DNS name] -p</span><br style><span style>host/[machine-name] -e arcfour-hmac -k krb5.keytab.[machine-name] -P</span><br style> <br style><span style>configure windows </span><span class="il" style>ksetup</span><span style>:</span><br style><br style><span style>i. </span><span class="il" style>ksetup</span><span style> /setdomain [REALM NAME]</span><br style> <span style>ii. </span><span class="il" style>ksetup</span><span style> /addkdc [REALM NAME] [kdc DNS name]</span><br style><span style>iii. </span><span class="il" style>ksetup</span><span style> /addkpassword [REALM NAME] [kdc DNS name]</span><br style> <span style>iv. </span><span class="il" style>ksetup</span><span style> /setcomputerpassword [PASSWORD]</span><br style><span style>v. </span><span class="il" style>ksetup</span><span style> /mapuser * *</span><br style> <span style>vi. Run gpedit.msc. Under >Computer Configuration\Windows</span><br style><span style>Settings\Security Settings\Local Policies\Security Options open the</span><br style><span style>key called “Network Security: Configure encryption types allowed for</span><br style> <span style>Kerberos” unselect everything except RC4_HMAC_MD5</span><br style><span style>vii. *** REBOOT ***</span><br style><span style>viii. log in as [user]@[REALM] with the initial password, you will be</span><br style> <span style>prompted to change the password then logged in.</span> <br><br><div class="gmail_quote">On Fri, Feb 24, 2012 at 8:33 AM, Nigel Sollars <span dir="ltr"><<a href="mailto:nsollars@gmail.com">nsollars@gmail.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hello,<div><br></div><div>Ive been away for a little while, did I miss any posting of this information?.</div><div><br> </div><div>Thanks</div><div><span class="HOEnZb"><font color="#888888">Nigel Sollars</font></span><div><div class="h5"><br><br><div class="gmail_quote">On Thu, Feb 9, 2012 at 9:51 AM, Jimmy <span dir="ltr"><<a href="mailto:g17jimmy@gmail.com" target="_blank">g17jimmy@gmail.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Yes, I'll find that and post it. I've been traveling for work the past few weeks and haven't had it with me.<div> <div><br><br><div class="gmail_quote">On Thu, Feb 9, 2012 at 8:25 AM, Nigel Sollars <span dir="ltr"><<a href="mailto:nsollars@gmail.com" target="_blank">nsollars@gmail.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<div><br></div><div>Could you point me to the document please :).</div><div><br></div><div>Thanks in advance.<div><div> <br><br><div class="gmail_quote">On Mon, Feb 6, 2012 at 1:34 PM, Jimmy <span dir="ltr"><<a href="mailto:g17jimmy@gmail.com" target="_blank">g17jimmy@gmail.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I am not making the windows systems part of an AD. I only need to replicate users from an AD group to FreeIPA and I've had issues making that work. I was working on that with a couple guys here on the list a couple weeks ago but have been traveling so it's been hard to make time to work on that. <div> <br></div><div>I submitted the doc to configure Win7 a while back but will look for it and re-submit. </div><span><font color="#888888"><div><br></div><div>Jimmy</div></font></span><div><div> <div><br><div class="gmail_quote">On Mon, Feb 6, 2012 at 12:24 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><u></u> <div bgcolor="#ffffff" text="#000000"><div> On 02/06/2012 11:31 AM, Jimmy wrote: <blockquote type="cite">I don't think you have to put it anywhere, the ipa.getkeytab mainly sets the workstation password in freeipa. I keep the client keytabs in /etc (krb5.keytab.[clientname].) <div><br> </div> <div>I have many Win7 and WinXP workstations authenticating but I'm still working on getting user/password sync working.</div> <div><br> </div> <div>Jimmy</div> </blockquote> <br></div> Jimmy,<br> <br> Are you using Windows systems directly with IPA or you make them a part of the AD domain and use winsync to sync data from AD to IPA?<br> If you managed to setup Win7 directly with IPA please share how you have done this.<br> <br> Thanks<br> Dmitri<div><br> <br> <blockquote type="cite"> <div><br> <div class="gmail_quote">On Mon, Feb 6, 2012 at 10:39 AM, Nigel Sollars <span dir="ltr"><<a href="mailto:nsollars@gmail.com" target="_blank">nsollars@gmail.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> Hi all, <div><br> </div> <div>Quick question,</div> <div><br> </div> <div>I want to setup a Windows system to use my realm, ive followed the prep list and created a simple arcfour-hmac krb5.keytab. The guide does not mention where I place this keytab. I thought I would check before running any of the ksetup commands.</div> <div><br> </div> <div>Also just for reference has anyone gotten Windows 7 / server 2008 authenticated? ( I guess that should also include server 2003 ).</div> <div><br> </div> <div>Thanks in advance</div> <span><font color="#888888"> <div> <br> </div> <div>Nigel Sollars</div> <div><br clear="all"> <div><br> </div> -- <br> <font>“Science is a differential equation. Religion is a boundary condition.”<br> Alan Turing<br> </font><br> </div> </font></span><br> _______________________________________________<br> Freeipa-users mailing list<br> <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br> </blockquote> </div> <br> </div> <pre><fieldset></fieldset> _______________________________________________ Freeipa-users mailing list <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <br> <br> </div><span><font color="#888888"><pre cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a> </pre> </font></span></div> <br>_______________________________________________<br> Freeipa-users mailing list<br> <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br></blockquote></div><br></div> </div></div><br>_______________________________________________<br> Freeipa-users mailing list<br> <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><font>“Science is a differential equation. Religion is a boundary condition.”<br> Alan Turing<br></font><br> </div></div></div> <br>_______________________________________________<br> Freeipa-users mailing list<br> <a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br></blockquote></div><br> </div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><font>“Science is a differential equation. Religion is a boundary condition.”<br> Alan Turing<br> </font><br> </div></div></div> <br>_______________________________________________<br> Freeipa-users mailing list<br> <a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br></blockquote></div><br></div>