[Freeipa-users] Trouble getting a windows computer to get a TGT from a linux FreeIPA server

Haiden, Scott B. Scott.Haiden at gd-ms.com
Mon Jul 6 15:53:51 UTC 2015


Hello,

I have a KDC set up on a Linux virtual host, known as ldap.abc, which has a
FreeIPA server running on it. I am trying to get a TGT from it, from my
Windows 7 Enterprise machine. I am able to easily interact with it from other
Linux hosts, but I am not having any luck from the Windows one.

I have installed MIT Kerberos Tools for Windows on the Windows computer. I
also copied over the /etc/krb5.conf file from a Linux host that is able to
contact it. It contains the following:

[libdefaults]
  default_realm = ABC
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  PCS = {
    kdc = ldap.abc:88
    master_kdc = ldap.abc:88
    admin_server = ldap.abc:749
    default_domain = abc
    pkinit_anchors = FILE:H:\Kerberos\ca.crt
  }

[domain_realm]
  .abc = ABC
  abc = ABC

(Note that in the real file, I don't use "ABC" as the realm or domain but the
real value is something else).

I also copied over the ca.crt file and saved it to my Windows machine, and
pointed the config file to it.

If I set the KRB5_CONFIG environment variable in a command prompt and run
`kinit username@ABC` (replacing username and ABC with my real username and
the real realm, obviously) I get only this inscrutable and undescriptive error:

    kinit: Invalid argument while getting initial credentials

I am wondering if it's a resolution issue brought on by proxying or something
related: To get to ldap.abc, I have to go through a proxy. Web browsers are
able to successfully navigate to it at https://ldap.abc but nslookup ldap.abc
fails.

Is this something that's even possible to do? Any pointers on where I should go
to look for documentation would be appreciated.

Thanks,
--Scott

-------------------------
The views expressed are the author's and do not necessarily reflect the official position of General Dynamics or any of its subsidiaries or the organization providing Internet access.
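
An added example (not part of the original post, and not FreeIPA or MIT Kerberos code): a small Python check that parses a krb5.conf like the one quoted above and lists realms that are referenced by default_realm or [domain_realm] but have no kdc entry under [realms] while dns_lookup_kdc is off. The function names and the reduced sample are constructed for illustration; it assumes MIT krb5's default of dns_lookup_kdc = true and that the first value of a repeated key is the one used.

```python
import re

# Constructed sample: the realm-related lines of the krb5.conf quoted in the post.
SAMPLE = """\
[libdefaults]
  default_realm = ABC
  dns_lookup_kdc = false
[realms]
  PCS = {
    kdc = ldap.abc:88
  }
[domain_realm]
  .abc = ABC
  abc = ABC
"""

def parse_krb5(text):
    """Parse [sections], 'key = value' pairs and one level of '{ }' nesting."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                     # new [section] header
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":                         # end of a realm stanza
            block = None
        elif section is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":                      # start of a nested stanza
                block = section.setdefault(key, {})
            else:                                 # values kept as lists (keys may repeat)
                (section if block is None else block).setdefault(key, []).append(value)
    return conf

def unlocatable_realms(conf):
    """List (where_referenced, realm) pairs for which no KDC can be found."""
    lib = conf.get("libdefaults", {})
    # Assumption: unset dns_lookup_kdc means true (MIT krb5 default).
    dns_kdc = lib.get("dns_lookup_kdc", ["true"])[0].lower() in ("y", "yes", "t", "true", "1", "on")
    refs = {("default_realm", r) for r in lib.get("default_realm", [])[:1]}
    refs |= {("domain_realm " + d, r[0]) for d, r in conf.get("domain_realm", {}).items()}
    realms = conf.get("realms", {})
    return [(where, realm) for where, realm in sorted(refs)
            if not dns_kdc and "kdc" not in realms.get(realm, {})]
```

Run against the config as posted, it lists ABC for default_realm and for both [domain_realm] entries, because the only stanza under [realms] is named PCS; the post notes that the real file uses different names.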
