[Freeipa-users] Windows Kerberos auth to IPA

Johan Venter mythtv at vulturest.com
Fri Oct 10 00:26:52 UTC 2008


Simo Sorce wrote:
> On Thu, 2008-10-09 at 10:19 +1000, Johan Venter wrote:
>> I'm at a bit of a loss. It seems I need a password on the host principal 
>> to make this work, but IPA is completely engineered to not allow that. 
>> What should I do?
> 
> The latest ipa-getkeytab should allow you to specify a password.

Ok, that's great, however I'm not sure what I should do. I have 
configured IPA on a large number of CentOS servers by compiling RPMS 
from the RedHat SRPMS.

How would I go about getting this latest version (can I just update the 
one executable or do I have to find a way to update the whole of IPA?) 
onto a server so I can use ipa-getkeytab to give a host principal a 
password?

If there's a manual route I can take, that would be far preferable to 
updating all of these machines to the latest IPA that is not already in 
SRPMS - or are there more recent SRPMS I can compile from?

I apologise if these seem dumb questions, I'm quite new to IPA (and 
Kerberos/LDAP in general) and have made plenty of progress to the point 
where all the CentOS servers are working fine, just need to get over 
this hump with Windows.

>> Also, if I ever get sign-on working, what can I do about access control? 
>> In Linux I can use /etc/security/access.conf and sudoers to provide 
>> reasonable access to only specific groups - I wonder how I can map my 
>> sysadmins' LDAP group to Administrator in Windows and whether this will have 
>> the same effect?
> 
> You need to tweak user privileges, but this would be a per-machine
> option, as all users and groups will be local to the Windows machine.
> Windows does not have any way to get users from a remote server unless it
> is a Windows Domain Controller.

OK, as I understand ksetup I can map certain Kerberos users to local 
accounts on the Windows machine - what I would like to achieve is some 
dynamic way to map a whole group to the local Administrator account as 
that would satisfy my current objective (that is, giving system 
administrators single sign on to Windows machines with the same username 
and password they use on the Linux servers) without having to map each 
user individually (as the members of the sysadmin group could change 
regularly).

I realise that a 'group' is really an LDAP construct and not a Kerberos 
one, but I'm truly hoping there is a way to do this.

Alternatively, am I going about this whole thing wrong? Is there a 
better way to achieve single sign-on through IPA infrastructure on 
Windows? Perhaps using Samba as a domain controller and authenticating 
through it?

It seems crazy to me that if I had an AD server I could happily get 
Windows to log in users that do not exist on the local machine with 
certain privileges, why can I not seem to achieve the same thing without AD?

Regards,
Johan
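
The ksetup steps discussed in this message, as an added example that is not part of the original post or of the IPA project's own documentation: it configures a standalone Windows machine for an IPA-served Kerberos realm and maps principals to local accounts. The realm name EXAMPLE.COM, the KDC host ipa.example.com, the workstation name, the user johan and the local account names are all assumptions, and the exact principal-name form the KDC expects for the machine (host/<name>@REALM) should be checked against the KDC. The IPA-side command in the comment assumes a newer ipa-getkeytab that accepts a password, as the quoted reply states; its option name is an assumption. Run from an elevated prompt.

```powershell
# Added example, not code from the original post or from the IPA project.
# Configure a non-domain Windows machine for an MIT-style Kerberos realm served by IPA
# and map Kerberos principals to local accounts with the built-in ksetup tool.
#
# Assumed IPA side (run on a host with an ipa-getkeytab that accepts a password; the
# -P option name is an assumption to verify against the installed version):
#   ipa-getkeytab -s ipa.example.com -p host/win-ws01.example.com@EXAMPLE.COM -k /tmp/win.keytab -P
# The password typed there must match the one given to /setcomputerpassword below.

$Realm = "EXAMPLE.COM"        # assumed realm name
$Kdc   = "ipa.example.com"    # assumed IPA KDC / kpasswd server

# Point the workstation at the non-AD realm and tell it where the KDC and kpasswd server are.
ksetup /setdomain $Realm
ksetup /addkdc $Realm $Kdc
ksetup /addkpasswd $Realm $Kdc

# The machine's own host principal key. It has to be the same secret the KDC holds for
# this machine's host principal, which is why the IPA side needs a known password rather
# than a randomly generated key. Prompt for it; ksetup itself needs the plain string.
$secure = Read-Host -AsSecureString -Prompt "Password for this machine's host principal"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    ksetup /setcomputerpassword $plain
} finally {
    # Release the unmanaged copy and drop the plain-text variable as soon as ksetup has it.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain -ErrorAction SilentlyContinue
}

# Map Kerberos principals to local accounts. ksetup maps individual principals
# (or the * wildcard); there is no group-level mapping here.
ksetup /mapuser "johan@$Realm" Administrator   # one assumed admin onto the built-in Administrator
ksetup /mapuser * *                            # every other principal onto a same-named local account

# Print the resulting realm, KDC and mapping configuration for review.
ksetup

# /setdomain and /setcomputerpassword only take effect after a restart.
Restart-Computer -Confirm
```

After the restart, users log on as principal@REALM (for example johan@EXAMPLE.COM) against the local machine. Two points worth keeping in mind: every principal mapped onto Administrator receives all of that account's rights, so that mapping list is effectively the machine's admin list and has to be maintained on each machine; and the `* *` wildcard only works for principals that already have a same-named local account, since ksetup mapping does not create accounts.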
