[Freeipa-users] Windows XP client can't login - Solved partially
Konstantin Kozlov
kozlov at spbcas.ru
Tue Nov 25 09:14:04 UTC 2008
Kozlov wrote:
> Simo Sorce wrote:
>> On Mon, 2008-11-24 at 14:44 +0300, Konstantin Kozlov wrote:
>>> Hello,
>>>
>>> I had not got any reply on the last post in
>>> https://www.redhat.com/archives/freeipa-users/2008-November/msg00004.html
>>>
>>> so I start a new thread with more precise title.
>>>
>>> I have ipaserver 1.2 on Fedora 9 and ipaclient on CentOS 5 with
>>> recompiled rpms from RHEL. I want to let an ipauser to login to
>>> Windows XP box.
>>>
>>> Did anybody succeed in such a challenge?
>>>
>>> I have the host principal, I've set up the Kerberos on WinXP with
>>> ksetup, and got the key into krb5.keytab on ipaserver with password
>>> and enctype des-cbc-crc. But WinXP can't log the ipauser in.
>>>
>>> I've tried rc4-hmac but it made no difference. I have a question
>>> concerning this - rc4-hmac is not listed neither in kdc.conf nor in ldap
>>> as supported enctype but ipa-getkeytab didn't show an error when I tried
>>> to use this enctype. Should I add rc4-hmac in kdc.conf or ldap entry or
>>> it is irrelevant as WinXP is also said to support des-cbc-crc?
>>>
>>> Thank you,
>>
>> I assume you also installed a GINA dll that can use the kerberos
>> libraries to perform a login ?
>
> At what point does GINA come onto the scene?
>
> Following the steps from another thread I ran
>
> ksetup /setdomain ...
> ksetup /addkdc ...
> ksetup /setcomputerpassword ...
> ksetup /mapuser ...
>
> And WinXP asks for the login to Realm, kdc issues the ticket but WinXP
> doesn't accept the password. I've mapped the ipauser to winxpuser, not
> all to Administrator as in
> https://www.redhat.com/archives/freeipa-users/2008-October/msg00006.html.
> Can it be a problem?
>
This was a problem :) I've issued
ksetup /mapuser * User
and login now works.
klist shows tickets and tgt now.
But I can't access the samba share and ipa webui.
When I try to access the samba share I get

Nov 25 11:40:32 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.10.1.201: UNKNOWN_SERVER: authtime 1227602267, kkozlov@BIO.SPBCAS.RU for cifs/hedgehog@BIO.SPBCAS.RU, Server not found in Kerberos database

in krb5kdc.log on ipaserver
and when I try the webui (from Firefox 3.0.4 on WinXP after setting it up
like on Linux with certificates and negotiation)

Nov 25 12:04:57 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.10.1.201: ISSUE: authtime 1227602267, etypes {rep=23 tkt=18 ses=23}, kkozlov@BIO.SPBCAS.RU for HTTP/hedgehog.bio.spbcas.ru@BIO.SPBCAS.RU

and a Permission denied page.
I really need samba to work.
Kostya
>> Just setting up kerberos is not enough to allow a login.
>> At least for testing, des-cbc-crc shouldn't be a problem. It would
>> certainly be better to use something stronger in production, but one
>> step at a time :)
>>
>> For a start, does kinit work at all on the WinXP client ?
>>
>
> Yes, 'kinit ipauser' accepts the password, but klist doesn't show tickets.
>
> Thanks for the help!
>
> Kostya
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
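An added diagnostic, not part of the thread and not FreeIPA or MIT Kerberos code: a small Python parser for krb5kdc.log request lines like the two quoted above. It separates UNKNOWN_SERVER replies from ISSUE replies, reports which service principal the client asked for and decodes the standard enctype numbers in the issued ticket. As a heuristic (my assumption, not something the thread establishes) it also points out when the requested principal's host part is a short name, because the failing cifs/ request above names "hedgehog" while the HTTP/ request the KDC did satisfy names hedgehog.bio.spbcas.ru, and KDC principal lookup is an exact-name match. The sample lines are constructed from the ones in the post.

```python
"""Parse krb5kdc.log AS_REQ/TGS_REQ lines and explain failed service-ticket
requests. Added example, not project code."""
import re

# Constructed from the two log lines quoted in the post.
SAMPLE_LOG = """\
Nov 25 11:40:32 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.10.1.201: UNKNOWN_SERVER: authtime 1227602267, kkozlov@BIO.SPBCAS.RU for cifs/hedgehog@BIO.SPBCAS.RU, Server not found in Kerberos database
Nov 25 12:04:57 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.10.1.201: ISSUE: authtime 1227602267, etypes {rep=23 tkt=18 ses=23}, kkozlov@BIO.SPBCAS.RU for HTTP/hedgehog.bio.spbcas.ru@BIO.SPBCAS.RU
"""

# Standard Kerberos enctype numbers (RFC 3961 / RFC 4120 registry).
# Negative values are Windows-private and are left undecoded.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<kdc>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]\(info\): (?P<kind>AS_REQ|TGS_REQ) "
    r"\((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
PRINC_RE = re.compile(r"(?P<client>[^\s,]+@\S+) for (?P<server>[^\s,]+)")
REP_RE = re.compile(r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}")


def parse_kdc_line(line):
    """Return a dict describing one AS_REQ/TGS_REQ entry, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "kind": m["kind"],
        "client_ip": m["ip"],
        "status": m["status"],
        "offered_etypes": [int(e) for e in m["etypes"].split()],
        "client": None,
        "server": None,
        "ticket_etypes": None,  # only present on ISSUE lines
    }
    p = PRINC_RE.search(m["rest"])
    if p:
        rec["client"], rec["server"] = p["client"], p["server"]
    r = REP_RE.search(m["rest"])
    if r:
        rec["ticket_etypes"] = {"rep": int(r[1]), "tkt": int(r[2]), "ses": int(r[3])}
    return rec


def service_host(principal):
    """'cifs/hedgehog@REALM' -> 'hedgehog'; None for a plain user principal."""
    name = principal.split("@", 1)[0]
    return name.split("/", 1)[1] if "/" in name else None


def diagnose(rec):
    """Human-readable findings for one parsed record."""
    findings = []
    if rec["status"] == "UNKNOWN_SERVER":
        findings.append(
            f"KDC has no principal {rec['server']}; client {rec['client_ip']} "
            f"cannot get a service ticket for it"
        )
        host = service_host(rec["server"])
        # Heuristic (assumption): a short host name in the requested principal
        # will not match a principal registered under the fully qualified name.
        if host and "." not in host:
            findings.append(
                f"requested principal uses short host name '{host}'; compare "
                f"with the fully qualified form the KDC does know"
            )
    if rec["ticket_etypes"]:
        names = {k: ENCTYPE_NAMES.get(v, f"etype {v}")
                 for k, v in rec["ticket_etypes"].items()}
        findings.append(
            f"ticket issued for {rec['server']}: ticket key {names['tkt']}, "
            f"session key {names['ses']}"
        )
    return findings


def scan(log_text):
    """Parse every recognised line and return (status, server, findings)."""
    out = []
    for line in log_text.splitlines():
        rec = parse_kdc_line(line)
        if rec:
            out.append((rec["status"], rec["server"], diagnose(rec)))
    return out


if __name__ == "__main__":
    for status, server, findings in scan(SAMPLE_LOG):
        print(status, server)
        for f in findings:
            print("  -", f)
```

Running it over the two quoted lines shows the cifs/ request as the one the KDC rejected and the HTTP/ request as granted with an aes256 ticket key and an rc4-hmac session key, which is consistent with the WinXP client offering etype 23 first.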