[Freeipa-users] Windows XP client can't login

Konstantin Kozlov kozlov at spbcas.ru
Mon Nov 24 11:44:55 UTC 2008


Hello,

I have not received any reply to my last post in
https://www.redhat.com/archives/freeipa-users/2008-November/msg00004.html
so I am starting a new thread with a more precise title.

I have ipaserver 1.2 on Fedora 9 and ipaclient on CentOS 5 with
recompiled rpms from RHEL. I want to let an ipauser log in to a Windows
XP box.

Did anybody succeed in such a challenge?

I have the host principal, I've set up Kerberos on WinXP with
ksetup, and got the key into krb5.keytab on ipaserver with password and
enctype des-cbc-crc. But WinXP can't log the ipauser in.

I've tried rc4-hmac but it made no difference. I have a question
concerning this - rc4-hmac is listed neither in kdc.conf nor in ldap
as a supported enctype, but ipa-getkeytab didn't show an error when I tried
to use this enctype. Should I add rc4-hmac to kdc.conf or the ldap entry, or
is it irrelevant as WinXP is also said to support des-cbc-crc?

Thank you,

Kostya



Konstantin Kozlov wrote:
> Thank you for the help!
> 
> After another round of googling I've found that XP uses rc4-hmac...I'll 
> try that next day.
> 
> Johan Venter wrote:
>> Konstantin Kozlov wrote:
>>> Hello,
>>>
>>> Johan Venter wrote:
>>>> Konstantin Kozlov wrote:
>>>>> WinXP machine asks to login to Kerberos realm at login screen, but 
>>>>> doesn't let me in. The krb5 log file on IPA server shows that 
>>>>> ticket was issued. I can get ticket with MIT Kerberos from WinXP 
>>>>> machine but I can't access samba share.
>>>>
>>>> I had to add -e des-cbc-crc to the ipa-getkeytab command line I used 
>>>> to generate the Windows host principal and set the password before 
>>>> Windows login to the Kerberos realm would work.
>>>>
>>>> Windows XP/Server 2003 doesn't support useful encryption mechanisms.
>>>>
>>>
>>> I did that also and that didn't work. Do I need to install the keytab 
>>> on WinXP machine? If yes, how?
>>>
>>
>> Hmm .. I had to use the latest version of ipa-getkeytab (which 
>> supported the password option - I compiled my own RPMs for CentOS) and 
>> between that, the -e option and ksetup /setcomputerpassword it 
>> finally worked on my Windows Server 2003 machines.
>>
>> Maybe there is something different with XP machines, all I can suggest 
>> is try the different encryption types and see what works (DES 
>> generally, no AES or SHA hashes).
>>
>> Johan
>>
> 
> 


-- 
Konstantin Kozlov
Department of Computational Biology,
Center for Advanced Studies,
SPb State Polytechnical University,
195251, Polytechnicheskaya ul., 29,
bld 4, office 204,
St.Petersburg, Russia.

Tel./fax: +7 812 596 2831
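
For the kdc.conf question in the message above, a check of whether an enctype name passed to ipa-getkeytab -e is covered by a realm's supported_enctypes line, taking MIT Kerberos aliases into account (rc4-hmac and arcfour-hmac name the same enctype). This is an added example, not part of the original post; the realm name, sample file contents and function names are constructed for illustration, and the LDAP side is not covered.

```python
import re
# Aliases accepted by MIT Kerberos, mapped to one canonical name each.
ALIASES = {
    "rc4-hmac": "arcfour-hmac",
    "arcfour-hmac-md5": "arcfour-hmac",
    "aes256-cts-hmac-sha1-96": "aes256-cts",
    "aes128-cts-hmac-sha1-96": "aes128-cts",
    "des3-hmac-sha1": "des3-cbc-sha1",
}
# Single DES and RC4 are weak; report them so they can be phased out later.
WEAK = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-hmac-sha1", "arcfour-hmac"}

def canonical(name):
    name = name.strip().lower()
    return ALIASES.get(name, name)

def supported_enctypes(kdc_conf_text):
    """Return {realm: [canonical enctype, ...]} from supported_enctypes lines."""
    result, realm = {}, None
    for raw in kdc_conf_text.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")):
            continue
        m = re.match(r"^([A-Za-z0-9.\-]+)\s*=\s*\{$", line)
        if m:
            realm = m.group(1)
        elif line == "}":
            realm = None
        elif realm and line.startswith("supported_enctypes"):
            # keysalt list: "enctype:salttype" pairs split on whitespace or commas
            pairs = re.split(r"[\s,]+", line.split("=", 1)[1].strip())
            result[realm] = [canonical(p.split(":")[0]) for p in pairs if p]
    return result

def check(kdc_conf_text, realm, wanted):
    """Return (listed_in_kdc_conf, is_weak) for the requested enctype name."""
    enc = canonical(wanted)
    return enc in supported_enctypes(kdc_conf_text).get(realm, []), enc in WEAK

# Constructed sample kdc.conf fragment, not the poster's actual file.
SAMPLE = """\
[realms]
 EXAMPLE.COM = {
  supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
 }
"""

if __name__ == "__main__":
    for e in ("des-cbc-crc", "rc4-hmac"):
        print(e, check(SAMPLE, "EXAMPLE.COM", e))
```

On a KDC, the same comparison can be made against the output of `klist -ke` on the generated keytab to see which enctypes the key was actually stored with.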



