[Freeipa-users] FreeIPA and Windows
Loris Santamaria
loris at lgs.com.ve
Tue Nov 10 18:32:56 UTC 2015
El mar, 10-11-2015 a las 11:18 -0700, Randolph Morgan escribió:
> I am certain that everyone gets tired of answering the same questions
> over and over, so maybe an update to the documentation would be
> better.
> I am trying to get my Windows machines to authenticate against a
> FreeIPA
> server running IPA 4.2+ on RHEL 7. I have followed the documentation
> listed on
> https://www.freeipa.org/page/Windows_authentication_against_FreeIPA,
> but
> there seems to be a few steps missing.
>
> In the Configure FreeIPA you are told to create a keytab for the
> Windows
> machine in question. After creating the keytab, what do you do with
> it? It jumps from creating the keytab to configuring Windows but
> does
> not say what to do with the keytab and the instructions never
> reference
> it again. Would someone please clarify this and is this something we
> would need to do for each and every Windows machine on our network?
Note that the ipa-getkeytab command is called with the -P option, so it
asks for a password: that password is used as a password for the
machine principal and is stored in the directory.
So no, the keytab is not really used anywhere else and can be deleted.
It is the act of generating (with a known password) it that needs to be
done for every windows machine in the network. Please use strong,
random and different passwords for each windows machine in the network.
--
Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve
Links Global Services, C.A. http://www.lgs.com.ve
Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5693 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20151110/0ee9d81a/attachment.bin>
More information about the Freeipa-users
mailing list