[Freeipa-users] Windows XP client can't login
Konstantin Kozlov
kozlov at spbcas.ru
Mon Nov 24 11:44:55 UTC 2008
Hello,
I have not had any reply to the last post in
https://www.redhat.com/archives/freeipa-users/2008-November/msg00004.html
so I am starting a new thread with a more precise title.
I have ipaserver 1.2 on Fedora 9 and ipaclient on CentOS 5 with
recompiled rpms from RHEL. I want to let an ipauser log in to a Windows
XP box.
Did anybody succeed in such a challenge?
I have the host principal, I've set up Kerberos on WinXP with
ksetup, and got the key into krb5.keytab on ipaserver with password and
enctype des-cbc-crc. But WinXP can't log the ipauser in.
I've tried rc4-hmac but it made no difference. I have a question
concerning this: rc4-hmac is listed neither in kdc.conf nor in LDAP
as a supported enctype, but ipa-getkeytab didn't show an error when I tried
to use this enctype. Should I add rc4-hmac to kdc.conf or the LDAP entry, or
is it irrelevant as WinXP is also said to support des-cbc-crc?
Thank you,
Kostya
Konstantin Kozlov wrote:
> Thank you for the help!
>
> After another round of googling I've found that XP uses rc4-hmac...I'll
> try that next day.
>
> Johan Venter wrote:
>> Konstantin Kozlov wrote:
>>> Hello,
>>>
>>> Johan Venter wrote:
>>>> Konstantin Kozlov wrote:
>>>>> WinXP machine asks to login to Kerberos realm at login screen, but
>>>>> doesn't let me in. The krb5 log file on IPA server shows that
>>>>> ticket was issued. I can get ticket with MIT Kerberos from WinXP
>>>>> machine but I can't access samba share.
>>>>
>>>> I had to add -e des-cbc-crc to the ipa-getkeytab command line I used
>>>> to generate the Windows host principal and set the password before
>>>> Windows login to the Kerberos realm would work.
>>>>
>>>> Windows XP/Server 2003 doesn't support useful encryption mechanisms.
>>>>
>>>
>>> I did that also and that didn't work. Do I need to install the keytab
>>> on WinXP machine? If yes, how?
>>>
>>
>> Hmm .. I had to use the latest version of ipa-getkeytab (which
>> supported the password option - I compiled my own RPMs for CentOS) and
>> between that, then -e option and ksetup /setcomputerpassword it
>> finally worked on my Windows Server 2003 machines.
>>
>> Maybe there is something different with XP machines, all I can suggest
>> is try the different encryption types and see what works (DES
>> generally, no AES or SHA hashes).
>>
>> Johan
>>
>
>
--
Konstantin Kozlov
Department of Computational Biology,
Center for Advanced Studies,
SPb State Polytechnical University,
195251, Polytechnicheskaya ul., 29,
bld 4, office 204,
St.Petersburg, Russia.
Tel./fax: +7 812 596 2831