[Freeipa-users] LDAP authentication into FreeIPA

Simo Sorce simo at redhat.com
Wed Nov 16 14:25:50 UTC 2011


On Tue, 2011-11-15 at 20:44 -0500, Jimmy wrote:
> I did supply this to the list at the middle of September, but will
> re-send. I know things get lost in the flow of emails/lists. 
> 
> ==============IPA and ksetup steps=================
> I can't find the technet article right now, but here's what I did
> that makes Win7 (and XP, but XP doesn't need the gpedit step) work.
> 
> 
> One note about this, I kept getting strange errors with any encryption
> besides rc4-hmac. For my situation I think it is suitable (a static
> environment once the systems are deployed), but if others want to
> spend more time hacking on the system MS messed up, go for it ;).
> 
> On FreeIPA:
> 
> i.   create the host principal in the web interface
> ii.  create IPA users to correspond to windows users
> iii. reset the user's IPA password to a known password using the web
> interface, the user will be prompted to change at first log in.
> (is there a default password or is this random? sorry if that's
> somewhere else in docs and I missed it)
> iv.  on the IPA server run `ipa-getkeytab -s [kdc DNS name]
> -p host/[machine-name] -e arcfour-hmac -k krb5.keytab.[machine-name]
> -P` (enter the password that will be used in the
> `ksetup /setcomputerpassword` below)
> 
> configure windows ksetup:
> 
> i.   ksetup /setdomain [REALM NAME]
> ii.  ksetup /addkdc [REALM NAME] [kdc DNS name]
> iii. ksetup /addkpasswd [REALM NAME] [kdc DNS name]
> iv.  ksetup /setcomputerpassword [PASSWORD]
> v.   ksetup /mapuser * *
> vi.  Run gpedit.msc. Under Computer Configuration\Windows Settings
> \Security Settings\Local Policies\Security Options open the key called
> "Network Security: Configure encryption types allowed for Kerberos" and
> unselect everything except RC4_HMAC_MD5

Hi Jimmy and all,
at this year's Kerberos Conference interop we found out what was causing
issues with AES and we have a patch in the master tree. This step will
hopefully not be necessary anymore quite soon.

Simo.


> vii.  *** REBOOT ***
> viii. log in as [user]@[REALM] with the initial password, you will be
> prompted to change the password then logged in.
> 


-- 
Simo Sorce * Red Hat, Inc * New York
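The failure Jimmy describes (errors with anything but rc4-hmac) shows up as a mismatch between the enctypes stored in the keytab produced by `ipa-getkeytab` and the single enctype the Windows policy allows. The script below is an added example, not code from this thread or from FreeIPA: it parses MIT `klist -k -t -e` output (constructed sample, hypothetical host names) and checks that every key for a host principal uses the one enctype the gpedit step leaves enabled.

```shell
#!/bin/sh
# Added example, not from the original thread. Parses MIT krb5 `klist -k -t -e`
# output and verifies that a host principal's keys use a single enctype
# (RC4_HMAC_MD5 on Windows is "arcfour-hmac" in MIT's display names).

# Constructed sample output; in practice: klist -k -t -e krb5.keytab.[machine-name]
# Host names and realm are hypothetical.
SAMPLE_KLIST='Keytab name: FILE:krb5.keytab.win7
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 11/15/2011 20:44:00 host/win7.example.test@EXAMPLE.TEST (arcfour-hmac)
   2 11/15/2011 20:44:00 host/win7.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   3 11/15/2011 20:50:00 host/xp.example.test@EXAMPLE.TEST (arcfour-hmac)'

# Print the enctypes stored for a principal, one per line.
# Reads klist output on stdin; $1 = full principal name.
# Data lines are: KVNO date time principal (enctype), so fields 4 and 5.
keytab_enctypes() {
    awk -v p="$1" '$4 == p { gsub(/[()]/, "", $5); print $5 }'
}

# Exit 0 when every key for principal $1 uses enctype $2 (default arcfour-hmac),
# 1 when the principal is missing or any other enctype is present. A keytab that
# carries AES keys next to RC4 ones is the mismatch the thread is about.
check_single_enctype() {
    want="${2:-arcfour-hmac}"
    found=$(keytab_enctypes "$1")
    [ -n "$found" ] || return 1
    bad=$(printf '%s\n' "$found" | grep -v -x "$want" || true)
    [ -z "$bad" ]
}

# Demonstration on the constructed sample: xp passes, win7 fails (AES key present).
for princ in host/xp.example.test@EXAMPLE.TEST host/win7.example.test@EXAMPLE.TEST; do
    if printf '%s\n' "$SAMPLE_KLIST" | check_single_enctype "$princ"; then
        echo "$princ: only arcfour-hmac keys, matches the Windows policy"
    else
        echo "$princ: extra or missing enctypes, expect Kerberos errors on the client"
    fi
done
```

Run it against the real keytab by replacing the sample with `klist -k -t -e krb5.keytab.[machine-name] | check_single_enctype 'host/[machine-name]@[REALM NAME]'`.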



