[Freeipa-users] FreeIPA and Windows

Loris Santamaria loris at lgs.com.ve
Wed Nov 11 00:54:02 UTC 2015


On Tue, 10-11-2015 at 16:15 -0700, Randolph Morgan wrote:
> Yes they are in the same DNS domain as the IPA server.  I am able to
> resolve the server address.  Which side would you like more information
> on, the server side or the client side?  We are not running any AD
> domains, so this is not a Windows based system.  We are running FreeIPA
> 4.2+ on RHEL 7.1 using the stock Samba from RHEL.  On the client side I
> am running Windows 10 and I have installed MIT Kerberos version 4.01.
> In the MIT ticket manager I show a TGT and it works as it should.  But
> from the command prompt in Windows if I do a klist it reports:
> 
>     Current LogonId is 0:0x6320a
> 
>     Cached Tickets: (0)
> 
> So even though MIT Kerberos shows a successful negotiation with IPA and
> a ticket is received, Windows reports back the above when a klist is
> run.

I think that is the problem: you shouldn't use MIT Kerberos.

The commands listed on the howto:

1. ksetup /setdomain [REALM NAME]
2. ksetup /addkdc [REALM NAME] [kdc DNS name]
3. ksetup /addkpasswd [REALM NAME] [kdc DNS name]
4. ksetup /setcomputerpassword [MACHINE_PASSWORD] (the one used above)
5. ksetup /mapuser * *

are meant to be run with the native Windows ksetup command. The native
Windows Kerberos libraries cannot see tickets obtained with MIT
Kerberos.

Best regards


> What I am trying to do is get the two to talk to each other, but I
> have not had any success as of yet.  I have edited the krb5.ini with
> the correct information, and rebooted the machine multiple times with
> no change.  Any help here would be really appreciated, we are taking
> this system live over the weekend and would really love to have this
> part fixed.
> 
> Randy
> 
> Randy Morgan
> CSR
> Department of Chemistry and Biochemistry
> Brigham Young University
> 801-422-4100
> 
> On 11/10/2015 3:50 PM, Loris Santamaria wrote:
> > On Tue, 10-11-2015 at 11:51 -0700, Randolph Morgan wrote:
> > > Ok, that makes sense, but could we not just create the host in
> > > the IPA UI as part of the DNS?
> > That isn't enough, the dns object just maps to an ip address, you
> > have to create a "host" object with ipa host-add, that object is
> > needed to store the kerberos principal and password for the host.
> > 
> > > Also we seem to be having some difficulty with another part of
> > > the process, that is getting the Windows machines to even
> > > acknowledge that they have the ability to talk with the kdc.
> > > Following the commands yields only that the windows machine is
> > > unable to locate the kdc, are we missing something?  Is this one
> > > of the issues related to different versions of Kerberos, e.g. MIT
> > > vs Heimdal.
> > You should check for dns inconsistencies first, are the windows
> > machines in the same dns domain as windows? Can they solve the
> > addresses of the ipa servers? If that doesn't help you should post
> > more details of your setup...
> > 
> > Best regards
> > 
> > 
> > > On 11/10/2015 11:32 AM, Loris Santamaria wrote:
> > > > On Tue, 10-11-2015 at 11:18 -0700, Randolph Morgan wrote:
> > > > > I am certain that everyone gets tired of answering the same
> > > > > questions over and over, so maybe an update to the
> > > > > documentation would be better.  I am trying to get my Windows
> > > > > machines to authenticate against a FreeIPA server running IPA
> > > > > 4.2+ on RHEL 7.  I have followed the documentation listed on
> > > > > https://www.freeipa.org/page/Windows_authentication_against_FreeIPA,
> > > > > but there seems to be a few steps missing.
> > > > > 
> > > > > In the Configure FreeIPA you are told to create a keytab for
> > > > > the Windows machine in question.  After creating the keytab,
> > > > > what do you do with it?  It jumps from creating the keytab to
> > > > > configuring Windows but does not say what to do with the keytab
> > > > > and the instructions never reference it again.  Would someone
> > > > > please clarify this and is this something we would need to do
> > > > > for each and every Windows machine on our network?
> > > > Note that the ipa-getkeytab command is called with the -P
> > > > option, so it asks for a password: that password is used as a
> > > > password for the machine principal and is stored in the
> > > > directory.
> > > > 
> > > > So no, the keytab is not really used anywhere else and can be
> > > > deleted.  It is the act of generating it (with a known password)
> > > > that needs to be done for every windows machine in the network.
> > > > Please use strong, random and different passwords for each
> > > > windows machine in the network.
> > > > 
> 
-- 
Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
Links Global Services, C.A.            http://www.lgs.com.ve
Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said
a faster horse" - Henry Ford
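
The two halves of the procedure discussed in this thread (the host object plus
ipa-getkeytab -P on the IPA side, and the five native ksetup commands on the
Windows side) as one added example script. This is not code from the FreeIPA
howto or from anyone in the thread; it assumes the Kerberos realm is the
upper-cased DNS domain, that the IPA commands are run on an enrolled client
holding an admin ticket, and uses the placeholder realm EXAMPLE.TEST and KDC
ipa.example.test. It generates a strong random password per Windows machine,
refuses short host names (the "unable to locate the kdc" symptom usually comes
from a name that does not resolve in the IPA domain), and by default only
prints the IPA commands instead of running them (DRY_RUN=1):

```shell
#!/bin/sh
# Added example: enroll one Windows machine against FreeIPA.
# Assumptions (not from the thread): REALM is the upper-cased DNS domain,
# ipa/ipa-getkeytab are in PATH on an enrolled client with an admin TGT,
# EXAMPLE.TEST / ipa.example.test are placeholders. DRY_RUN=1 prints only.

REALM="${REALM:-EXAMPLE.TEST}"
KDC="${KDC:-ipa.example.test}"
DRY_RUN="${DRY_RUN:-1}"

# Strong, random, per-machine password: this is what ipa-getkeytab -P asks
# for and what ksetup /setcomputerpassword gets. Alphanumeric only so it
# can be typed into both tools without quoting trouble; 32 chars.
gen_machine_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
    echo
}

# The host principal the howto's ipa-getkeytab call refers to.
host_principal() {
    printf 'host/%s@%s\n' "$1" "$REALM"
}

# Require a FQDN inside the realm's DNS domain (assumed to be the realm
# lower-cased); a short name or a foreign domain will not resolve the KDC.
check_fqdn() {
    domain=$(printf '%s' "$REALM" | tr 'A-Z' 'a-z')
    case "$1" in
        ?*."$domain") return 0 ;;
    esac
    return 1
}

# IPA side: the DNS record alone is not enough, the host object must exist
# to hold the principal; the keytab file is a by-product and is deleted.
enroll_host() {
    fqdn=$1; pw=$2
    check_fqdn "$fqdn" || { echo "not a FQDN in the realm domain: $fqdn" >&2; return 1; }
    princ=$(host_principal "$fqdn")
    kt="/tmp/$fqdn.keytab"
    if [ "$DRY_RUN" = 1 ]; then
        echo "ipa host-add $fqdn"
        echo "ipa-getkeytab -s $KDC -p $princ -k $kt -P    # enter: $pw"
        return 0
    fi
    ipa host-add "$fqdn" || return 1
    echo "At the ipa-getkeytab prompt, enter the machine password: $pw"
    ipa-getkeytab -s "$KDC" -p "$princ" -k "$kt" -P || return 1
    rm -f "$kt"   # not needed afterwards, the password is what matters
}

# Windows side: the howto's commands for the native ksetup tool. Tickets
# from MIT Kerberos for Windows are invisible to the Windows klist/LSA.
ksetup_commands() {
    pw=$1
    printf 'ksetup /setdomain %s\n' "$REALM"
    printf 'ksetup /addkdc %s %s\n' "$REALM" "$KDC"
    printf 'ksetup /addkpasswd %s %s\n' "$REALM" "$KDC"
    printf 'ksetup /setcomputerpassword %s\n' "$pw"
    printf 'ksetup /mapuser * *\n'
}

# Usage: sh enroll.sh <windows-fqdn>   (no argument: only defines functions)
if [ "$#" -eq 1 ]; then
    pw=$(gen_machine_password)
    echo "# On the IPA server, as admin:"
    enroll_host "$1" "$pw" || exit 1
    echo "# On $1, in an elevated command prompt (native ksetup, not MIT kinit):"
    ksetup_commands "$pw"
fi
```

Run it once per Windows machine; the first block of output is typed on the
IPA server, the second in an elevated command prompt on that Windows machine.
Because the script prints the generated password so it can be entered at the
ipa-getkeytab prompt and in ksetup, treat its output as a secret and do not
keep it around afterwards.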
