[Freeipa-users] Windows Kerberos auth to IPA
Simo Sorce
ssorce at redhat.com
Fri Oct 10 14:03:30 UTC 2008
On Fri, 2008-10-10 at 15:33 +1000, Johan Venter wrote:
> Johan Venter wrote:
> > Simo Sorce wrote:
> >> The latest ipa-getkeytab should allow you to specify a password.
>
> > How would I go about getting this latest version (can I just update the
> > one executable or do I have to find a way to update the whole of IPA?)
> > onto a server so I can use ipa-getkeytab to give a host principal a
> > password?
>
> Ok, so I got recent source for ipa-getkeytab.c from Trac and
> incorporated that into my RPM build. I read through the source and
> didn't see that it required any special dependencies.
>
> I used ipa-getkeytab like this to set the password for the host
> principal of the Windows machine:
>
> # ipa-getkeytab -s kdc.example.local -p host/windowshost.example.local
> -k keys.txt -P
>
> and set the password to 'password'.
>
> On the Windows machine I issued:
>
> ksetup /setdomain EXAMPLE.LOCAL
> ksetup /addkdc EXAMPLE.LOCAL kdc.example.local
> ksetup /setcomputerpassword password
> ksetup /mapuser * Administrator
>
> Rebooted the Windows machine and tried to login with a Kerberos user. In
> the /var/log/krb5kdc.log on the IPA server I see:
>
> Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (7 etypes
> {23 -133 -128 3 1 24 -135}) 172.17.16.16: NEEDED_PREAUTH:
> testuser at EXAMPLE.LOCAL for krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL,
> Additional pre-authentication required
> Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (7 etypes
> {23 -133 -128 3 1 24 -135}) 172.17.16.16: NEEDED_PREAUTH:
> testuser at EXAMPLE.LOCAL for krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL,
> Additional pre-authentication required
> Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (3 etypes
> {23 3 1}) 172.17.16.16: ISSUE: authtime 1223615889, etypes {rep=23
> tkt=18 ses=23}, testuser at EXAMPLE.LOCAL for
> krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL
> Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (3 etypes
> {23 3 1}) 172.17.16.16: ISSUE: authtime 1223615889, etypes {rep=23
> tkt=18 ses=23}, testuser at EXAMPLE.LOCAL for
> krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL
> Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): TGS_REQ (5
> etypes {23 3 1 24 -135}) 172.17.16.16: ISSUE: authtime 1223615889,
> etypes {rep=23 tkt=18 ses=23}, testuser at EXAMPLE.LOCAL for
> host/windowshost.example.local at EXAMPLE.LOCAL
> Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): TGS_REQ (5
> etypes {23 3 1 24 -135}) 172.17.16.16: ISSUE: authtime 1223615889,
> etypes {rep=23 tkt=18 ses=23}, testuser at EXAMPLE.LOCAL for
> host/windowshost.example.local at EXAMPLE.LOCAL
>
> Which all looks good to me (obviously I'm not using example.local and
> EXAMPLE.LOCAL, but I've modified the log output to protect my client),
> but it refuses to log in. Windows reports "The system could not log you
> on. Make sure your User name and domain are correct, then type your
> password again. Letters in passwords must be typed using the correct case."
>
> I have:
> - checked that forward and reverse DNS is correct for all involved
> - changed the user password a dozen times
> - tried various different user mappings with ksetup
> - ensured the Windows time is correct (NTP'ing to IPA server)
>
> Please help me to get this to work, it's driving me nuts - there are no
> errors anywhere and as far as I can see the Windows host is getting
> issued the appropriate tickets.
The krb5kdc output seems indeed all correct.
Have you tested that the ipa-getkeytab binary generated a valid key?
I think I needed to fix a bug in the server to correctly generate a
keytab when a password was specified. If you don't have this fix in the
server you might get back a bogus ticket that cannot be verified.
To test if the machine key is good, just run:
kinit host/windowshost.example.local at EXAMPLE.LOCAL
and provide the password you set. If you get back a ticket, that is good;
otherwise that's the problem.
Simo.
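An added example, not part of the thread: a small Python parser for the krb5kdc.log entries quoted above, which reports what enctypes the client offered and which enctype the KDC actually used for the ticket key and session key of each issued ticket, so the host's service ticket can be checked against what the Windows machine asked for. The sample input is the post's own log lines (duplicate pairs collapsed, each entry re-joined onto one line, and the archive's " at " restored to "@"); the enctype-number-to-name table is from the Kerberos RFCs.

```python
import re

# krb5kdc.log entries as quoted in the post (duplicates collapsed, re-joined
# onto single lines, " at " restored to "@"); the poster had already replaced
# the real realm and host names with example.local / EXAMPLE.LOCAL.
KDC_LOG = """\
Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.17.16.16: NEEDED_PREAUTH: testuser@EXAMPLE.LOCAL for krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL, Additional pre-authentication required
Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (3 etypes {23 3 1}) 172.17.16.16: ISSUE: authtime 1223615889, etypes {rep=23 tkt=18 ses=23}, testuser@EXAMPLE.LOCAL for krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): TGS_REQ (5 etypes {23 3 1 24 -135}) 172.17.16.16: ISSUE: authtime 1223615889, etypes {rep=23 tkt=18 ses=23}, testuser@EXAMPLE.LOCAL for host/windowshost.example.local@EXAMPLE.LOCAL
"""

# Standard enctype numbers (RFC 3961/3962/4757); negative numbers are
# Windows-private values that an MIT KDC does not implement.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}

LINE_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<ip>\S+): "
    r"(?P<status>NEEDED_PREAUTH|ISSUE): "
    r"(?:authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)")


def etype_name(n):
    """Map an enctype number to its RFC name; flag Windows-private negatives."""
    return "windows-private(%d)" % n if n < 0 else ETYPE_NAMES.get(n, "unknown(%d)" % n)


def parse_kdc_log(text):
    """Return one record per AS_REQ/TGS_REQ line; unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["offered"] = [int(e) for e in rec["offered"].split()]
        for k in ("rep", "tkt", "ses"):          # absent on NEEDED_PREAUTH lines
            rec[k] = int(rec[k]) if rec[k] is not None else None
        records.append(rec)
    return records


def issued_tickets_for(records, service):
    """(client, ticket-key enctype, session-key enctype) per ISSUE for `service`."""
    return [(r["client"], etype_name(r["tkt"]), etype_name(r["ses"]))
            for r in records
            if r["status"] == "ISSUE" and r["service"] == service]


if __name__ == "__main__":
    recs = parse_kdc_log(KDC_LOG)
    for r in recs:
        print(r["kind"], r["status"], r["client"], "->", r["service"],
              "offered:", [etype_name(e) for e in r["offered"]])
    print(issued_tickets_for(recs, "host/windowshost.example.local@EXAMPLE.LOCAL"))
```

Run against a real /var/log/krb5kdc.log, it shows whether the host principal's service ticket was encrypted with an enctype the client actually listed in its TGS_REQ.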