[Freeipa-users] Windows XP client can't login - Solved partially

Konstantin Kozlov kozlov at spbcas.ru
Tue Nov 25 09:14:04 UTC 2008


Kozlov wrote:
> Simo Sorce wrote:
>> On Mon, 2008-11-24 at 14:44 +0300, Konstantin Kozlov wrote:
>>> Hello,
>>>
>>> I had not got any reply on the last post in
>>> https://www.redhat.com/archives/freeipa-users/2008-November/msg00004.html 
>>>
>>> so I start a new thread with more precise title.
>>>
>>> I have ipaserver 1.2 on Fedora 9 and ipaclient on CentOS 5 with 
>>> recompiled rpms from RHEL. I want to let an ipauser to login to 
>>> Windows XP box.
>>>
>>> Did anybody succeed in such a challenge?
>>>
>>> I have the host principal, I've set up the Kerberos on WinXP with
>>> ksetup, and got the key into krb5.keytab on ipaserver with password 
>>> and enctype des-cbc-crc. But WinXP can't log the ipauser in.
>>>
>>> I've tried rc4-hmac but it made no difference. I have a question
>>> concerning this - rc4-hmac is not listed in kdc.conf or in ldap
>>> as a supported enctype, but ipa-getkeytab didn't show an error when I tried
>>> to use this enctype. Should I add rc4-hmac in kdc.conf or the ldap entry, or
>>> is it irrelevant as WinXP is also said to support des-cbc-crc?
>>>
>>> Thank you,
>>
>> I assume you also installed a GINA dll that can use the kerberos
>> libraries to perform a login?
> 
> At what point does GINA come into play?
> 
> Following the steps from another thread I've run
> 
> ksetup /setdomain ...
> ksetup /addkdc ...
> ksetup /setcomputerpassword ...
> ksetup /mapuser ...
> 
> And WinXP asks for the login to Realm, kdc issues the ticket but WinXP 
> doesn't accept the password. I've mapped the ipauser to winxpuser, not 
> all to Administrator as in 
> https://www.redhat.com/archives/freeipa-users/2008-October/msg00006.html. 
> Can it be a problem?
> 

This was a problem :) I issued
ksetup /mapuser * User
and login now works.

klist shows tickets and tgt now.

But I can't access the samba share and ipa webui.

When I try to access samba share I get

Nov 25 11:40:32 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7 
etypes {23 -133 -128 3 1 24 -135}) 10.10.1.201: UNKNOWN_SERVER: authtime 
1227602267,  kkozlov at BIO.SPBCAS.RU for cifs/hedgehog at BIO.SPBCAS.RU, 
Server not found in Kerberos database

in krb5kdc.log on ipaserver

and when I try the webui (from Firefox 3.0.4 on WinXP after setting it up 
like on Linux with certificates and negotiation)

Nov 25 12:04:57 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7 
etypes {23 -133 -128 3 1 24 -135}) 10.10.1.201: ISSUE: authtime 
1227602267, etypes {rep=23 tkt=18 ses=23}, kkozlov at BIO.SPBCAS.RU for 
HTTP/hedgehog.bio.spbcas.ru at BIO.SPBCAS.RU

and

Permission denied page.

I really need samba to work.

Kostya


>> Just setting up kerberos is not enough to allow a login.
>> At least for testing, des-cbc-crc shouldn't be a problem. It would be
>> certainly better to use something stronger in production, but one
>> step at a time :)
>>
>> For a start, does kinit work at all on the WinXP client ?
>>
> 
> Yes, 'kinit ipauser' accepts password, but klist doesn't show tickets.
> 
> Thanks for the help!
> 
> Kostya
> 
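The two krb5kdc.log lines above tell the whole story of the remaining failure: the HTTP/ request names the full hostname and is issued, while the cifs/ request names the bare host and the KDC has no such principal. This is an added example, not code from the thread or from FreeIPA: a small parser for MIT krb5kdc TGS_REQ lines that maps the offered etype numbers to names and produces troubleshooting hints for UNKNOWN_SERVER results. It assumes the real log uses "@" where the list archive printed " at " (the sample lines below are reconstructed that way), and the etype names come from the standard Kerberos registry.

```python
import re

# Constructed sample: the two krb5kdc.log lines quoted in the thread, with the
# list archive's " at " mangling restored to the real "@" principal separator.
SAMPLE_LOG = """\
Nov 25 11:40:32 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.10.1.201: UNKNOWN_SERVER: authtime 1227602267,  kkozlov@BIO.SPBCAS.RU for cifs/hedgehog@BIO.SPBCAS.RU, Server not found in Kerberos database
Nov 25 12:04:57 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.10.1.201: ISSUE: authtime 1227602267, etypes {rep=23 tkt=18 ses=23}, kkozlov@BIO.SPBCAS.RU for HTTP/hedgehog.bio.spbcas.ru@BIO.SPBCAS.RU
"""

# Standard Kerberos etype numbers (IANA registry); the negative values Windows
# clients offer are Microsoft-private and are only labelled as such here.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}

# MIT krb5kdc TGS_REQ line: offered etypes, client IP, status, authtime,
# optional issued etypes, client principal, service principal, trailing message.
TGS_RE = re.compile(
    r"TGS_REQ \((\d+) etypes \{([^}]*)\}\) (\S+): (\w+): authtime (\d+),\s*"
    r"(?:etypes \{([^}]*)\},\s*)?(\S+) for (\S+?)(?:,\s*(.*))?$")

def etype_name(code):
    n = int(code)
    return ETYPE_NAMES.get(n, "ms-private" if n < 0 else "unknown")

def parse_tgs_req(line):
    """Return a dict for one TGS_REQ log line, or None if the line is not one."""
    m = TGS_RE.search(line)
    if not m:
        return None
    _, offered, client_ip, status, _, issued, client, service, msg = m.groups()
    return {
        "client_ip": client_ip, "status": status, "client": client,
        "service": service, "message": msg,
        "offered_etypes": [etype_name(c) for c in offered.split()],
        "issued_etypes": dict(kv.split("=") for kv in issued.split()) if issued else {},
    }

def diagnose(rec):
    """Troubleshooting hints a KDC admin would want for a parsed TGS_REQ record."""
    hints = []
    if rec["status"] == "UNKNOWN_SERVER":
        host = rec["service"].split("@")[0].split("/")[-1]
        if "." not in host:
            hints.append(f"service host '{host}' is unqualified; the KDC normally "
                         "only knows the FQDN form (compare the working HTTP/ SPN)")
        hints.append("no key for this SPN on the KDC: create the service principal "
                     "and fetch its keytab onto the server (ipa-getkeytab)")
    if any(e.startswith("des-") for e in rec["offered_etypes"]):
        hints.append("client offers single-DES etypes: acceptable for testing only")
    return hints
```

Running `diagnose(parse_tgs_req(line))` over the first sample line flags the unqualified `cifs/hedgehog` host, while the second line only draws the single-DES remark.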