[Freeipa-users] Windows Kerberos auth to IPA
Johan Venter
mythtv at vulturest.com
Thu Oct 9 00:19:57 UTC 2008
Hi all,
I would very much like to achieve with Windows what I have achieved on
Linux with IPA, namely:
- single sign-on
- access control
To achieve the first, I have been trying to figure out how to use
ksetup.exe from the Windows Support Tools installation on Windows Server
2003.
As I understand it, the only way to make this work is with a host
principal that has a usable password. I cannot find any way to add a
password to a service principal in IPA and all attempts at the command
line were thwarted:
- kadmin.local didn't let me do it because admin doesn't have
permission outside cn=kerberos and I shouldn't need to use kadmin.local
anyway
- ldappasswd wouldn't let me do it because service principals by
default in IPA do not have the appropriate objectClass (I figured this
was posixAccount but wasn't sure), and all attempts to add object
classes to a service principal using ldapmodify failed
I'm at a bit of a loss. It seems I need a password on the host principal
to make this work, but IPA is completely engineered to not allow that.
What should I do?
Also, if I ever get sign-on working, what can I do about access control?
In Linux I can use /etc/security/access.conf and sudoers to provide
reasonable access to only specific groups - I wonder how I can map my
sysadmins LDAP group to Administrator in Windows, and will this have
the same effect?
Any help would be greatly appreciated. I'm pulling out my hair on this one.
Thanks,
Johan