[Freeipa-users] Joining a Windows Workstation to an IPA realm (It works better than expected!)

Dmitri Pal dpal at redhat.com
Fri Sep 20 16:07:49 UTC 2013 

On 09/20/2013 11:01 AM, Alexander Bokovoy wrote:
> On Fri, 20 Sep 2013, Loris Santamaria wrote:
>> Hi all,
>>
>> yesterday I was going to try puppet on windows, so I fired up a Windows
>> 7 VM, and just for curiosity, instead of joining it to the AD realm, i
>> decided to try the instructions outlined in the wiki to join the machine
>> to the IPA realm:
>> http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
>>
>> So I went with the instructions, on the windows Workstation.
>>
>> ksetup /setdomain [REALM NAME]
>> ksetup /addkdc [REALM NAME] [kdc DNS name]
>> ksetup /addkpassword [REALM NAME] [kdc DNS name]
>> ksetup /setcomputerpassword [MACHINE_PASSWORD] (the one used above)
>> ksetup /mapuser * *
>>
>> Next, the instructions tell you to create Windows local users
>> corresponding to the IPA kerberos realm users, because you know,
>> kerberos only does authentication and it can tell nothing to the windows
>> workstation about the identity of the user... However, just for kicks, I
>> rebooted the VM and _without creating any local user_ I tried to login
>> with myuser at IPA.REALM … And it worked! It created a profile directory,
>> showed my full name on the start menu. Then I tried to browse the web
>> and SSO with squid worked like a charm, SSO with putty worked and I even
>> logged in to the IPA administration page with my ticket.
>>
>> But it wasn't supposed to work without creating a local user... why it
>> was working then?
>>
>> Please notice this, the IPA realm has a trust with the AD realm, so
>> samba 4 is running on the IPA servers and every user in the IPA realm
>> has a SID assigned... and its ticket comes with a PAC, I think that is
>> the important part.
> Exactly. You actually don't need to create the trust, just run
> ipa-adtrust-install to make sure IPA's infrastructure is configured to
> issue SIDs and accept them.
>
>>
>> Finally, what worked and what don't:
>>
>>      * I was able to login on Win 7 with an IPA user and having a local
>>        profile created automatically
>>      * I was able to perform SSO authentication with IPA services
>>      * I was able to add my IPA user to the "Administrators" group in
>>        windows, with the NET LOCALGROUP command.
>>      * I couldn't add the IPA "admins" group to the "Administrators"
>>        group. With "NET LOCALGROUP Administrators IPA\admins /add" it
>>        tells me that it doesn't recognise the IPA\admins group.
> Right, because it doesn't know where to look up translation between
> IPA\admins string and SID as you haven't really configured Windows PC to
> be part of the domain and IPA domain doesn't provide services Windows PC
> expect to be there by default for resolving user/group to SIDs in Active
> Directory.
>
>>      * I couldn't add other IPA users to the Administrators group, only
>>        my logged in user.
> Same here.
>
>>      * I can't add IPA users to group with the graphical administration
>>        tools, they won't show the IPA realm, only the NET command
>>        worked somehow
> Same here. Windows UIs rely on AD global catalog service which we don't
> implement.
>
>
>> I'm investigating why Windows can't see IPA users and group other than
>> the currently logged in user, but I suspect that is simply because
>> Windows takes the logged in user SID from the PAC and it doesn't really
>> talk to samba4.
> Yep, only that it doesn't know where to talk as there is no proper
> service available.
>
>
Loris,

This is a great input! Thanks for investigation, it is really helpful!

Alexander,

So when we add GC support in IPA how would the picture change?


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

More information about the Freeipa-users mailing list