[Freeipa-users] Windows Client Problem

Kozlov mackoel at gmail.com
Wed Dec 31 15:34:15 UTC 2008


Hi,

As I mentioned in the first reply to your post the right command is:

ipa-getkeytab -s viji.testing.com -p host/bmdata01.testing.com -e des-cbc-crc -k krb5.keytab.txt -P

in which you set the password that then goes to winxp host.

Best regards and Happy New Year!

Kostya

Viji V Nair wrote:
> Hi,
>
> I have done the modifications as suggested, but no luck, getting the 
> same error.
>
> # kinit admin
> # ipa-addservice host/bmdata01.testing.com
> # ipa-getkeytab -s viji.testing.com -p host/bmdata01.testing.com -k /etc/krb5.keytab
>
> Could you please elaborate the steps which you have done to get it 
> working on both the client and server side?
>
> Thanks
> Viji
>
> On Tue, Dec 30, 2008 at 11:46 PM, Kozlov <mackoel at gmail.com> wrote:
>
>     Hi,
>
>     The minor comment is that kadmin is supposed to be substituted
>     with ipa-addservice.
>
>     The major comment is that you've missed ipa-getkeytab on ipaserver
>     that actually SETS password that you then install on winxp.
>
>     And try to map  all users to one: for example,
>     "* Administrator".
>
>     Best regards,
>
>     Kostya
>
>     Viji V Nair wrote:
>
>         Hi,
>
>         Thank you for the information, I have tried all these steps,
>         but no success
>
>         1. On the IPA Server I have created a host principal using the
>         following command.
>
>         # kadmin -q "ank host/bmdata01.testing.com"
>
>
>         2. On the windows xp client
>
>         C:> ksetup /setrealm TESTING.COM
>         C:> ksetup /addkdc TESTING.COM viji.bigmaps.com
>         C:> ksetup /setmachpassword <password>
>         C:> ksetup /mapuser admin@TESTING.COM guest
>         C:> ksetup /mapuser * *
>
>         After the above setup windows is showing TESTING.COM as a
>         Kerberos Realm on the login screen, but when I try to login
>         using the user name "admin" it is throwing the following error.
>
>
>         "The system could not log you on. Make sure your user name and
>         domain are correct, and then type your password again. Letters
>         in passwords must be typed using the correct case."
>
>         But the IPA (kerberos) server is issuing the tickets, the log
>         shows:
>
>         Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required
>         Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM
>         Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM
>
>
>         I have found some article on Microsoft website, saying this is
>         a bug and apply the latest service pack (SP3), I even tried
>         that, but no success.
>
>         http://support.microsoft.com/kb/825081
>
>         Similar Thread:
>         http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html
>
>         Thanks & Regards
>
>         Viji
>
>
>         On Mon, Dec 29, 2008 at 6:35 PM, Konstantin Kozlov <kozlov at spbcas.ru> wrote:
>
>            Hi,
>
>            You can search the list for a similar thread and here are the
>            steps I've followed with success:
>
>            Add host principal for winxp machine with the encoding
>            des-cbc-crc and password (-P option for ipa-getkeytab). Do not
>            store this keytab in /etc/krb5.keytab but rather in some other
>            file.
>
>            Install MS Support Tools on WinXP, and run
>
>            ksetup /setdomain ...
>            ksetup /addkdc ...
>            ksetup /setcomputerpassword ...
>            ksetup /mapuser * <your user>
>
>            WinXP machine asks to login to Kerberos realm at login screen.
>
>            I failed to map one ipa-user to one win-user. But maybe because
>            I didn't have enough time. If you will succeed - leave a note
>            here please.
>
>            Best regards,
>
>            Kostya
>
>            Viji V Nair wrote:
>
>                Hi,
>
>                I am a new user of free-ipa, I have installed the free-ipa
>                packages shipped with fedora 10. I have more than 100
>                windows clients to authenticate. Here is my problem,
>
>                All the clients are XP SP2, I have installed MIT Kerberos
>                for Windows 3.2.2. Always the native windows login prompt
>                appears first, when I login to windows the kerberos client
>                is asking for authentication.
>
>                I want to replace this windows authentication with kerberos
>
>                Any help on the same will be greatly appreciated.
>
>                Thanks
>                Viji
>
>
>              
>          ------------------------------------------------------------------------
>
>                _______________________________________________
>                Freeipa-users mailing list
>                Freeipa-users at redhat.com
>
>                https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
>            --    Konstantin Kozlov
>            Department of Computational Biology,
>            Center for Advanced Studies,
>            SPb State Polytechnical University,
>            195251, Polytechnicheskaya ul., 29,
>            bld 4, office 204,
>            St.Petersburg, Russia.
>
>            Tel./fax: +7 812 596 2831
>
>
>
>
>
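
Added example (not part of the original thread or of FreeIPA): a Python check over the krb5kdc lines quoted above that reports a service ticket issued with an encryption type the requesting host did not offer, which is what keying the host principal with des-cbc-crc changes. It assumes the requesting machine is also the host that must decrypt the ticket, as in a workstation logon; the function names are hypothetical.

```python
import re

# Kerberos etype numbers seen in this log; the negative values are
# Windows-private etypes with no standard name.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 18: "aes256-cts-hmac-sha1-96",
               23: "arcfour-hmac", 24: "arcfour-hmac-exp"}

# Matches krb5kdc "ISSUE" lines in the format quoted in the thread.
ISSUE_RE = re.compile(
    r"(?:AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<addr>\S+): ISSUE: "
    r".*?etypes \{rep=-?\d+ tkt=(?P<tkt>-?\d+) ses=-?\d+\}, "
    r"(?P<client>\S+) for (?P<service>\S+)")

# The three KDC log lines from the thread, archive link residue removed.
SAMPLE_LOG = [
    "Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) "
    "172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required",
    "Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: "
    "authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM",
    "Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: "
    "authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM",
]

def check_line(line):
    """Return a finding if a service ticket uses an etype the requester did not offer."""
    m = ISSUE_RE.search(line)
    if m is None:
        return None                      # NEEDED_PREAUTH and other non-ISSUE lines
    if m["service"].startswith("krbtgt/"):
        return None                      # a TGT is decrypted by the KDC, any etype is fine
    offered = sorted(int(x) for x in m["offered"].split())
    tkt = int(m["tkt"])
    # Assumption: the requester is also the host that must decrypt this ticket
    # (workstation logon), so its offered list bounds what it can decrypt.
    if tkt in offered:
        return None
    return {"service": m["service"], "client": m["client"], "addr": m["addr"],
            "tkt": tkt, "tkt_name": ETYPE_NAMES.get(tkt, "unknown"), "offered": offered}

def scan(lines):
    """Check every line and return the findings in log order."""
    return [f for f in map(check_line, lines) if f is not None]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['service']}: ticket etype {f['tkt']} ({f['tkt_name']}) "
              f"not in etypes offered by {f['addr']}: {f['offered']}")
```

Run against a live krb5kdc log, the same scan shows whether the host principal's ticket etype changes after the keytab is regenerated.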



