[Freeipa-users] Windows client
Simo Sorce
simo at redhat.com
Wed Feb 19 18:44:08 UTC 2014
On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote:
> On Wed, 19 Feb 2014, Mauricio Tavares wrote:
> > When I added a windows 7 client (let's call it
> >windows.lan.domain.com), I had to go manually enter the domain (in
> >System Properties->Computer Name/Domain Changes->DNS Suffix and
> >netbios computer name) even though ipconfig would report it properly.
> >Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM
> >instead of windows.lan.domain.com@DOMAIN.COM. Does anyone know why? I
> >know the realm and the domain names are not quite the same (domain has
> >a "lan" in it), but should that matter?
> Windows uses NetBIOS name$ as the machine name in TGT requests for the
> host.
>
> At this point we don't have means to correct this via IPA CLI. You need
> to use ldapmodify directly and add
>
> krbprincipalname: windows$DOMAIN.COM
> krbcanonicalname: HOST/windows.lan.domain.com@DOMAIN.COM
Note that 'host' here should be lower case.
Simo.
> to the host entry.
>
> KrbPrincipalName can have multiple values and if there are more than
> one, KrbCanonicalName should be set to the canonical version which is
> the original KrbPrincipalName in IPA.
>
>
> > On an unrelated note, in
> >http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it
> >should be
> >
> >ksetup /addkpasswd
> >
> >not
> >
> >ksetup /addkpassword
> Corrected, thanks!
>
--
Simo Sorce * Red Hat, Inc * New York
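
The LDAP change discussed in this thread, written out as an added example; it is not code from the posters or from the FreeIPA project. It builds the LDIF for ldapmodify using the NetBIOS-style alias in the form the KDC log reported (windows$@DOMAIN.COM) and the lower-case host/ canonical name. The host entry DN layout, the suffix derived from the realm, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: host entries live at
# fqdn=<FQDN>,cn=computers,cn=accounts,<suffix> and the suffix mirrors the realm.

# realm_to_suffix DOMAIN.COM  ->  dc=domain,dc=com
realm_to_suffix() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/^/dc=/; s/\./,dc=/g'
}

# host_alias_ldif FQDN REALM  ->  LDIF on stdout, non-zero status on bad input
host_alias_ldif() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    realm=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    # Only DNS-safe characters may reach the DN and attribute values,
    # so input cannot smuggle extra RDNs or LDIF lines.
    case "$fqdn" in
        ''|*[!a-z0-9.-]*|.*|*.|*..*) echo "bad host name" >&2; return 1 ;;
        *.*) ;;
        *) echo "host name must be fully qualified" >&2; return 1 ;;
    esac
    case "$realm" in
        ''|*[!A-Z0-9.-]*) echo "bad realm" >&2; return 1 ;;
    esac
    short=${fqdn%%.*}   # first label, as the Windows client sends it
    cat <<EOF
dn: fqdn=$fqdn,cn=computers,cn=accounts,$(realm_to_suffix "$realm")
changetype: modify
add: krbprincipalname
krbprincipalname: $short\$@$realm
-
add: krbcanonicalname
krbcanonicalname: host/$fqdn@$realm
EOF
}

# Values from the thread; review the output, then apply it with
# ldapmodify as a directory administrator.
host_alias_ldif windows.lan.domain.com DOMAIN.COM
```

After the change, the host entry carries two krbprincipalname values, and krbcanonicalname names the original host/ principal as the canonical one.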