[Freeipa-users] Windows Kerberos auth to IPA
Simo Sorce
ssorce at redhat.com
Thu Oct 9 09:21:27 UTC 2008
On Thu, 2008-10-09 at 10:19 +1000, Johan Venter wrote:
> Hi all,
>
> I would very much like to achieve with Windows what I have achieved on
> Linux with IPA, namely:
> - single sign-on
> - access control
>
> To achieve the first, I have been trying to figure out how to use
> ksetup.exe from the Windows Support Tools installation on Windows Server
> 2003.
>
> As I understand it, the only way to make this work is with a host
> principal that has a usable password. I cannot find any way to add a
> password to a service principal in IPA and all attempts at the command
> line were thwarted:
> - kadmin.local didn't let me do it because admin doesn't have
> permission outside cn=kerberos and I shouldn't need to use kadmin.local
> anyway
> - ldappasswd wouldn't let me do it because service principals by
> default in IPA do not have the appropriate objectClass (I figured this
> was posixAccount but wasn't sure), and all attempts to add object
> classes to a service principal using ldapmodify failed
>
> I'm at a bit of a loss. It seems I need a password on the host principal
> to make this work, but IPA is completely engineered to not allow that.
> What should I do?
The latest ipa-getkeytab should allow you to specify a password.
> Also, if I ever get sign-on working, what can I do about access control?
> In Linux I can use /etc/security/access.conf and sudoers to provide
> reasonable access to only specific groups - I wonder how I can map my
> sysadmins LDAP group to Administrator in Windows and whether this will have
> the same effect?
You need to tweak user privileges, but this would be a per-machine
option, as all users and groups will be local to the Windows machine.
Windows does not have any way to get users from a remote server unless it
is a Windows Domain Controller.
Simo.
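The two halves of the thread (a host principal with a known password so ksetup can join the realm, and access control that has to be expressed as local accounts and groups) can be put together as a script. The following is an added example, not something from the thread or from the FreeIPA project; the realm, KDC, host and user names are placeholders, and the ipa-getkeytab invocation in the comments uses the -P option of current ipa-getkeytab (the thread only says "the latest ipa-getkeytab should allow you to specify a password"). The ksetup verbs (/setrealm, /addkdc, /addkpasswd, /setcomputerpassword, /mapuser) are Microsoft's documented ones; whether your IPA release accepts the enctype you pick is something to check on the IPA side.

```powershell
# Added example (not from the thread): join a Windows machine to an IPA Kerberos realm
# with ksetup.exe and map a realm user onto a local administrator account.
# Placeholders (assumptions): realm IPA.EXAMPLE.COM, KDC ipa.example.com,
# Windows host winbox.example.com, IPA user jventer. Run from an elevated prompt.
#
# Step 0 happens on the IPA side, not on the Windows box: give the host principal
# a key derived from a password you know, instead of a random key, e.g.
#   ipa-getkeytab -s ipa.example.com -p host/winbox.example.com \
#                 -k /tmp/winbox.keytab -e arcfour-hmac -P
# The password typed there is the same one handed to /setcomputerpassword below.
# RC4-HMAC (arcfour-hmac) is used because its string-to-key has no salt, so the key
# Windows derives from the password is byte-for-byte the key IPA derived from it.

$Realm   = 'IPA.EXAMPLE.COM'   # placeholder realm
$Kdc     = 'ipa.example.com'   # placeholder KDC / kpasswd server
$IpaUser = 'jventer'           # placeholder IPA user to map

# 1. Realm configuration: default realm plus KDC and kpasswd endpoints.
ksetup /setrealm $Realm
ksetup /addkdc $Realm $Kdc
ksetup /addkpasswd $Realm $Kdc

# 2. Host key: the password must match the key stored for host/winbox.example.com.
#    Read it without echo and convert it only for the one call that needs plaintext.
$secure = Read-Host -AsSecureString 'Host principal password (same as given to ipa-getkeytab -P)'
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $hostPw = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    ksetup /setcomputerpassword $hostPw
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable hostPw -ErrorAction SilentlyContinue
}

# 3. Access control: a realm principal only ever gets the rights of the *local*
#    account it is mapped to. So "sysadmins in IPA are Administrators here" means:
#    create a local account per admin, map the principal to it, and put the local
#    account in the local Administrators group. Repeat per machine (no central
#    group lookup without a Domain Controller, as the reply above says).
net user $IpaUser /add
ksetup /mapuser "${IpaUser}@${Realm}" $IpaUser
net localgroup Administrators $IpaUser /add

# Non-admin users can be mapped the same way without the localgroup step; a broad
# 'ksetup /mapuser * *' would instead map every realm principal to a same-named
# local account, which is a much wider grant and worth avoiding on admin hosts.

# 4. Realm and computer-password changes are picked up at the next boot.
Restart-Computer -Confirm
```

Two things to verify after the reboot: `ksetup` with no arguments should list the realm, KDC and mapping you set, and a logon as `jventer@IPA.EXAMPLE.COM` should appear in the Security event log as a Kerberos logon rather than a local-password logon. Because every mapping is per machine, treat this script as something to run from configuration management so the list of mapped admins can be reviewed and revoked centrally even though Windows itself stores it locally.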