[Freeipa-users] Trouble getting a windows computer to get a TGT from a linux FreeIPA server

Haiden, Scott B. Scott.Haiden at gd-ms.com
Mon Jul 6 20:03:58 UTC 2015


Thanks Rob. Looking at that log file, it confirmed that it wasn't connecting to host successfully. After I set up a tunnel to the kdc it works like a charm.

Much appreciated,
--Scott

-----Original Message-----
From: Rob Crittenden [mailto:rcritten at redhat.com] 
Sent: Monday, July 06, 2015 10:58 AM
To: Haiden, Scott B.; freeipa-users at redhat.com
Subject: Re: [Freeipa-users] Trouble getting a windows computer to get a TGT from a linux FreeIPA server

Haiden, Scott B. wrote:
> Hello,
>
> I have a KDC set up on a Linux virtual host, known as ldap.abc, which has a
> FreeIPA server running on it. I am trying to get a TGT from it, from my
> Windows 7 Enterprise machine. I am able to easily interact with it from other
> Linux hosts, but I am not having any luck from the Windows one.
>
> I have installed MIT Kerberos Tools for Windows on the Windows computer. I
> also copied over the /etc/krb5.conf file from a Linux host that is able to
> contact it. It contains the following:
>
> [libdefaults]
>    default_realm = ABC
>    dns_lookup_realm = false
>    dns_lookup_kdc = false
>    rdns = false
>    ticket_lifetime = 24h
>    forwardable = yes
>
> [realms]
>    PCS = {
>      kdc = ldap.abc:88
>      master_kdc = ldap.abc:88
>      admin_server = ldap.abc:749
>      default_domain = abc
>      pkinit_anchors = FILE:H:\Kerberos\ca.crt
>    }
>
> [domain_realm]
>    .abc = ABC
>    abc = ABC
>
> (Note that in the real file, I don't use "ABC" as the realm or domain but the
> real value is something else).
>
> I also copied over the ca.crt file and saved it to my Windows machine, and
> pointed the config file to it.
>
> If I set the KRB5_CONFIG environment variable in a command prompt and run
> `kinit username at ABC` (replacing username and ABC with my real username and
> the real realm, obviously) I get only this inscrutable and undescriptive
> error:
>
>      kinit: Invalid argument while getting initial credentials
>
> I am wondering if it's a resolution issue brought on by proxying or something
> related: to get to ldap.abc, I have to go through a proxy. Web browsers are
> able to successfully navigate to it at https://ldap.abc but nslookup ldap.abc
> fails.
>
> Is this something that's even possible to do? Any pointers on where I should go
> to look for documentation would be appreciated.

It's been forever, probably 6 years, since I looked at MIT Kerberos on Windows, but I believe the client has some sort of auto-configure option where it will fetch the configuration from a server. The IPA server should be configured to provide this configuration (there were 3 files IIRC). You could try re-configuring using that.

Alternatively I'd start with /var/log/krb5kdc.log to see if it is getting to the KDC at all.

rob
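A client-side pre-flight for the two things this thread turns on, added here as an example that is not from the thread, FreeIPA or MIT Kerberos: it parses a krb5.conf, flags a default_realm that has no matching [realms] stanza, and checks whether a kdc entry actually resolves and accepts TCP on port 88 (the connectivity gap the tunnel above closed). SAMPLE_CONF is a constructed file mirroring the quoted config; host names and the realm/stanza names are taken from it, not from any real deployment.

```python
import socket

# Constructed sample modelled on the config quoted in the thread (not the poster's real file).
SAMPLE_CONF = """
[libdefaults]
  default_realm = ABC
[realms]
  PCS = {
    kdc = ldap.abc:88
  }
"""

def parse_krb5_conf(text):
    """Parse krb5.conf (INI-style sections with one level of { } nesting) into nested dicts."""
    sections, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, sub = sections.setdefault(line[1:-1], {}), None
        elif line == "}":
            sub = None
        elif section is not None and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if value == "{":
                sub = section.setdefault(key, {})
            else:
                (section if sub is None else sub)[key] = value
    return sections

def check_realm_config(conf):
    """Return the configuration problems found; an empty list means the realm stanza is consistent."""
    realm = conf.get("libdefaults", {}).get("default_realm")
    if not realm:
        return ["no default_realm in [libdefaults]"]
    realms = conf.get("realms", {})
    if realm not in realms:
        return [f"default_realm {realm} has no [realms] stanza (found: {sorted(realms)})"]
    if "kdc" not in realms[realm]:
        return [f"[realms] {realm} lists no kdc"]
    return []

def kdc_reachable(kdc, timeout=3.0):
    """True if a kdc value (host or host:port, default port 88) resolves and accepts a TCP connection."""
    host, _, port = kdc.partition(":")
    try:
        with socket.create_connection((host, int(port or 88)), timeout=timeout):
            return True
    except OSError:  # DNS failure, refused, or timeout: what a proxy-only path looks like
        return False
```

Run check_realm_config(parse_krb5_conf(open(path).read())) against the file KRB5_CONFIG points at, then kdc_reachable() on each kdc value, before reading anything into the "Invalid argument" message from kinit.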