[Freeipa-users] FreeIPA and Windows
David Kreitschmann
david at kreitschmann.de
Wed Nov 11 02:28:44 UTC 2015
If you use the MSLSA credential cache, MIT Kerberos works.
kinit -c MSLSA: user@REALM
Not sure about the MIT ticket manager.
On 11.11.2015 at 01:54, Loris Santamaria <loris at lgs.com.ve> wrote:
>
>
> On Tue, 10-11-2015 at 16:15 -0700, Randolph Morgan wrote:
>> Yes they are in the same DNS domain as the IPA server. I am able to
>> resolve the server address. Which side would you like more information
>> on, the server side or the client side? We are not running any AD
>> domains, so this is not a Windows based system. We are running FreeIPA
>> 4.2+ on RHEL 7.1 using the stock Samba from RHEL. On the client side I
>> am running Windows 10 and I have installed MIT Kerberos version 4.01.
>> In the MIT ticket manager I show a TGT and it works as it should. But
>> from the command prompt in Windows if I do a klist it reports:
>>
>> Current LogonId is 0:0x6320a
>>
>> Cached Tickets: (0)
>>
>> So even though MIT Kerberos shows a successful negotiation with IPA and
>> a ticket is received, Windows reports back the above when a klist is
>> run.
>
> I think that is the problem, you shouldn't use MIT Kerberos.
>
> The commands listed on the howto:
>
> 1. ksetup /setdomain [REALM NAME]
> 2. ksetup /addkdc [REALM NAME] [kdc DNS name]
> 3. ksetup /addkpasswd [REALM NAME] [kdc DNS name]
> 4. ksetup /setcomputerpassword [MACHINE_PASSWORD] (the one used above)
> 5. ksetup /mapuser * *
>
> are meant to be run with the Windows native ksetup command. The native
> Windows Kerberos libraries cannot see tickets obtained with MIT
> Kerberos.
>
> Best regards
>
>
>> What I am trying to do is get the two to talk to each other, but I
>> have not had any success as of yet. I have edited the krb5.ini with the
>> correct information, and rebooted the machine multiple times with no
>> change. Any help here would be really appreciated; we are taking this
>> system live over the weekend and would really love to have this part
>> fixed.
>>
>> Randy
>>
>> Randy Morgan
>> CSR
>> Department of Chemistry and Biochemistry
>> Brigham Young University
>> 801-422-4100
>>
>> On 11/10/2015 3:50 PM, Loris Santamaria wrote:
>>> On Tue, 10-11-2015 at 11:51 -0700, Randolph Morgan wrote:
>>>> Ok, that makes sense, but could we not just create the host in the
>>>> IPA UI as part of the DNS?
>>> That isn't enough, the DNS object just maps to an IP address; you have
>>> to create a "host" object with ipa host-add. That object is needed to
>>> store the Kerberos principal and password for the host.
>>>
>>>> Also we seem to be having some difficulty with another part of the
>>>> process, that is getting the Windows machines to even acknowledge
>>>> that they have the ability to talk with the KDC. Following the
>>>> commands yields only that the Windows machine is unable to locate the
>>>> KDC; are we missing something? Is this one of the issues related to
>>>> different versions of Kerberos, e.g. MIT vs Heimdal?
>>> You should check for DNS inconsistencies first: are the Windows
>>> machines in the same DNS domain as Windows? Can they resolve the
>>> addresses of the IPA servers? If that doesn't help you should post
>>> more details of your setup...
>>>
>>> Best regards
>>>
>>>
>>>> On 11/10/2015 11:32 AM, Loris Santamaria wrote:
>>>>> On Tue, 10-11-2015 at 11:18 -0700, Randolph Morgan wrote:
>>>>>> I am certain that everyone gets tired of answering the same
>>>>>> questions over and over, so maybe an update to the documentation
>>>>>> would be better. I am trying to get my Windows machines to
>>>>>> authenticate against a FreeIPA server running IPA 4.2+ on RHEL 7. I
>>>>>> have followed the documentation listed on
>>>>>> https://www.freeipa.org/page/Windows_authentication_against_FreeIPA,
>>>>>> but there seems to be a few steps missing.
>>>>>>
>>>>>> In the Configure FreeIPA section you are told to create a keytab
>>>>>> for the Windows machine in question. After creating the keytab,
>>>>>> what do you do with it? It jumps from creating the keytab to
>>>>>> configuring Windows but does not say what to do with the keytab,
>>>>>> and the instructions never reference it again. Would someone please
>>>>>> clarify this, and is this something we would need to do for each
>>>>>> and every Windows machine on our network?
>>>>> Note that the ipa-getkeytab command is called with the -P option,
>>>>> so it asks for a password: that password is used as the password for
>>>>> the machine principal and is stored in the directory.
>>>>>
>>>>> So no, the keytab is not really used anywhere else and can be
>>>>> deleted. It is the act of generating it (with a known password) that
>>>>> needs to be done for every Windows machine in the network. Please use
>>>>> strong, random and different passwords for each Windows machine in
>>>>> the network.
>>>>>
>>>>>
>>
> --
> Loris Santamaria linux user #70506 xmpp:loris at lgs.com.ve
> Links Global Services, C.A. http://www.lgs.com.ve
> Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:103 at lgs.com.ve
> ------------------------------------------------------------
> "If I'd asked my customers what they wanted, they'd have said
> a faster horse" - Henry Ford
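The two halves of the procedure discussed in this thread, the IPA-side host object plus ipa-getkeytab -P and then the native ksetup steps on the Windows host, as an added example script that is not from the thread or from the FreeIPA project. It assumes an admin ticket on an enrolled IPA client, that ipa-getkeytab -P accepts the password on stdin (otherwise type the printed password at its prompt), and the hostname, realm and KDC in the usage line are made-up placeholders.

```sh
#!/bin/sh
# Hypothetical provisioning helper (added example, not part of FreeIPA).
# Assumes: kinit admin done on an enrolled IPA client; ipa-getkeytab -P
# reads the password from stdin (if it insists on a terminal, paste the
# printed password at its prompt instead).
set -eu

# 128 bits from /dev/urandom as 32 hex characters: a fresh one per host,
# which is the "strong, random and different" password the thread asks for.
gen_machine_password() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# The Windows-side steps from the howto, rendered with real values so they
# can be pasted into an elevated cmd.exe (native ksetup, not MIT Kerberos).
ksetup_script() {
    realm=$1; kdc=$2; pw=$3
    printf 'ksetup /setdomain %s\n' "$realm"
    printf 'ksetup /addkdc %s %s\n' "$realm" "$kdc"
    printf 'ksetup /addkpasswd %s %s\n' "$realm" "$kdc"
    printf 'ksetup /setcomputerpassword %s\n' "$pw"
    printf 'ksetup /mapuser * *\n'
}

# Server side: a host object (a DNS record alone is not enough), then set the
# host principal's password via ipa-getkeytab -P. The keytab file is only a
# by-product and is removed; the password stored in the directory is what the
# Windows machine will later present through ksetup /setcomputerpassword.
provision_windows_host() {
    fqdn=$1; realm=$2; kdc=$3
    pw=$(gen_machine_password)
    tmpkt=$(mktemp)
    ipa host-add "$fqdn"
    # Password fed twice: ipa-getkeytab -P asks for it and a verification.
    printf '%s\n%s\n' "$pw" "$pw" | \
        ipa-getkeytab -s "$kdc" -p "host/$fqdn@$realm" -k "$tmpkt" -P
    rm -f "$tmpkt"
    echo "# Run on $fqdn in an elevated command prompt:"
    ksetup_script "$realm" "$kdc" "$pw"
}

# usage: ./provision-win.sh win10.example.test EXAMPLE.TEST ipa.example.test
if [ "$#" -eq 3 ]; then
    provision_windows_host "$1" "$2" "$3"
fi
```

After the ksetup lines have been applied and the Windows host rebooted, the native klist (not the MIT ticket manager) is the check that the machine obtained a ticket.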