[Freeipa-users] Windows Clients

Jimmy g17jimmy at gmail.com
Mon Feb 27 20:29:51 UTC 2012


Nope, I kept forgetting to re-post it. Here are the steps I used:

On FreeIPA:

i.    create the host principal in the web interface
ii.   create IPA users to correspond to Windows users
iii.  reset the user's IPA password to a known password using the web
interface; the user will be prompted to change it at first login. (Is
there a default password or is this random? Sorry if that's somewhere
else in the docs and I missed it.)
iv.   on the IPA server run `ipa-getkeytab -s [kdc DNS name] -p host/[machine-name] -e arcfour-hmac -k krb5.keytab.[machine-name] -P`

Configure Windows ksetup:

i.    ksetup /setdomain [REALM NAME]
ii.    ksetup /addkdc [REALM NAME] [kdc DNS name]
iii.    ksetup /addkpassword [REALM NAME] [kdc DNS name]
iv.    ksetup /setcomputerpassword [PASSWORD]
v.    ksetup /mapuser * *
vi.   Run gpedit.msc. Under Computer Configuration\Windows
Settings\Security Settings\Local Policies\Security Options, open the
key called “Network Security: Configure encryption types allowed for
Kerberos” and unselect everything except RC4_HMAC_MD5.
vii.    *** REBOOT ***
viii. Log in as [user]@[REALM] with the initial password; you will be
prompted to change the password and then logged in.

On Fri, Feb 24, 2012 at 8:33 AM, Nigel Sollars <nsollars at gmail.com> wrote:

> Hello,
>
> I've been away for a little while, did I miss any posting of this
> information?
>
> Thanks
> Nigel Sollars
>
>
> On Thu, Feb 9, 2012 at 9:51 AM, Jimmy <g17jimmy at gmail.com> wrote:
>
>> Yes, I'll find that and post it. I've been traveling for work the past
>> few weeks and haven't had it with me.
>>
>>
>> On Thu, Feb 9, 2012 at 8:25 AM, Nigel Sollars <nsollars at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> Could you point me to the document please :).
>>>
>>> Thanks in advance.
>>>
>>>
>>> On Mon, Feb 6, 2012 at 1:34 PM, Jimmy <g17jimmy at gmail.com> wrote:
>>>
>>>> I am not making the windows systems part of an AD. I only need to
>>>> replicate users from an AD group to FreeIPA and I've had issues making that
>>>> work. I was working on that with a couple guys here on the list a couple
>>>> weeks ago but have been traveling so it's been hard to make time to work on
>>>> that.
>>>>
>>>> I submitted the doc to configure Win7 a while back but will look for it
>>>> and re-submit.
>>>>
>>>> Jimmy
>>>>
>>>> On Mon, Feb 6, 2012 at 12:24 PM, Dmitri Pal <dpal at redhat.com> wrote:
>>>>
>>>>> On 02/06/2012 11:31 AM, Jimmy wrote:
>>>>>
>>>>> I don't think you have to put it anywhere; ipa-getkeytab mainly
>>>>> sets the workstation password in FreeIPA. I keep the client keytabs in /etc
>>>>> (krb5.keytab.[clientname]).
>>>>>
>>>>>  I have many Win7 and WinXP workstations authenticating but I'm still
>>>>> working on getting user/password sync working.
>>>>>
>>>>>  Jimmy
>>>>>
>>>>>
>>>>> Jimmy,
>>>>>
>>>>> Are you using Windows systems directly with IPA, or do you make them
>>>>> part of the AD domain and use winsync to sync data from AD to IPA?
>>>>> If you managed to set up Win7 directly with IPA, please share how you
>>>>> have done this.
>>>>>
>>>>> Thanks
>>>>> Dmitri
>>>>>
>>>>>
>>>>>
>>>>> On Mon, Feb 6, 2012 at 10:39 AM, Nigel Sollars <nsollars at gmail.com> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>>  Quick question,
>>>>>>
>>>>>>  I want to set up a Windows system to use my realm; I've followed the
>>>>>> prep list and created a simple arcfour-hmac krb5.keytab.  The guide does
>>>>>> not mention where I place this keytab.  I thought I would check before
>>>>>> running any of the ksetup commands.
>>>>>>
>>>>>>  Also just for reference has anyone gotten Windows 7 / server 2008
>>>>>> authenticated?  ( I guess that should also include server 2003 ).
>>>>>>
>>>>>>  Thanks in advance
>>>>>>
>>>>>>  Nigel Sollars
>>>>>>
>>>>>>
>>>>>>  --
>>>>>> “Science is a differential equation. Religion is a boundary
>>>>>> condition.”
>>>>>>
>>>>>> Alan Turing
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>>
>>>>> Sr. Engineering Manager IPA project,
>>>>> Red Hat Inc.
>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> “Science is a differential equation. Religion is a boundary condition.”
>>>
>>> Alan Turing
>>>
>>>
>>
>>
>
>
> --
> “Science is a differential equation. Religion is a boundary condition.”
>
> Alan Turing
>
>
>
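
To confirm what the `ipa-getkeytab` step at the top of this message wrote, the following added example (not part of the original thread and not FreeIPA code) parses a keytab in the MIT 0x0502 file format and checks that it holds an arcfour-hmac key for the host principal, which is the only type the RC4_HMAC_MD5 policy on the Windows side accepts. The realm, host name and all-zero key are constructed placeholders, and `parse_keytab`, `host_key_problems` and `build_entry` are names chosen for this example.

```python
import struct
# Kerberos enctype numbers; 23 is the arcfour-hmac (RC4_HMAC_MD5) used in the steps.
ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac"}

def _counted(buf, off):  # uint16 length prefix, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype name)] from MIT keytab bytes (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # a negative size marks a deleted slot of that many bytes
            pos -= size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = _counted(entry, 2)
        parts = []
        for _ in range(ncomp):
            comp, off = _counted(entry, off)
            parts.append(comp.decode())
        off += 8  # skip name type and timestamp
        kvno, etype = struct.unpack_from(">BH", entry, off)
        _, off = _counted(entry, off + 3)  # step over the key bytes; never print them
        if len(entry) - off >= 4:  # optional 32-bit kvno replaces the 8-bit one
            kvno = struct.unpack_from(">I", entry, off)[0] or kvno
        name = "/".join(parts) + "@" + realm.decode()
        out.append((name, kvno, ENCTYPES.get(etype, "etype-%d" % etype)))
    return out

def host_key_problems(data, principal):  # [] means an arcfour-hmac key is present
    etypes = [e for p, _, e in parse_keytab(data) if p == principal]
    if "arcfour-hmac" in etypes:
        return []
    return ["%s: no arcfour-hmac key (found: %s)" % (principal, ", ".join(etypes) or "none")]

def build_entry(realm, comps, kvno, etype, key):  # constructed test data only
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body
# Constructed sample: a placeholder host principal with an all-zero 16-byte key.
SAMPLE = b"\x05\x02" + build_entry("EXAMPLE.TEST", ["host", "win7-01.example.test"], 1, 23, bytes(16))
```

For a real file, pass `open("/etc/krb5.keytab.[machine-name]", "rb").read()` and the `host/[machine-name]@[REALM]` principal; the output can be compared with `klist -k -e` on the IPA server.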