[Freeipa-users] Windows client

Alexander Bokovoy abokovoy at redhat.com
Wed Feb 19 18:34:13 UTC 2014


On Wed, 19 Feb 2014, Mauricio Tavares wrote:
>      When I added a windows 7 client (let's call it
>windows.lan.domain.com), I had to go manually enter the domain (in
>System Properties->Computer Name/Domain Changes->DNS Suffix and
>netbios computer name) even though ipconfig would report it properly.
>Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM
>instead of windows.lan.domain.com@DOMAIN.COM. Does anyone know why? I
>know the realm and the domain names are not quite the same (domain has
>a "lan" in it), but should that matter?
Windows uses NetBIOS name$ as the machine name in TGT requests for the
host.

At this point we don't have means to correct this via IPA CLI. You need
to use ldapmodify directly and add 

    krbprincipalname: windows$@DOMAIN.COM
    krbcanonicalname: HOST/windows.lan.domain.com@DOMAIN.COM

to the host entry.

KrbPrincipalName can have multiple values, and if there is more than
one, KrbCanonicalName should be set to the canonical version, which is
the original KrbPrincipalName in IPA.


>      On an unrelated note, in
>http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it
>should be
>
>ksetup /addkpasswd
>
>not
>
>ksetup /addkpassword
Corrected, thanks!

-- 
/ Alexander Bokovoy
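
The change described in the reply above, written out as LDIF for ldapmodify (an added example, not part of the original message or of FreeIPA itself). The host entry DN layout, the realm-derived suffix, the use of the first hostname label as the NetBIOS name, and the server name in the usage comment are assumptions; the attribute values follow the reply.

```shell
#!/bin/sh
# Added example: build the LDIF that adds the Windows-style machine
# principal (name$@REALM) as an alias on an IPA host entry.
# Assumptions: host entries live under cn=computers,cn=accounts,<suffix>
# and the suffix is derived from the realm (DOMAIN.COM -> dc=domain,dc=com).

realm_to_suffix() {
    # DOMAIN.COM -> dc=domain,dc=com
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed -e 's/^/dc=/' -e 's/\./,dc=/g'
}

build_alias_ldif() {
    fqdn=$1
    realm=$2
    # Refuse a bare short name: the DN and canonical name need the FQDN.
    case $fqdn in
        *.*) ;;
        *) echo "expected a fully qualified host name, got: $fqdn" >&2
           return 1 ;;
    esac
    # Assumption: the NetBIOS name is the first label of the FQDN.
    # Compare it with the principal that actually appears in the KDC log.
    short=${fqdn%%.*}
    cat <<EOF
dn: fqdn=${fqdn},cn=computers,cn=accounts,$(realm_to_suffix "$realm")
changetype: modify
add: krbprincipalname
krbprincipalname: ${short}\$@${realm}
-
add: krbcanonicalname
krbcanonicalname: HOST/${fqdn}@${realm}
EOF
}

# Print the LDIF for the host discussed in the thread. To apply it, pipe
# the output to ldapmodify after kinit as a user allowed to edit the host:
#   build_alias_ldif windows.lan.domain.com DOMAIN.COM \
#       | ldapmodify -Y GSSAPI -H ldap://ipa.example.test   # hypothetical server
build_alias_ldif windows.lan.domain.com DOMAIN.COM
```

Review the printed LDIF against the existing host entry (for example with ldapsearch) before applying it, since the canonical name should match the principal already stored there.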



