[Freeipa-users] Windows Kerberos auth to IPA
Johan Venter
mythtv at vulturest.com
Mon Oct 13 23:52:18 UTC 2008
Simo Sorce wrote:
>> Please help me to get this to work, it's driving me nuts - there's no
>> errors anywhere and as far as I can see the Windows host is getting
>> issued the appropriate tickets.
>
> The krb5kdc output seems indeed all correct.
> Have you tested that the ipa-getkeytab binary generated a valid key?
> I think I needed to fix a bug in the server to correctly generate a
> keytab when a password was specified. If you don't have this fix in the
> server you might get back a bogus ticket that cannot be verified.
Ok, I worked it out. By default the ipa-getkeytab is generating the host
principal keys in a bunch of different encryption formats, none of which
Windows supports.
So, by adding -e des-cbc-crc (from memory, not sure if that's exactly
right) to the ipa-getkeytab command line I got Windows to log in
immediately to the Kerberos realm.
Obviously, my group mapping requirements won't be solved any time soon,
but /mapuser * Administrator has given me 99% of the single sign on
requirement.
So to recap, if you want Windows to log into an IPA Kerberos realm,
generate keytabs with keys in less secure encryptions (yay, go Windows)
- no AES, no 3DES, Windows (at least Server 2003) does not support them.
Thanks for your help, Simo.
Johan.
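Simo's question (was a valid key actually written?) and Johan's finding (the key types were the problem, not the KDC) both come down to inspecting the keytab itself. The following is an added example, not code from the original thread or from FreeIPA: a small parser for the MIT keytab binary format (version 0x0502) that lists every entry's principal and enctype and flags which ones a Windows Server 2003 client can use. Windows 2003 speaks single DES (des-cbc-crc, des-cbc-md5) and RC4-HMAC against a non-Windows realm; AES came with Vista/Server 2008, and 3DES was never implemented. The two keytabs below are constructed in the script for illustration (one with AES/3DES keys only, one written with `-e des-cbc-crc`); the principal, realm, key bytes and timestamp are invented, and the set of enctypes a default ipa-getkeytab run produced in 2008 is assumed to match Johan's description rather than taken from the IPA source.

```python
"""Inspect a Kerberos keytab and report which keys a Windows 2003 host can use.

Added example (not from the original post). Parses the MIT keytab format
directly so it runs offline; the sample keytabs are constructed below.
"""
import struct

# Enctype numbers from RFC 3961, RFC 3962 and RFC 4757.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WINDOWS_2003_ENCTYPES = {1, 3, 23}   # single DES and RC4-HMAC only
WEAK_ENCTYPES = {1, 3}               # 56-bit DES: works, but weak


def _counted_string(data, off):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def parse_keytab(data):
    """Return one dict per entry: principal, enctype, kvno, keylen."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted_string(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted_string(data, off)
            comps.append(comp)
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4 + keylen            # skip the key bytes themselves
        kvno = vno8
        if end - off >= 4:           # optional 32-bit kvno, used when non-zero
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        off = end
        entries.append({
            "principal": b"/".join(comps).decode() + "@" + realm.decode(),
            "enctype": enctype,
            "kvno": kvno,
            "keylen": keylen,
        })
    return entries


def windows2003_usable(entries):
    """Entries whose key type a Windows Server 2003 client can actually use."""
    return [e for e in entries if e["enctype"] in WINDOWS_2003_ENCTYPES]


def report(entries):
    """Human-readable line per entry, with compatibility and weakness flags."""
    lines = []
    for e in entries:
        name = ENCTYPE_NAMES.get(e["enctype"], "enctype %d" % e["enctype"])
        flags = []
        if e["enctype"] in WINDOWS_2003_ENCTYPES:
            flags.append("win2003-ok")
        if e["enctype"] in WEAK_ENCTYPES:
            flags.append("WEAK")
        lines.append("kvno %d %-28s %s %s" % (e["kvno"], name, e["principal"],
                                              " ".join(flags)))
    return lines


def build_keytab(entries):
    """Serialize (principal, enctype, kvno, key) tuples; used only to construct samples."""
    out = bytearray(b"\x05\x02")
    for principal, enctype, kvno, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        # name_type NT-PRINCIPAL(1), constructed timestamp, 8-bit kvno
        body += struct.pack(">IIB", 1, 1223941938, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


HOST = "host/win2003.example.com@EXAMPLE.COM"   # constructed principal
# Constructed: strong key types only, the situation Johan hit by default.
DEFAULT_KEYTAB = build_keytab([(HOST, 18, 2, b"\x11" * 32),
                               (HOST, 17, 2, b"\x22" * 16),
                               (HOST, 16, 2, b"\x33" * 24)])
# Constructed: what "ipa-getkeytab -e des-cbc-crc" would leave you with.
DES_KEYTAB = build_keytab([(HOST, 1, 2, b"\x44" * 8)])

if __name__ == "__main__":
    for label, kt in (("default", DEFAULT_KEYTAB), ("des-cbc-crc", DES_KEYTAB)):
        entries = parse_keytab(kt)
        print("%s: %d entries, %d usable by Windows 2003" %
              (label, len(entries), len(windows2003_usable(entries))))
        print("\n".join(report(entries)))
```

Run it against a real file with `parse_keytab(open("/etc/krb5.keytab", "rb").read())` and compare with `klist -k -e`; if `windows2003_usable` returns nothing, the KDC is issuing perfectly valid tickets that the Windows host simply cannot decrypt, which is exactly why nothing shows up as an error. The keytab must also carry the same password the host was given with `ksetup /setcomputerpassword`, which is the `-P` path Simo refers to. Of the types Windows 2003 does accept, RC4-HMAC (enctype 23) is preferable to single DES where the KDC will issue it; the WEAK flag is there so that a DES-only keytab is a conscious trade-off, not an accident.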