[Freeipa-users] Windows clients problem

Konstantin Kozlov kozlov at spbcas.ru
Thu Nov 20 13:00:00 UTC 2008


Hello,

I've run into other problems but now I am facing the same thing - WinXP 
can't log the ipauser in.

I have the host principal, I've set up the Kerberos on WinXP with 
ksetup, and got the key into krb5.keytab with password and enctype 
des-cbc-crc.

I've tried rc4-hmac but it made no difference. I have a question 
concerning this - rc4-hmac is listed neither in kdc.conf nor in LDAP 
as a supported enctype, but ipa-getkeytab didn't show an error when I 
tried to use this enctype. Should I add rc4-hmac to kdc.conf or the LDAP 
entry, or is it irrelevant, as WinXP is also said to support des-cbc-crc?

Thank you,

Kostya



Konstantin Kozlov wrote:
> Thank you for the help!
> 
> After another round of googling I've found that XP uses rc4-hmac...I'll 
> try that next day.
> 
> Johan Venter wrote:
>> Konstantin Kozlov wrote:
>>> Hello,
>>>
>>> Johan Venter wrote:
>>>> Konstantin Kozlov wrote:
>>>>> WinXP machine asks to login to Kerberos realm at login screen, but 
>>>>> doesn't let me in. The krb5 log file on IPA server shows that 
>>>>> ticket was issued. I can get ticket with MIT Kerberos from WinXP 
>>>>> machine but I can't access samba share.
>>>>
>>>> I had to add -e des-cbc-crc to the ipa-getkeytab command line I used 
>>>> to generate the Windows host principal and set the password before 
>>>> Windows login to the Kerberos realm would work.
>>>>
>>>> Windows XP/Server 2003 doesn't support useful encryption mechanisms.
>>>>
>>>
>>> I did that also and that didn't work. Do I need to install the keytab 
>>> on WinXP machine? If yes, how?
>>>
>>
>> Hmm .. I had to use the latest version of ipa-getkeytab (which 
>> supported the password option - I compiled my own RPMs for CentOS) and 
>> between that, the -e option and ksetup /setcomputerpassword it 
>> finally worked on my Windows Server 2003 machines.
>>
>> Maybe there is something different with XP machines, all I can suggest 
>> is try the different encryption types and see what works (DES 
>> generally, no AES or SHA hashes).
>>
>> Johan
>>
> 
> 


-- 
Konstantin Kozlov
Department of Computational Biology,
Center for Advanced Studies,
SPb State Polytechnical University,
195251, Polytechnicheskaya ul., 29,
bld 4, office 204,
St.Petersburg, Russia.

Tel./fax: +7 812 596 2831
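
Added example, not part of the original thread and not FreeIPA code: a Python check for the question raised above of whether an enctype name is listed in kdc.conf. It parses a realm's supported_enctypes line and treats rc4-hmac and arcfour-hmac as the same enctype, which a plain text search would miss; the realm names and sample file are constructed, and the alias table covers only the spellings shown.

```python
import re

# Alternate spellings MIT krb5 accepts for one enctype, mapped to a canonical name.
ALIASES = {
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
    "aes256-cts": "aes256-cts-hmac-sha1-96",
    "des3-hmac-sha1": "des3-cbc-sha1",
}

def canonical(name):
    name = name.strip().lower()
    return ALIASES.get(name, name)

def supported_enctypes(conf_text, realm):
    """Return [(enctype, salttype), ...] from the realm's supported_enctypes line."""
    current, pairs = None, []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        opened = re.match(r"^(\S+)\s*=\s*\{$", line)
        if opened:
            current = opened.group(1)          # entering a realm block
        elif line == "}":
            current = None                     # leaving it
        elif current == realm and line.startswith("supported_enctypes"):
            value = line.split("=", 1)[1].strip()
            for item in filter(None, re.split(r"[\s,]+", value)):
                enc, _, salt = item.partition(":")
                pairs.append((canonical(enc), salt or "normal"))
    return pairs

def is_listed(conf_text, realm, enctype):
    return canonical(enctype) in {enc for enc, _ in supported_enctypes(conf_text, realm)}

# Constructed sample, not taken from the poster's server.
SAMPLE_KDC_CONF = """
[realms]
 EXAMPLE.COM = {
  supported_enctypes = aes256-cts:normal des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
 }
 OTHER.EXAMPLE = {
  supported_enctypes = aes256-cts:normal, arcfour-hmac:normal
 }
"""

if __name__ == "__main__":
    for realm in ("EXAMPLE.COM", "OTHER.EXAMPLE"):
        for enc in ("des-cbc-crc", "rc4-hmac"):
            print(realm, enc, "listed" if is_listed(SAMPLE_KDC_CONF, realm, enc) else "not listed")
```

The check only reports what the file lists; running `klist -ke` on the keytab shows which enctypes the stored keys actually use.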
