[Freeipa-users] Reply: Re: Once Again: Freeipa and Windows 7

Dmitri Pal dpal at redhat.com
Mon Aug 1 14:58:57 UTC 2011


On 08/01/2011 10:29 AM, roland.kaeser at intersoft-networks.ch wrote:
> Hello
>
> >You might be confused with this feature. This password is used with
> ipa-client auto enroll so that one can join a client into the IPA
> domain. The OTP is used for the authentication in this scenario.
> >In your case you are not using the client so OTP is irrelevant.
> >We do not test Win 7 hosts as clients but we know that in the past
> some people had success with such configuration.
> >
> >First please search archives as there was an earlier attempt with
> freeipa 2.0 earlier this year. As I recall it was successful. And
> earlier attempt with 1.x was covered here:
> >http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step
>
> The steps described in my mail were exactly the steps documented in
> the link above, where it's written under "Configuring Windows Client":
> ------------------
> 3. On the IPA Server add the host principal and set the password for
> the xp client.
> ..
> ksetup /setmachpassword <password> (the same password you have set in
> IPA server)
> ------------------
>
> So this confuses me a lot more. Especially because the description in
> the discussed document just doesn't work. And, sorry to say that, it
> also says exactly the converse of what you wrote in your mail.
> Also, especially when I use ipa-getkeytab as described in the document:
>
> ipa-getkeytab -s ds.example.com  -p host/bmdata01.example.com -e
> des-cbc-crc -k krb5.keytab.txt -P
>
> I only get "SASL Bind failed!".  So I can only create the host
> principal in the web interface. Then there is a kind of missing link
> between the exported keytab and what to do with it on the Windows client.
>
> I wrote my mail only because I couldn't find any solution while
> googling for it and also reading the freeipa archives. The only thread I
> found in the archives regarding Windows 7 and FreeIPA was:
>
> _https://www.redhat.com/archives/freeipa-users/2011-February/msg00039.html_
>
> It was about the same question and ended in a question from Simo about the
> installed krb5 package.  I know it's annoying with these Windows
> questions, but most of us have to deal with mixed environments.
> Also, Red Hat has to deal with such environments, as RHEV Manager
> requires Server 2008 R2 and Active Directory (we are currently also doing a
> pilot for a larger VDI project). So it cannot be that this scenario
> (FreeIPA server and Windows 7 clients) was never tested or documented.
>
> We (on our side) cannot change the customers' desktops from Windows
> to Linux (because there are already a lot of special applications which
> depend on a Windows desktop), but we can choose the server platform,
> and we want to have Linux (especially RHEL) as the server platform and, most
> desirable, FreeIPA as the authentication and identity platform.  But this
> can only work with a full integration of the Windows clients into FreeIPA.
>
> Sorry for the harsh mail, but as my colleagues and I want to have Linux
> and open source installed whenever possible, we often face the problem
> that the developers cannot see the problems and needs of us engineers
> and administrators at the front, where we deal with the
> heterogeneous environments of our customers.
>
> So I hope somebody can post a final and working documentation about
> the Windows 7 integration into FreeIPA. We really depend on this.
>
> Regards
>
> Roland

Let me be fair and frank. We are not testing Windows clients with IPA.
It has been done successfully by different people in the community
several times, and comments from them can be found in the archive. Making
Windows clients work with IPA is a big challenge which we have not taken
on and do not plan to. The point is that in our opinion IPA would not
be able to replace AD for Windows clients. There are too many protocols
and specific properties that a Windows client expects from its DC. So
the solution can only be very limited and in most cases not acceptable.
So we think that the best approach to address the issue of Windows
clients is to have them in AD but let IPA be the DC for the Linux
servers. For the current version one can use synchronization of the user
accounts from AD to IPA. It is not perfect, but this is the best available at
the moment. We are actively working on a much better solution: Cross
Forest Kerberos trusts. Hopefully it will be available next year. That
feature would require that users connecting from their desktops in the AD
domain have SSO with services in the IPA domain. There are other use cases
too.

But back to your point about clients working with IPA.  We do not know
of better info than what we mentioned. There might be some MIT
documentation about how to join a Windows machine to an MIT KDC. If this
can be done I am sure the same can be done with IPA.


> From:        Dmitri Pal <dpal at redhat.com>
> To:        freeipa-users at redhat.com
> Date:        01.08.2011 14:39
> Subject:        Re: [Freeipa-users] Once Again: Freeipa and Windows 7
> Sent by:        freeipa-users-bounces at redhat.com
> ------------------------------------------------------------------------
>
>
>
> On 07/31/2011 04:44 AM, roland.kaeser at intersoft-networks.ch wrote:
> Hello
>
> I'm trying again to set up a pilot FreeIPA infrastructure for Linux/AFS
> servers and Windows clients. So the first (and hardest) task is to
> join a "Windows 7" into FreeIPA/Kerberos.
> I already read the available documentation and setup my pilot client
> with the following parameters:
>
> ksetup /setdomain SAMPLE.CH
> ksetup /SetRealm SAMPLE.CH
> ksetup /AddKdc SAMPLE.CH freeipa.sample.ch
> ksetup /AddKpasswd SAMPLE.CH freeipa.sample.ch
> ksetup /SetComputerPassword MYPASSWORDHERE
> ksetup /MapUser * *
>
> Changed the available encryption types for Kerberos in secpol.msc
> under Local Policies/Security Options/Network Security/Network
> Security: Configure encryption types allowed for Kerberos to:
> DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1,
> Future encryption types
>
> Created a host principal in the freeipa webinterface and set the OTP
> to MYPASSWORDHERE.
>
> You might be confused with this feature. This password is used with
> ipa-client auto enroll so that one can join a client into the IPA
> domain. The OTP is used for the authentication in this scenario.
> In your case you are not using the client so OTP is irrelevant.
> We do not test Win 7 hosts as clients but we know that in the past
> some people had success with such configuration.
>
> First please search archives as there was an earlier attempt with
> freeipa 2.0 earlier this year. As I recall it was successful. And
> earlier attempt with 1.x was covered here:
> http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step
>
>
> The clock of the windows 7 machine is synced with the ntpd of the
> freeipa server.
>
> When I try to login I get the usual password change request dialog on
> the windows 7 client and the following krb5log entry:
>
>    Jul 31 10:39:05 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: CLIENT KEY EXPIRED: isn-roland@SAMPLE.CH for krbtgt/SAMPLE.CH@SAMPLE.CH, Password has expired
>
> When I try to change the password I get only "The username or password
> is wrong" with the following krb5log entries:
>
>    Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: NEEDED_PREAUTH: isn-roland@SAMPLE.CH for kadmin/changepw@SAMPLE.CH, Additional pre-authentication required
>    Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed
>    Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: isn-roland@SAMPLE.CH for kadmin/changepw@SAMPLE.CH, Decrypt integrity check failed
>    Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed
>    Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: isn-roland@SAMPLE.CH for kadmin/changepw@SAMPLE.CH, Decrypt integrity check failed
>
> After long googling and long investigation, I can't see the issue
> behind these problems.
>
> Has someone set up a similar environment and can give me some advice
> to get this up and running?
>
> Regards
>
> Roland
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
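A small triage script for the krb5kdc lines quoted in this thread, added here as an example and not part of the thread or of FreeIPA: it parses the AS_REQ entries, names the enctypes the client offered (single DES and export-grade RC4 are flagged as weak), and turns each KDC status into a plain-language note. The sample log lines are constructed in the format of those quoted above; the enctype number-to-name table follows MIT krb5's naming.

```python
import re

# MIT krb5 enctype numbers as printed in krb5kdc AS_REQ lines; the negative
# values are MIT's names for the legacy Windows RC4 variants.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp",
               -128: "rc4-hmac-old", -135: "rc4-hmac-old-exp"}
WEAK_ETYPES = {1, 3, 24, -135}  # single DES and export-grade RC4

# Shape of the AS_REQ lines quoted in this thread (archive markup removed).
AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{(?P<etypes>[-\d ]+)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_ ]+): (?P<client>\S+) for "
    r"(?P<service>[^,]+), (?P<reason>.+)")

def parse_as_req(line):
    """Return a dict describing an AS_REQ line, or None for other KDC lines."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    etypes = [int(e) for e in m["etypes"].split()]
    f = {"ip": m["ip"], "client": m["client"], "service": m["service"].strip(),
         "status": m["status"].strip(), "reason": m["reason"].strip(),
         "weak_etypes": [ETYPE_NAMES.get(e, str(e)) for e in etypes if e in WEAK_ETYPES],
         "note": ""}
    if f["status"] == "CLIENT KEY EXPIRED":
        f["note"] = "password expired; a kadmin/changepw exchange should follow"
    elif f["status"] == "PREAUTH_FAILED" and "Decrypt integrity check" in f["reason"]:
        f["note"] = "client key does not match the KDC's key (wrong password, or enctype/salt mismatch)"
    elif f["status"] == "NEEDED_PREAUTH":
        f["note"] = "normal first round trip; the KDC asked for pre-authentication"
    return f

def triage(log_text):
    """Parse every AS_REQ line in a krb5kdc log and return one record per request."""
    return [f for f in (parse_as_req(l) for l in log_text.splitlines()) if f]

# Constructed sample in the format of the KDC lines quoted in this thread.
SAMPLE_LOG = """\
Jul 31 10:39:05 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: CLIENT KEY EXPIRED: isn-roland@SAMPLE.CH for krbtgt/SAMPLE.CH@SAMPLE.CH, Password has expired
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: NEEDED_PREAUTH: isn-roland@SAMPLE.CH for kadmin/changepw@SAMPLE.CH, Additional pre-authentication required
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: isn-roland@SAMPLE.CH for kadmin/changepw@SAMPLE.CH, Decrypt integrity check failed
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ip']} {f['client']} -> {f['service']}: {f['status']}; "
              f"weak etypes offered: {', '.join(f['weak_etypes']) or 'none'}; {f['note']}")
```

The "preauth (timestamp) verify failure" line carries no principal of its own, so it is skipped; the PREAUTH_FAILED record that follows it names the client and service.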


