[Freeipa-users] Windows client

Mauricio Tavares raubvogel at gmail.com
Wed Feb 19 19:10:01 UTC 2014


On Wed, Feb 19, 2014 at 2:02 PM, Petr Spacek <pspacek at redhat.com> wrote:
> On 19.2.2014 19:44, Simo Sorce wrote:
>>
>> On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote:
>>>
>>> On Wed, 19 Feb 2014, Mauricio Tavares wrote:
>>>>
>>>>       When I added a Windows 7 client (let's call it
>>>> windows.lan.domain.com), I had to go manually enter the domain (in
>>>> System Properties->Computer Name/Domain Changes->DNS Suffix and
>>>> NetBIOS computer name) even though ipconfig would report it properly.
>>>> Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM
>>>> instead of windows.lan.domain.com@DOMAIN.COM. Does anyone know why? I
>>>> know the realm and the domain names are not quite the same (domain has
>>>> a "lan" in it), but should that matter?
>>>
>>> Windows uses NetBIOS name$ as the machine name in TGT requests for the
>>> host.
>>>
>>> At this point we don't have means to correct this via IPA CLI. You need
>>> to use ldapmodify directly and add
>>>
>>>      krbprincipalname: windows$DOMAIN.COM
>>>      krbcanonicalname: HOST/windows.lan.domain.com@DOMAIN.COM
>>
>>
>> Note that 'host' here should be lower case.
>
>
> ... And please note that
> http://www.freeipa.org/page/Windows_authentication_against_FreeIPA is an
> option of last resort.
>
> Please use real trust between AD and IPA whenever possible:
> http://www.freeipa.org/page/Trusts
>
      Would not having an AD server be eligible for the option of last resort?

> Have a nice day!
>
> Petr^2 Spacek
>
>
>>> to the host entry.
>>>
>>> KrbPrincipalName can have multiple values and if there are more than
>>> one, KrbCanonicalName should be set to the canonical version which is
>>> the original KrbPrincipalName in IPA.
>>>
>>>
>>>>       On an unrelated note, in
>>>> http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it
>>>> should be
>>>>
>>>> ksetup /addkpasswd
>>>>
>>>> not
>>>>
>>>> ksetup /addkpassword
>>>
>>> Corrected, thanks!