[Freeipa-users] FreeIPA and Windows
Loris Santamaria
loris at lgs.com.ve
Wed Nov 11 00:54:02 UTC 2015
On Tue, 10-11-2015 at 16:15 -0700, Randolph Morgan wrote:
> Yes they are in the same DNS domain as the IPA server. I am able to
> resolve the server address. Which side would you like more information
> on, the server side or the client side? We are not running any AD
> domains, so this is not a Windows-based system. We are running FreeIPA
> 4.2+ on RHEL 7.1 using the stock Samba from RHEL. On the client side I
> am running Windows 10 and I have installed MIT Kerberos version 4.01.
> In the MIT ticket manager I show a TGT and it works as it should. But
> from the command prompt in Windows if I do a klist it reports:
>
> Current LogonId is 0:0x6320a
>
> Cached Tickets: (0)
>
> So even though MIT Kerberos shows a successful negotiation with IPA and
> a ticket is received, Windows reports back the above when a klist is
> run.
I think that is the problem: you shouldn't use MIT Kerberos.
The commands listed on the howto:
1. ksetup /setdomain [REALM NAME]
2. ksetup /addkdc [REALM NAME] [kdc DNS name]
3. ksetup /addkpasswd [REALM NAME] [kdc DNS name]
4. ksetup /setcomputerpassword [MACHINE_PASSWORD] (the one used above)
5. ksetup /mapuser * *
are meant to be run with the native Windows ksetup command. The native
Windows Kerberos libraries cannot see tickets obtained with MIT
Kerberos.
Best regards
> What I am trying to do is get the two to talk to each other, but I
> have not had any success as of yet. I have edited the krb5.ini with the
> correct information, and rebooted the machine multiple times with no
> change. Any help here would be really appreciated; we are taking this
> system live over the weekend and would really love to have this part
> fixed.
>
> Randy
>
> Randy Morgan
> CSR
> Department of Chemistry and Biochemistry
> Brigham Young University
> 801-422-4100
>
> On 11/10/2015 3:50 PM, Loris Santamaria wrote:
> > On Tue, 10-11-2015 at 11:51 -0700, Randolph Morgan wrote:
> > > Ok, that makes sense, but could we not just create the host in the
> > > IPA UI as part of the DNS?
> > That isn't enough, the DNS object just maps to an IP address, you
> > have to create a "host" object with ipa host-add, that object is
> > needed to store the Kerberos principal and password for the host.
> >
> > > Also we seem to be having some difficulty with another part of the
> > > process, that is getting the Windows machines to even acknowledge
> > > that they have the ability to talk with the KDC. Following the
> > > commands yields only that the Windows machine is unable to locate
> > > the KDC, are we missing something? Is this one of the issues
> > > related to different versions of Kerberos, e.g. MIT vs Heimdal?
> > You should check for DNS inconsistencies first, are the Windows
> > machines in the same DNS domain as Windows? Can they resolve the
> > addresses of the IPA servers? If that doesn't help you should post
> > more details of your setup...
> >
> > Best regards
> >
> >
> > > On 11/10/2015 11:32 AM, Loris Santamaria wrote:
> > > > On Tue, 10-11-2015 at 11:18 -0700, Randolph Morgan wrote:
> > > > > I am certain that everyone gets tired of answering the same
> > > > > questions over and over, so maybe an update to the
> > > > > documentation would be better. I am trying to get my Windows
> > > > > machines to authenticate against a FreeIPA server running IPA
> > > > > 4.2+ on RHEL 7. I have followed the documentation listed on
> > > > > https://www.freeipa.org/page/Windows_authentication_against_FreeIPA,
> > > > > but there seem to be a few steps missing.
> > > > >
> > > > > In the Configure FreeIPA section you are told to create a keytab
> > > > > for the Windows machine in question. After creating the keytab,
> > > > > what do you do with it? It jumps from creating the keytab to
> > > > > configuring Windows but does not say what to do with the keytab,
> > > > > and the instructions never reference it again. Would someone
> > > > > please clarify this, and is this something we would need to do
> > > > > for each and every Windows machine on our network?
> > > > Note that the ipa-getkeytab command is called with the -P option,
> > > > so it asks for a password: that password is used as the password
> > > > for the machine principal and is stored in the directory.
> > > >
> > > > So no, the keytab is not really used anywhere else and can be
> > > > deleted. It is the act of generating it (with a known password)
> > > > that needs to be done for every Windows machine in the network.
> > > > Please use strong, random and different passwords for each
> > > > Windows machine in the network.
> > > >
> > > >
>
--
Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve
Links Global Services, C.A. http://www.lgs.com.ve
Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
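The Windows-side procedure from the thread above (the five native ksetup commands, preceded by the DNS check Loris asked for and followed by the native klist check), as an added example script that is not part of the original messages or of the FreeIPA howto. The realm EXAMPLE.TEST and the KDC name ipa.example.test are assumptions; the password prompted for must be the same string given to `ipa-getkeytab -P` when the host was created on the IPA server with `ipa host-add`, as described in the quoted part of the thread. Run it from an elevated PowerShell prompt on the client.

```powershell
# Added example: native ksetup configuration of one Windows client for a
# FreeIPA realm, with the pre-check and post-check the thread calls for.
# Assumed values (replace them): realm EXAMPLE.TEST, KDC ipa.example.test.
param(
    [string]$Realm = 'EXAMPLE.TEST',      # assumption: the IPA realm, upper case
    [string]$Kdc   = 'ipa.example.test'   # assumption: an IPA server's DNS name
)

$ErrorActionPreference = 'Stop'

# 1. Pre-check. The first failure reported in the thread was "unable to
#    locate the KDC", so confirm the name resolves and TCP/88 answers before
#    touching the Kerberos configuration at all.
$a = Resolve-DnsName -Name $Kdc -Type A | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
if (-not $a) { throw "$Kdc has no A record; fix DNS before configuring Kerberos" }
Write-Host "KDC $Kdc resolves to $($a.IPAddress)"
$tnc = Test-NetConnection -ComputerName $Kdc -Port 88
if (-not $tnc.TcpTestSucceeded) { throw "TCP/88 to $Kdc failed; check routing/firewall" }

# 2. The machine password. It must be exactly what was typed at the
#    'ipa-getkeytab -P' prompt for host/<this machine> on the IPA server;
#    read it at run time rather than embedding it in a script, and use a
#    different random value per machine as the thread advises.
$pw = Read-Host -Prompt "Password given to ipa-getkeytab -P for host/$env:COMPUTERNAME"

# 3. The five howto commands, run with the native Windows ksetup (not MIT
#    Kerberos for Windows, whose tickets the Windows LSA cannot see).
& ksetup /setdomain $Realm
& ksetup /addkdc $Realm $Kdc            # repeat for each additional IPA server
& ksetup /addkpasswd $Realm $Kdc
& ksetup /setcomputerpassword $pw
& ksetup /mapuser '*' '*'               # map every realm principal to the local account of the same name

# 4. Show what Windows now believes about the realm (ksetup with no
#    arguments prints the stored realm, KDC and mapping settings).
& ksetup

Write-Host "Reboot now (ksetup /setdomain needs it). After logging on as a $Realm user,"
Write-Host "the native 'klist' must list a krbtgt/$Realm ticket; 'Cached Tickets: (0)' means"
Write-Host "the logon did not go through the Windows Kerberos provider."
```

The check at the end is the one the thread turns on: the `klist` that ships with Windows reads the LSA ticket cache, so it is the only ticket listing that proves the native provider talked to the IPA KDC. A TGT visible in the MIT ticket manager but not in native `klist` is the symptom Randolph reported and does not mean the Windows configuration is working.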