[Freeipa-users] Windows client

Petr Spacek pspacek at redhat.com
Wed Feb 19 19:48:04 UTC 2014


On 19.2.2014 20:10, Mauricio Tavares wrote:
> On Wed, Feb 19, 2014 at 2:02 PM, Petr Spacek <pspacek at redhat.com> wrote:
>> On 19.2.2014 19:44, Simo Sorce wrote:
>>>
>>> On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote:
>>>>
>>>> On Wed, 19 Feb 2014, Mauricio Tavares wrote:
>>>>>
>>>>>        When I added a windows 7 client (let's call it
>>>>> windows.lan.domain.com), I had to go manually enter the domain (in
>>>>> System Properties->Computer Name/Domain Changes->DNS Suffix and
>>>>> netbios computer name) even though ipconfig would report it properly.
>>>>> Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM
>>>>> instead of windows.lan.domain.com at DOMAIN.COM. Does anyone know why? I
>>>>> know the realm and the domain names are not quite the same (domain has
>>>>> a "lan" in it), but should that matter?
>>>>
>>>> Windows uses NetBIOS name$ as the machine name in TGT requests for the
>>>> host.
>>>>
>>>> At this point we don't have means to correct this via IPA CLI. You need
>>>> to use ldapmodify directly and add
>>>>
>>>>       krbprincipalname: windows$@DOMAIN.COM
>>>>       krbcanonicalname: HOST/windows.lan.domain.com at DOMAIN.COM
>>>
>>>
>>> Note that 'host' here should be lower case.
>>
>>
>> ... And please note that
>> http://www.freeipa.org/page/Windows_authentication_against_FreeIPA is an
>> option of last resort.
>>
>> Please use real trust between AD and IPA whenever possible:
>> http://www.freeipa.org/page/Trusts
>>
>        Would not having an AD server be eligible for the option of last resort?

Sure, when Samba 4 has an ability to create trust with IPA :-)

Seriously, if you have a non-trivial network with Windows clients you really 
need something for managing them - most likely AD or Samba 4. Unfortunately, 
Samba 4 is not able to create trust with IPA right now.

Petr^2 Spacek

>>>> to the host entry.
>>>>
>>>> KrbPrincipalName can have multiple values and if there are more than
>>>> one, KrbCanonicalName should be set to the canonical version which is
>>>> the original KrbPrincipalName in IPA.
>>>>
>>>>
>>>>>        On an unrelated note, in
>>>>> http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it
>>>>> should be
>>>>>
>>>>> ksetup /addkpasswd
>>>>>
>>>>> not
>>>>>
>>>>> ksetup /addkpassword
>>>>
>>>> Corrected, thanks!


-- 
Petr^2 Spacek
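The ldapmodify change Alexander describes, as an added example that is not from the thread or the FreeIPA project: a small shell helper emits the LDIF that adds the NetBIOS-style principal (the windows$@DOMAIN.COM form seen in the KDC log) and sets the canonical name with a lower-case host/ prefix. It assumes the host entry lives at fqdn=<fqdn>,cn=computers,cn=accounts,<base DN> and that the existing principal is host/<fqdn>@<REALM>.

```shell
#!/bin/sh
# Constructed example: build the LDIF for the host-entry change and feed it
# to ldapmodify, e.g.
#   make_ldif windows.lan.domain.com windows DOMAIN.COM dc=domain,dc=com \
#     | ldapmodify -x -D 'cn=Directory Manager' -W
# Assumed DN layout: fqdn=<fqdn>,cn=computers,cn=accounts,<base DN>.
make_ldif() {
    fqdn="$1"; netbios="$2"; realm="$3"; basedn="$4"
    printf 'dn: fqdn=%s,cn=computers,cn=accounts,%s\n' "$fqdn" "$basedn"
    printf 'changetype: modify\n'
    # krbPrincipalName is multi-valued: add the alias Windows uses in TGT
    # requests (NETBIOSNAME$@REALM) next to the existing host/ principal.
    printf 'add: krbprincipalname\n'
    printf 'krbprincipalname: %s$@%s\n' "$netbios" "$realm"
    printf -- '-\n'
    # With more than one principal, krbCanonicalName must name the original
    # IPA principal; 'host' is lower case.
    printf 'replace: krbcanonicalname\n'
    printf 'krbcanonicalname: host/%s@%s\n' "$fqdn" "$realm"
    printf -- '-\n'
}

# Sanity check before applying: a NetBIOS name is at most 15 characters and
# must be given without the trailing '$' (the helper appends it).
valid_netbios() {
    case "$1" in
        *'$'*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}
```

Verify afterwards with `ipa host-show windows.lan.domain.com --all`, which lists every krbprincipalname value on the entry.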