[Freeipa-users] Windows Kerberos auth to IPA

Simo Sorce ssorce at redhat.com
Fri Oct 10 14:03:30 UTC 2008


On Fri, 2008-10-10 at 15:33 +1000, Johan Venter wrote:
> Johan Venter wrote:
> > Simo Sorce wrote:
> >> The latest ipa-getkeytab should allow you to specify a password.
> 
> > How would I go about getting this latest version (can I just update the 
> > one executable or do I have to find a way to update the whole of IPA?) 
> > onto a server so I can use ipa-getkeytab to give a host principal a 
> > password?
> 
> Ok, so I got recent source for ipa-getkeytab.c from Trac and 
> incorporated that into my RPM build. I read through the source and 
> didn't see that it required any special dependencies.
> 
> I used ipa-getkeytab like this to set the password for the host 
> principal of the Windows machine:
> 
> # ipa-getkeytab -s kdc.example.local -p host/windowshost.example.local 
> -k keys.txt -P
> 
> and set the password to 'password'.
> 
> On the Windows machine I issued:
> 
> ksetup /setdomain EXAMPLE.LOCAL
> ksetup /addkdc EXAMPLE.LOCAL kdc.example.local
> ksetup /setcomputerpassword password
> ksetup /mapuser * Administrator
> 
> Rebooted the Windows machine and tried to log in with a Kerberos user. In 
> the /var/log/krb5kdc.log on the IPA server I see:
> 
> Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (7 etypes 
> {23 -133 -128 3 1 24 -135}) 172.17.16.16: NEEDED_PREAUTH: 
> testuser at EXAMPLE.LOCAL for krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL, 
> Additional pre-authentication required
> Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (7 etypes 
> {23 -133 -128 3 1 24 -135}) 172.17.16.16: NEEDED_PREAUTH: 
> testuser at EXAMPLE.LOCAL for krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL, 
> Additional pre-authentication required
> Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (3 etypes 
> {23 3 1}) 172.17.16.16: ISSUE: authtime 1223615889, etypes {rep=23 
> tkt=18 ses=23}, testuser at EXAMPLE.LOCAL for 
> krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL
> Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (3 etypes 
> {23 3 1}) 172.17.16.16: ISSUE: authtime 1223615889, etypes {rep=23 
> tkt=18 ses=23}, testuser at EXAMPLE.LOCAL for 
> krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL
> Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): TGS_REQ (5 
> etypes {23 3 1 24 -135}) 172.17.16.16: ISSUE: authtime 1223615889, 
> etypes {rep=23 tkt=18 ses=23}, testuser at EXAMPLE.LOCAL for 
> host/windowshost.example.local at EXAMPLE.LOCAL
> Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): TGS_REQ (5 
> etypes {23 3 1 24 -135}) 172.17.16.16: ISSUE: authtime 1223615889, 
> etypes {rep=23 tkt=18 ses=23}, testuser at EXAMPLE.LOCAL for 
> host/windowshost.example.local at EXAMPLE.LOCAL
> 
> Which all looks good to me (obviously I'm not using example.local and 
> EXAMPLE.LOCAL, but I've modified the log output to protect my client), 
> but it refuses to log in. Windows reports "The system could not log you 
> on. Make sure your User name and domain are correct, then type your 
> password again. Letters in passwords must be typed using the correct case."
> 
> I have:
>   - checked that forward and reverse DNS is correct for all involved
>   - changed the user password a dozen times
>   - tried various different user mappings with ksetup
>   - ensured the Windows time is correct (NTP'ing to IPA server)
> 
> Please help me to get this to work, it's driving me nuts - there's no 
> errors anywhere and as far as I can see the Windows host is getting 
> issued the appropriate tickets.

The krb5kdc output seems indeed all correct.
Have you tested that the ipa-getkeytab binary generated a valid key?
I think I needed to fix a bug in the server to correctly generate a
keytab when a password was specified. If you don't have this fix in the
server you might get back a bogus ticket that cannot be verified.

To test if the machine key is good, just run:
kinit host/windowshost.example.local at EXAMPLE.LOCAL

And provide the password you set. If you get back a ticket, that is good;
otherwise, that's the problem.

Simo.
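As an added example (not part of the original thread, and not FreeIPA or MIT Kerberos code), here is a small parser for the krb5kdc.log lines Johan pasted. It turns each AS_REQ/TGS_REQ line into a record (client, server, status, the enctypes the client offered, and the rep/tkt/ses enctypes the KDC chose), then applies one sanity check that is useful when a workstation logs on: the machine requests a service ticket for its own host/ principal and must be able to decrypt it, so a host/ ticket whose enctype the requesting machine never offered is worth flagging. The sample lines are constructed from the thread's excerpt, with the list archive's "at" mangling reversed to "@" and the wrapped lines rejoined; the enctype-name table covers only the common RFC-assigned numbers, and negative numbers are reported simply as vendor-private. The thread does not say which Windows version is involved, so the check is a heuristic, not a diagnosis.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the krb5kdc.log excerpt in the thread
# ("at" restored to "@", wrapped lines rejoined). Not real KDC output.
SAMPLE_LOG = """\
Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.17.16.16: NEEDED_PREAUTH: testuser@EXAMPLE.LOCAL for krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL, Additional pre-authentication required
Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (3 etypes {23 3 1}) 172.17.16.16: ISSUE: authtime 1223615889, etypes {rep=23 tkt=18 ses=23}, testuser@EXAMPLE.LOCAL for krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): TGS_REQ (5 etypes {23 3 1 24 -135}) 172.17.16.16: ISSUE: authtime 1223615889, etypes {rep=23 tkt=18 ses=23}, testuser@EXAMPLE.LOCAL for host/windowshost.example.local@EXAMPLE.LOCAL
"""

# RFC 3961/3962/4757 enctype numbers that commonly show up in KDC logs.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
    24: "arcfour-hmac-exp",
}

# One krb5kdc AS_REQ/TGS_REQ line: timestamp, KDC host, request type,
# enctypes offered by the client, client IP, status, and the remainder.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<ip>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# Remainder of an ISSUE line: chosen enctypes, then "client for server".
ISSUE_RE = re.compile(
    r"^authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) "
    r"ses=(?P<ses>-?\d+)\}, (?P<client>\S+) for (?P<server>\S+)$"
)
# Remainder of a non-ISSUE line: "client for server, reason".
FAIL_RE = re.compile(r"^(?P<client>\S+) for (?P<server>[^,\s]+)(?:,\s*(?P<reason>.*))?$")


def etype_name(n):
    """Human-readable enctype; negative numbers are vendor-private."""
    if n < 0:
        return "vendor-private(%d)" % n
    return ETYPE_NAMES.get(n, "etype-%d" % n)


def parse_kdc_log(text):
    """Parse AS_REQ/TGS_REQ lines into dicts; silently skip other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = {k: m.group(k) for k in ("ts", "kdc", "req", "ip", "status")}
        ev["offered"] = [int(x) for x in m.group("offered").split()]
        rest = m.group("rest")
        if ev["status"] == "ISSUE":
            d = ISSUE_RE.match(rest)
            if d is None:
                continue
            ev.update(client=d.group("client"), server=d.group("server"),
                      authtime=int(d.group("authtime")), rep=int(d.group("rep")),
                      tkt=int(d.group("tkt")), ses=int(d.group("ses")))
        else:
            d = FAIL_RE.match(rest)
            if d is None:
                continue
            ev.update(client=d.group("client"), server=d.group("server"),
                      reason=d.group("reason") or "")
        events.append(ev)
    return events


def summarize_by_client(events):
    """Count (client principal, request type, status) triples."""
    return Counter((e["client"], e["req"], e["status"]) for e in events)


def flag_host_ticket_etype_gaps(events):
    """Issued host/ service tickets whose enctype the requester never offered.

    Heuristic: on workstation logon the requesting machine is also the
    service that must decrypt the ticket, so this is a likely mismatch.
    """
    return [e for e in events
            if e["req"] == "TGS_REQ" and e["status"] == "ISSUE"
            and e["server"].startswith("host/") and e["tkt"] not in e["offered"]]


if __name__ == "__main__":
    evs = parse_kdc_log(SAMPLE_LOG)
    for key, n in sorted(summarize_by_client(evs).items()):
        print("%-24s %-8s %-15s x%d" % (key + (n,)))
    for e in flag_host_ticket_etype_gaps(evs):
        print("check: %s ticket uses %s, requester offered %s" % (
            e["server"], etype_name(e["tkt"]),
            ", ".join(etype_name(x) for x in e["offered"])))
```

Feeding it a real log (read the file instead of SAMPLE_LOG) gives a per-client count of NEEDED_PREAUTH versus ISSUE plus any flagged host/ tickets; when a key check with kinit against the host principal succeeds but logon still fails, comparing the offered and chosen enctypes is the next thing to look at.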



