[Freeipa-users] Windows Client Problem
Kozlov
mackoel at gmail.com
Wed Dec 31 15:34:15 UTC 2008
Hi,
As I mentioned in the first reply to your post the right command is:
ipa-getkeytab -s viji.testing.com -p host/bmdata01.testing.com -e des-cbc-crc -k krb5.keytab.txt -P
in which you set the password that then goes to winxp host.
Best regards and Happy New Year!
Kostya
Viji V Nair wrote:
> Hi,
>
> I have done the modifications as suggested, but no luck, getting the
> same error.
>
> # kinit admin
> # ipa-addservice host/bmdata01.testing.com
> # ipa-getkeytab -s viji.testing.com -p host/bmdata01.testing.com -k /etc/krb5.keytab
>
> Could you please elaborate the steps which you have done to get it
> working on both the client and server side?
>
> Thanks
> Viji
>
> On Tue, Dec 30, 2008 at 11:46 PM, Kozlov <mackoel at gmail.com> wrote:
>
> Hi,
>
> The minor comment is that kadmin is supposed to be substituted
> with ipa-addservice.
>
> The major comment is that you've missed ipa-getkeytab on ipaserver
> that actually SETS password that you then install on winxp.
>
> And try to map all users to one: for example,
> "* Administrator".
>
> Best regards,
>
> Kostya
>
> Viji V Nair wrote:
>
> Hi,
>
> Thank you for the information, I have tried all these steps,
> but no success
>
> 1. On the IPA Server I have created a host principal using the
> following command.
>
> # kadmin -q "ank host/bmdata01.testing.com"
>
>
> 2. On the windows xp client
>
> C:> ksetup /setrealm TESTING.COM
> C:> ksetup /addkdc TESTING.COM viji.bigmaps.com
> C:> ksetup /setmachpassword <password>
> C:> ksetup /mapuser admin@TESTING.COM guest
> C:> ksetup /mapuser * *
>
> After the above setup windows is showing TESTING.COM as a Kerberos Realm
> on the login screen, but when I try to login using the user
> name "admin" it is throwing the following error.
>
>
> "The system could not log you on. Make sure your user name and
> domain are correct, and then type your password again. Letters
> in passwords must be typed using the correct case."
>
> But the IPA (kerberos) server is issuing the tickets, the log
> shows:
>
> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required
> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM
> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM
>
>
> I have found some article on Microsoft website, saying this is
> a bug and apply the latest service pack (SP3), I even tried
> that, but no success.
>
> http://support.microsoft.com/kb/825081
>
> Similar Thread:
> http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html
>
> Thanks & Regards
>
> Viji
>
>
> On Mon, Dec 29, 2008 at 6:35 PM, Konstantin Kozlov <kozlov at spbcas.ru> wrote:
>
> Hi,
>
> You can search the list for a similar thread and here are
> the steps
> I've followed with success:
>
> Add host principal for winxp machine with the encoding des-cbc-crc
> and password (-P option for ipa-getkeytab). Do not store this
> keytab in /etc/krb5.keytab but rather in some other file.
>
> Install MS Support Tools on WinXP, and run
>
> ksetup /setdomain ...
> ksetup /addkdc ...
> ksetup /setcomputerpassword ...
> ksetup /mapuser * <your user>
>
> WinXP machine asks to login to Kerberos realm at login screen.
>
> I failed to map one ipa-user to one win-user. But maybe because I
> didn't have enough time. If you will succeed - leave a note
> here please.
>
> Best regards,
>
> Kostya
>
> Viji V Nair wrote:
>
> Hi,
>
> I am a new user of free-ipa, I have installed the free-ipa
> packages shipped with fedora 10. I have more than 100 windows
> clients to authenticate. Here is my problem,
>
> All the clients are XP SP2, I have installed MIT Kerberos for
> Windows 3.2.2. Always the native windows login prompt appears
> first, when I log in to windows the kerberos client is asking for
> authentication.
>
> I want to replace this windows authentication with kerberos
>
> Any help on the same will be greatly appreciated.
>
> Thanks
> Viji
>
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
>
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> -- Konstantin Kozlov
> Department of Computational Biology,
> Center for Advanced Studies,
> SPb State Polytechnical University,
> 195251, Polytechnicheskaya ul., 29,
> bld 4, office 204,
> St.Petersburg, Russia.
>
> Tel./fax: +7 812 596 2831
>
>
>
>
>
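Added example, not part of the original thread: a small parser for the krb5kdc ISSUE lines quoted above that decodes the enctype numbers and flags a host/ ticket encrypted with a key type the requesting machine did not offer (here `tkt=18` against an offer of `{23 -133 -128 3 1 24 -135}`). The first two sample lines are the thread's log with the archive's link and address rewriting undone; the third is constructed, and the function names are this example's own.

```python
import re

# Enctype numbers from the public Kerberos registry; negative numbers are
# vendor-private values and are only reported as such here.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}

ISSUE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<addr>\S+): ISSUE: .*?etypes \{rep=(?P<rep>-?\d+) "
    r"tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, "
    r"(?P<client>\S+) for (?P<service>\S+)")

def etype_name(n):
    return ETYPES.get(n, "vendor-private" if n < 0 else "unknown") + f" ({n})"

def parse_issue(line):
    """Return the fields of a krb5kdc ISSUE line, or None for other lines."""
    m = ISSUE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(x) for x in rec["offered"].split()]
    for key in ("rep", "tkt", "ses"):
        rec[key] = int(rec[key])
    return rec

def host_ticket_mismatches(lines):
    """Flag host/ tickets whose key type the requester did not offer.
    Heuristic: meaningful only when the requesting machine is also the host
    that has to decrypt the ticket, as in this thread."""
    hits = []
    for line in lines:
        rec = parse_issue(line)
        if (rec and rec["req"] == "TGS_REQ"
                and rec["service"].startswith("host/")
                and rec["tkt"] not in rec["offered"]):
            hits.append((rec["service"], etype_name(rec["tkt"]),
                         [etype_name(e) for e in rec["offered"]]))
    return hits

PREFIX = "Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): "
TGS = PREFIX + "TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, "
SAMPLE = [
    PREFIX + "AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM",
    TGS + "etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM",
    # Constructed: the same request once the host key is des-cbc-crc only.
    TGS + "etypes {rep=23 tkt=1 ses=1}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM",
]
```

Running `host_ticket_mismatches(SAMPLE)` reports only the second line; the krbtgt ticket in the first line is decrypted by the KDC itself, so its `tkt=18` is not flagged.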