[Freeipa-users] Ipa-client error (windows XP)

Konstantin Kozlov kozlov at spbcas.ru
Tue Mar 17 12:45:43 UTC 2009


Hi,

mahen wrote:
> Hi,
> 
> Thanks a lot. It worked. Everything is fine now.
Great!
> 
> Can I have ADS type of effect for IPA-Server. I don't want to create
> local users or to map all IPA users to a single user.
> 
As you have probably read already, you can't get policies for "ou"s. In IPAv1 
there is one policy, and in v2 policies will be for groups, as far as I know.

The next step for IPA+winxp setup will be Samba 3: 
http://www.dlt.com/sr/PDF/redhat/Securing_Samba_with_IPA-1.0.pdf
It works for me.

The next part, i.e. making network users, is said to be impossible, though 
it may be possible with the following trick:

http://support.microsoft.com/kb/320043

The local test user is created, but the path for home uses the environment 
variable %username%, which might be substituted with the ipa username after 
login, and hence different users mapped to a single one get different homes.

I didn't test that.

And map yourself to Administrator :)

As for software installations like in ADS look at http://wpkg.org/

Best regards,

Kostya

> Thanks...
> Mahendra
> 
> 
> On Tue, 2009-03-17 at 12:04 +0300, Konstantin Kozlov wrote:
>> Hi,
>>
>> reply to the list also.
>>
>> I am also on FC9 and with ipa 1.2.1 from yum. Have you installed the 
>> repo "updates new key"? Do that if not, and update everything from there 
>> before ipa install. Also, if possible, install on FC10 (or FC11 Beta), or 
>> even CentOS 5, compiling ipa-server from source. It was reported that 
>> FC9->FC10 upgrade may break the LDAP database.
>>
>> Also, did you read the how-to for windows on freeipa.org? And the list 
>> archives - there were a couple of discussions about winxp.
>>
>> mahen wrote:
>>> Hi,
>>> Thanks for quick reply.
>>>
>>> I think my IPA-Server is not supporting -P (password) switch with
>>> ipa-getkeytab.
>>>
>>> I have installed ipa-server through yum and it installed
>>> ipa-server-1.0.0-4.fc9.i386.
>>>
>>> Can I do this task with this version of IPA?
>>>
>>> Is there any easy way to upgrade ipa1.0 to ipa 1.2.
>>>
>> Look at the top of the letter for binaries. RPM does upgrade of other 
>> things, at least it did for me.
>>
>>> One more question. Is it required to keep the keytab file in windows
>>> system? If yes then where should I place this?
>> No, windows uses password instead (so keytab doesn't really matter).
>>
>> Best regards,
>>
>> Kostya
>>
>>> Thanks again..
>>> mahendra
>>>
>>> On Tue, 2009-03-17 at 11:01 +0300, Konstantin Kozlov wrote:
>>>> Hi,
>>>>
>>>> you've missed password stuff!
>>>>
>>>> mahen wrote:
>>>>> Hi,
>>>>> I am using IPA-Server on FC9.
>>>>>
>>>>> I am trying to log in to ipa server through windows xp (as client). If it
>>>>> is a new user in ipa-server, windows xp asks me to change the password
>>>>> and the change happens successfully, but xp fails to log in. It gives an error
>>>>> message saying...
>>>>> "Windows cannot connect to the domain, either because the domain
>>>>> controller is down or otherwise unavailable, or because your computer
>>>>> account was not found."
>>>>>
>>>>> Step-by-Step Procedure followed ( in IPA-Server)
>>>>> 1. ipa-addservice host/client.example.com
>>>>> 2. ipa-getkeytab -s server.example.com  -p host/client.example.com -e
>>>>> des-cbc-crc -k krb5.keytab.txt
>>>>>
>>>>> IN Windows XP
>>>>> 1. ksetup /setrealm EXAMPLE.COM
>>>>> 2. ksetup /addkdc EXAMPLE.COM server.example.com
>>>>> 3. ksetup /setmachpassword <password> (I don't know why this is used. Since all my passwords are the same it can match any user)
>>>> This is the machine password, not a user password. It is set up on ipa-server in 
>>>> step 2 as:
>>>>
>>>> ipa-getkeytab -s server.example.com  -p host/client.example.com -e 
>>>> des-cbc-crc -k krb5.keytab.txt -P <password>
>>>>
>>>>> 4. ksetup /mapuser * ipauser
>>>>>
>>>> Mapping individual users works if you name him ipauser@EXAMPLE.COM.
>>>>
>>>> Best regards,
>>>>
>>>> Kostya
>>>>
>>>>> Thanks..
>>>>> Mahendra


-- 
Konstantin Kozlov
Department of Computational Biology,
Center for Advanced Studies,
SPb State Polytechnical University,
195251, Polytechnicheskaya ul., 29,
bld 4, office 204,
St.Petersburg, Russia.

Tel./fax: +7 812 596 2831



