[Freeipa-users] LDAP authentication into FreeIPA
Simo Sorce
simo at redhat.com
Wed Nov 16 14:25:50 UTC 2011
On Tue, 2011-11-15 at 20:44 -0500, Jimmy wrote:
> I did supply this to the list at the middle of September, but will
> re-send. I know things get lost in the flow of emails/lists.
>
> ==============IPA and ksetup steps=================
> I can't find the technet article right now, but here's what I did
> that makes Win7 (and XP, but XP doesn't need the gpedit step) work.
>
>
> One note about this: I kept getting strange errors with any encryption
> besides rc4-hmac. For my situation I think it is suitable (a static
> environment once the systems are deployed), but if others want to
> spend more time hacking on the system MS messed up, go for it ;).
>
> On FreeIPA:
>
> i. create the host principal in the web interface
> ii. create IPA users to correspond to windows users
> iii. reset the user's IPA password to a known password using the web
> interface; the user will be prompted to change it at first log in.
> (is there a default password or is this random? sorry if that's
> somewhere else in docs and I missed it)
> iv. on the IPA server run `ipa-getkeytab -s [kdc DNS name]
> -p host/[machine-name] -e arcfour-hmac -k krb5.keytab.[machine-name]
> -P` (enter the password that will be used in the
> `ksetup /secomputerpassword` below)
>
> configure windows ksetup:
>
> i. ksetup /setdomain [REALM NAME]
> ii. ksetup /addkdc [REALM NAME] [kdc DNS name]
> iii. ksetup /addkpassword [REALM NAME] [kdc DNS name]
> iv. ksetup /setcomputerpassword [PASSWORD]
> v. ksetup /mapuser * *
> vi. Run gpedit.msc. Under Computer Configuration\Windows Settings
> \Security Settings\Local Policies\Security Options open the key called
> "Network Security: Configure encryption types allowed for Kerberos"
> and unselect everything except RC4_HMAC_MD5
Hi Jimmy and all,
at this year's Kerberos Conference interop we found out what was causing
issues with AES and we have a patch in the master tree. This step will
hopefully not be necessary anymore quite soon.
Simo.
> vii. *** REBOOT ***
> viii. log in as [user]@[REALM] with the initial password, you will be
> prompted to change the password then logged in.
>
--
Simo Sorce * Red Hat, Inc * New York
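Jimmy's workaround pins Windows hosts to RC4 (arcfour-hmac) in both the `ipa-getkeytab -e arcfour-hmac` step and the gpedit policy, and Simo notes the AES fix is coming. Once that lands, an administrator needs to find which keytabs are still RC4-only so those hosts can be re-keyed. The following is an added example, not code from the post or from FreeIPA: it parses an MIT keytab file (version 2 layout, `0x0502`) and reports principals whose only keys use weak enctypes. The sample keytab is constructed inline with dummy key bytes; `sample_keytab`, `audit_keytab` and the principal names are assumptions for the illustration.

```python
"""Audit an MIT Kerberos keytab for principals that only carry weak
(RC4/DES) keys. Added example; assumes the MIT keytab v2 binary layout
and a constructed sample keytab (no real keys)."""
import struct
from collections import defaultdict

ENCTYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}  # DES variants and RC4 (arcfour-hmac)


def parse_keytab(data: bytes):
    """Yield (principal, kvno, enctype) for each live entry in a v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT keytab v2 file")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                     # negative size = hole from a deleted entry
            pos += -size
            continue
        entry, end = data[pos:pos + size], pos + size
        off = 0
        (ncomp,) = struct.unpack(">H", entry[off:off + 2]); off += 2
        (rlen,) = struct.unpack(">H", entry[off:off + 2]); off += 2
        realm = entry[off:off + rlen].decode(); off += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", entry[off:off + 2]); off += 2
            comps.append(entry[off:off + clen].decode()); off += clen
        off += 4                         # name type (v2 only)
        off += 4                         # timestamp
        vno = entry[off]; off += 1       # 8-bit key version
        enctype, klen = struct.unpack(">HH", entry[off:off + 4]); off += 4
        off += klen                      # skip key material itself
        if off + 4 <= size:              # optional 32-bit kvno overrides vno8 if nonzero
            (vno32,) = struct.unpack(">I", entry[off:off + 4])
            if vno32:
                vno = vno32
        yield "/".join(comps) + "@" + realm, vno, enctype
        pos = end


def audit_keytab(data: bytes):
    """Return ({principal: [enctype names]}, {principals with only weak keys})."""
    keys = defaultdict(set)
    for princ, _vno, etype in parse_keytab(data):
        keys[princ].add(etype)
    weak_only = {p for p, ets in keys.items() if ets and ets <= WEAK_ENCTYPES}
    report = {p: sorted(ENCTYPE_NAMES.get(e, f"enctype-{e}") for e in ets)
              for p, ets in keys.items()}
    return report, weak_only


def build_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """Serialise one keytab v2 entry (used only to build the constructed sample)."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">I", 1)             # NT-PRINCIPAL
    body += struct.pack(">I", 1321000000)    # constructed timestamp
    body += struct.pack(">B", kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def sample_keytab() -> bytes:
    """Constructed keytab: one Windows host pinned to RC4 as in the post,
    one IPA host with AES keys. Key bytes are dummies, not real keys."""
    return (b"\x05\x02"
            + build_entry("host/win7.example.com@EXAMPLE.COM", 1, 23, b"\x00" * 16)
            + build_entry("host/ipa.example.com@EXAMPLE.COM", 2, 18, b"\x11" * 32)
            + build_entry("host/ipa.example.com@EXAMPLE.COM", 2, 17, b"\x22" * 16))


if __name__ == "__main__":
    report, weak = audit_keytab(sample_keytab())
    for princ, etypes in sorted(report.items()):
        flag = "  <-- weak-only, re-key once AES works" if princ in weak else ""
        print(f"{princ}: {', '.join(etypes)}{flag}")
```

To run this against a real file, replace `sample_keytab()` with `open("/etc/krb5.keytab", "rb").read()` (reading a keytab requires root); `klist -kte` shows the same enctype list, but the parser lets the check run across many hosts' keytabs without shelling out.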