[Freeipa-users] Windows Client Problem
Kozlov
mackoel at gmail.com
Tue Dec 30 18:16:13 UTC 2008
Hi,
The minor comment is that kadmin is supposed to be substituted with
ipa-addservice.
The major comment is that you've missed ipa-getkeytab on ipaserver that
actually SETS password that you then install on winxp.
And try to map all users to one: for example,
"* Administrator".
Best regards,
Kostya
Viji V Nair wrote:
> Hi,
>
> Thank you for the information, I have tried all these steps, but no success
>
> 1. On the IPA Server I have created a host principal using the following
> command.
>
> # kadmin -q "ank host/bmdata01.testing.com"
>
> 2. On the windows xp client
>
> C:> ksetup /setrealm TESTING.COM
> C:> ksetup /addkdc TESTING.COM viji.bigmaps.com
> C:> ksetup /setmachpassword <password>
> C:> ksetup /mapuser admin at TESTING.COM guest
> C:> ksetup /mapuser * *
>
> After the above setup windows is showing TESTING.COM as a Kerberos
> Realm on the login screen, but when I try to login using the user name
> "admin" it is throwing the following error.
>
> "The system could not log you on. Make sure your user name and domain
> are correct, and then type your password again. Letters in passwords
> must be typed using the correct case."
>
> But the IPA (kerberos) server is issuing the tickets, the log shows:
>
> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin at TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required
> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin at TESTING.COM for krbtgt/TESTING.COM@TESTING.COM
> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin at TESTING.COM for host/bmdata01.testing.com@TESTING.COM
>
> I have found some article on Microsoft website, saying this is a bug and
> apply the latest service pack (SP3), I even tried that, but no success.
>
> http://support.microsoft.com/kb/825081
>
> Similar Thread:
> http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html
>
> Thanks & Regards
>
> Viji
>
>
> On Mon, Dec 29, 2008 at 6:35 PM, Konstantin Kozlov <kozlov at spbcas.ru> wrote:
>
> Hi,
>
> You can search the list for a similar thread and here are the steps
> I've followed with success:
>
> Add host principal for winxp machine with the encoding des-cbc-crc
> and password (-P option for ipa-getkeytab). Do not store this
> keytab in /etc/krb5.keytab but rather in some other file.
>
> Install MS Support Tools on WinXP, and run
>
> ksetup /setdomain ...
> ksetup /addkdc ...
> ksetup /setcomputerpassword ...
> ksetup /mapuser * <your user>
>
> WinXP machine asks to login to Kerberos realm at login screen.
>
> I failed to map one ipa-user to one win-user. But maybe because I
> didn't have enough time. If you will succeed - leave a note here please.
>
> Best regards,
>
> Kostya
>
> Viji V Nair wrote:
>
> Hi,
>
> I am a new user of free-ipa, I have installed the free-ipa
> packages shipped with fedora 10. I have more than 100 windows
> clients to authenticate. Here is my problem,
>
> All the clients are XP SP2, I have installed MIT Kerberos for
> Windows 3.2.2. Always the native windows login prompt appears
> first, when I login to windows the kerberos client is asking for
> authentication.
>
> I want to replace this windows authentication with kerberos
>
> Any help on the same will be greatly appreciated.
>
> Thanks
> Viji
>
>
> --
> Konstantin Kozlov
> Department of Computational Biology,
> Center for Advanced Studies,
> SPb State Polytechnical University,
> 195251, Polytechnicheskaya ul., 29,
> bld 4, office 204,
> St.Petersburg, Russia.
>
> Tel./fax: +7 812 596 2831
>
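
Added example, not part of the thread: a Python check over krb5kdc `ISSUE` lines like those quoted above that flags service tickets whose `tkt` encryption type is not among the etypes the requesting machine offered. It assumes the requester is also the host that must decrypt the ticket, as in the XP logon above; the sample lines are constructed from the quoted log, and `linux01` is a hypothetical host.

```python
import re

# Kerberos encryption type numbers that appear in the thread's KDC log.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac", 24: "rc4-hmac-exp"}

# Matches only ISSUE lines; NEEDED_PREAUTH and error lines are skipped.
ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<addr>\S+): ISSUE: authtime \d+, "
    r"etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)"
)

PREFIX = "Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): "
# Constructed sample lines modelled on the quoted log; linux01 is hypothetical.
SAMPLE = [
    PREFIX + "AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: "
    "NEEDED_PREAUTH: admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, "
    "Additional pre-authentication required",
    PREFIX + "AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime "
    "1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for "
    "krbtgt/TESTING.COM@TESTING.COM",
    PREFIX + "TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: "
    "ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, "
    "admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM",
    PREFIX + "TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: "
    "ISSUE: authtime 1230656763, etypes {rep=23 tkt=23 ses=23}, "
    "admin@TESTING.COM for host/linux01.testing.com@TESTING.COM",
]

def audit(lines):
    """Return service tickets whose tkt etype the requester did not offer."""
    findings = []
    for line in lines:
        m = ISSUE_RE.search(line)
        # The TGT (krbtgt/...) is decrypted only by the KDC, so skip it.
        if not m or m["req"] != "TGS_REQ" or m["service"].startswith("krbtgt/"):
            continue
        offered = {int(e) for e in m["offered"].split()}
        tkt = int(m["tkt"])
        if tkt not in offered:
            findings.append({"service": m["service"], "client": m["client"],
                             "tkt": ETYPE_NAMES.get(tkt, str(tkt)),
                             "offered": sorted(offered)})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['service']}: ticket key {f['tkt']} not in offered {f['offered']}")
```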