[Freeipa-users] Windows Client Problem

Kozlov mackoel at gmail.com
Tue Dec 30 18:16:13 UTC 2008


Hi,

The minor comment is that kadmin is supposed to be substituted with 
ipa-addservice.

The major comment is that you've missed ipa-getkeytab on ipaserver that 
actually SETS password that you then install on winxp.

And try to map all users to one: for example,
"* Administrator".

Best regards,

Kostya

Viji V Nair wrote:
> Hi,
> 
> Thank you for the information, I have tried all these steps, but no success
> 
> 1. On the IPA Server I have created a host principal using the following 
> command.
> 
> # kadmin -q "ank host/bmdata01.testing.com"
> 
> 2. On the windows xp client
> 
> C:> ksetup /setrealm TESTING.COM
> C:> ksetup /addkdc TESTING.COM viji.bigmaps.com
> C:> ksetup /setmachpassword <password>
> C:> ksetup /mapuser admin@TESTING.COM guest
> C:> ksetup /mapuser * *
> 
> After the above setup windows is showing TESTING.COM as a Kerberos Realm
> on the login screen, but when I try to login using the user name "admin"
> it is throwing the following error.
> 
> "The system could not log you on. Make sure your user name and domain 
> are correct, and then type your password again. Letters in passwords 
> must be typed using the correct case."
> 
> But the IPA (kerberos) server is issuing the tickets, the log shows:
> 
> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes
> {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH:
> admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional
> pre-authentication required
> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes
> {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23
> tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM
> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes
> {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763,
> etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for
> host/bmdata01.testing.com@TESTING.COM
> 
> I have found some article on Microsoft website, saying this is a bug and 
> apply the latest service pack (SP3), I even tried that, but no success.
> 
> http://support.microsoft.com/kb/825081
> 
> Similar Thread: 
> http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html
> 
> Thanks & Regards
> 
> Viji
> 
> 
> On Mon, Dec 29, 2008 at 6:35 PM, Konstantin Kozlov <kozlov at spbcas.ru>
> wrote:
> 
>     Hi,
> 
>     You can search the list for a similar thread and here are the steps
>     I've followed with success:
> 
>     Add host principal for winxp machine with the encoding des-cbc-crc
>     and password (-P option for ipa-getkeytab). Do not store this
>     keytab in /etc/krb5.keytab but rather in some other file.
> 
>     Install MS Support Tools on WinXP, and run
> 
>     ksetup /setdomain ...
>     ksetup /addkdc ...
>     ksetup /setcomputerpassword ...
>     ksetup /mapuser * <your user>
> 
>     WinXP machine asks to login to Kerberos realm at login screen.
> 
>     I failed to map one ipa-user to one win-user. But maybe because I
>     didn't have enough time. If you will succeed - leave a note here please.
> 
>     Best regards,
> 
>     Kostya
> 
>     Viji V Nair wrote:
> 
>         Hi,
> 
>         I am a new user of free-ipa, I have installed the free-ipa
>         packages shipped with fedora 10. I have more than 100 windows
>         clients to authenticate. Here is my problem,
> 
>         All the clients are XP SP2, I have installed MIT Kerberos for
>         Windows 3.2.2. Always the native windows login prompt appears
>         first, when I log in to windows the kerberos client is asking for
>         authentication.
> 
>         I want to replace this windows authentication with kerberos
> 
>         Any help on the same will be greatly appreciated.
> 
>         Thanks
>         Viji
> 
> 
>         ------------------------------------------------------------------------
> 
>         _______________________________________________
>         Freeipa-users mailing list
>         Freeipa-users at redhat.com
>         https://www.redhat.com/mailman/listinfo/freeipa-users
> 
> 
> 
>     -- 
>     Konstantin Kozlov
>     Department of Computational Biology,
>     Center for Advanced Studies,
>     SPb State Polytechnical University,
>     195251, Polytechnicheskaya ul., 29,
>     bld 4, office 204,
>     St.Petersburg, Russia.
> 
>     Tel./fax: +7 812 596 2831
> 
> 
> 
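
A diagnostic sketch for the KDC log quoted in this thread, added here as an example and not part of the original messages: it parses krb5kdc `ISSUE` lines and reports service tickets whose `tkt=` encryption type is missing from the etype list the client sent. It assumes the requesting workstation is also the `host/` service that has to decrypt the ticket; the first three sample lines are adapted from the quoted log, the fourth is constructed.

```python
import re

# Kerberos encryption type numbers that appear in krb5kdc logs.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac", 24: "rc4-hmac-exp"}

ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[-\d ]+)\}\) "
    r"(?P<addr>\S+): ISSUE: .*?etypes \{rep=(?P<rep>-?\d+) "
    r"tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)")

def parse_issue(line):
    """Return a dict for an ISSUE line, or None for any other log line."""
    m = ISSUE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(e) for e in rec["offered"].split()]
    rec["tkt"] = int(rec["tkt"])
    return rec

def undecryptable_tickets(lines):
    """Service tickets encrypted with an etype the requester did not list."""
    findings = []
    for line in lines:
        rec = parse_issue(line)
        # krbtgt tickets are only ever decrypted by the KDC itself, so skip them.
        if rec is None or rec["service"].startswith("krbtgt/"):
            continue
        if rec["tkt"] not in rec["offered"]:
            rec["tkt_name"] = ETYPE_NAMES.get(rec["tkt"], "unknown")
            findings.append(rec)
    return findings

P = "Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): "
SAMPLE_LOG = [  # lines 1-3 adapted from the thread; line 4 is constructed
    P + "AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required",
    P + "AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM",
    P + "TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM",
    P + "TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=1 tkt=1 ses=1}, admin@TESTING.COM for host/example-xp.testing.com@TESTING.COM",
]

if __name__ == "__main__":
    for f in undecryptable_tickets(SAMPLE_LOG):
        print(f"{f['service']}: ticket etype {f['tkt']} ({f['tkt_name']}) "
              f"not in client list {f['offered']}")
```

A hit on the `host/` principal means the key stored for that principal on the KDC uses an encryption type the workstation never offered, which is the situation the `des-cbc-crc` keytab advice in the earlier reply addresses.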



