[Freeipa-users] Pure Kerberos login on Windows stopped working

Simo Sorce simo at redhat.com
Tue Nov 12 20:39:41 UTC 2013


On Tue, 2013-11-12 at 21:11 +0100, Nicklas Björk wrote:
> In our environment we have a very limited number of shared virtual Windows
> 7 machines. We haven't really seen any value in setting up an AD domain
> for them, but have been relying on pure Kerberos authentication using
> the ksetup procedure
> (http://www.freeipa.org/page/Windows_authentication_against_FreeIPA).
> 
> Recently the LDAP in our FreeIPA 3.0 was updated with the task to add
> SIDs to all old user accounts (the newer ones would already have a SID),
> but that made the Kerberos logon stop working for remote desktop
> connections. Logging on to the console using the same Kerberos
> credentials would still work... This seems to be directly related to the
> addition of SIDs in LDAP, as removing the object class ipantuserattrs
> and the SID would get it back in order again.
> 
> Are there any known tricks that could be applied to the Windows machines
> (or to FreeIPA for that matter) that would make this work again?

It's odd that adding the SIDs makes it not work; I remember reports of
people being happy to see it work better.

We do have a way to disable setting the MS-PAC on tickets, but I fear it
is only for TGS requests and not for the TGT.

Have you added SIDs because you are using a trust relationship with an
AD domain, and you just wish not to use them for these few Windows
machines?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York