[Freeipa-users] FreeIPA and Windows

David Kreitschmann david at kreitschmann.de
Wed Nov 11 02:28:44 UTC 2015


If you use the MSLSA credential cache, MIT Kerberos works:
kinit -c MSLSA: user@REALM

Not sure about the MIT ticket manager.




On 11.11.2015 at 01:54, Loris Santamaria <loris at lgs.com.ve> wrote:
> 
> 
> On Tue, 10-11-2015 at 16:15 -0700, Randolph Morgan wrote:
>> Yes, they are in the same DNS domain as the IPA server.  I am able to
>> resolve the server address.  Which side would you like more information
>> on, the server side or the client side?  We are not running any AD
>> domains, so this is not a Windows based system.  We are running FreeIPA
>> 4.2+ on RHEL 7.1 using the stock Samba from RHEL.  On the client side I
>> am running Windows 10 and I have installed MIT Kerberos version 4.01.
>> In the MIT ticket manager I show a TGT and it works as it should.  But
>> from the command prompt in Windows if I do a klist it reports:
>>
>> Current LogonId is 0:0x6320a
>>
>> Cached Tickets: (0)
>>
>> So even though MIT Kerberos shows a successful negotiation with IPA and
>> a ticket is received, Windows reports back the above when a klist is
>> run.
> 
> I think that is the problem, you shouldn't use MIT kerberos.
> 
> The commands listed on the howto:
> 
> 1. ksetup /setdomain [REALM NAME]
> 2. ksetup /addkdc [REALM NAME] [kdc DNS name]
> 3. ksetup /addkpasswd [REALM NAME] [kdc DNS name]
> 4. ksetup /setcomputerpassword [MACHINE_PASSWORD] (the one used above)
> 5. ksetup /mapuser * *
> 
> are meant to be run with the Windows native ksetup command. The native
> Windows Kerberos libraries cannot see tickets obtained with MIT
> Kerberos.
> 
> Best regards
> 
> 
>> What I am trying to do is get the two to talk to each other, but I
>> have not had any success as of yet.  I have edited the krb5.ini with the
>> correct information, and rebooted the machine multiple times with no
>> change.  Any help here would be really appreciated, we are taking this
>> system live over the weekend and would really love to have this part
>> fixed.
>> 
>> Randy
>> 
>> Randy Morgan
>> CSR
>> Department of Chemistry and Biochemistry
>> Brigham Young University
>> 801-422-4100
>> 
>> On 11/10/2015 3:50 PM, Loris Santamaria wrote:
>>> On Tue, 10-11-2015 at 11:51 -0700, Randolph Morgan wrote:
>>>> Ok, that makes sense, but could we not just create the host in the IPA
>>>> UI as part of the DNS?
>>> That isn't enough, the DNS object just maps to an IP address, you have
>>> to create a "host" object with ipa host-add; that object is needed to
>>> store the Kerberos principal and password for the host.
>>>
>>>> Also we seem to be having some difficulty with another part of the
>>>> process, that is getting the Windows machines to even acknowledge that
>>>> they have the ability to talk with the KDC.  Following the commands
>>>> yields only that the Windows machine is unable to locate the KDC, are
>>>> we missing something?  Is this one of the issues related to different
>>>> versions of Kerberos, e.g. MIT vs Heimdal?
>>> You should check for DNS inconsistencies first, are the Windows
>>> machines in the same DNS domain as Windows? Can they resolve the
>>> addresses of the IPA servers? If that doesn't help you should post more
>>> details of your setup...
>>> 
>>> Best regards
>>> 
>>> 
>>>> On 11/10/2015 11:32 AM, Loris Santamaria wrote:
>>>>> On Tue, 10-11-2015 at 11:18 -0700, Randolph Morgan wrote:
>>>>>> I am certain that everyone gets tired of answering the same questions
>>>>>> over and over, so maybe an update to the documentation would be
>>>>>> better.  I am trying to get my Windows machines to authenticate
>>>>>> against a FreeIPA server running IPA 4.2+ on RHEL 7.  I have followed
>>>>>> the documentation listed on
>>>>>> https://www.freeipa.org/page/Windows_authentication_against_FreeIPA,
>>>>>> but there seems to be a few steps missing.
>>>>>>
>>>>>> In the Configure FreeIPA you are told to create a keytab for the
>>>>>> Windows machine in question.  After creating the keytab, what do you
>>>>>> do with it?  It jumps from creating the keytab to configuring Windows
>>>>>> but does not say what to do with the keytab and the instructions never
>>>>>> reference it again.  Would someone please clarify this, and is this
>>>>>> something we would need to do for each and every Windows machine on
>>>>>> our network?
>>>>> Note that the ipa-getkeytab command is called with the -P option, so it
>>>>> asks for a password: that password is used as a password for the
>>>>> machine principal and is stored in the directory.
>>>>>
>>>>> So no, the keytab is not really used anywhere else and can be deleted.
>>>>> It is the act of generating it (with a known password) that needs to be
>>>>> done for every Windows machine in the network. Please use strong,
>>>>> random and different passwords for each Windows machine in the
>>>>> network.
>>>>>
>>>>>
>>>>> 
>>>>> 
>> 
> -- 
> Loris Santamaria   linux user #70506   xmpp:loris at lgs.com.ve
> Links Global Services, C.A.            http://www.lgs.com.ve
> Tel: 0286 952.06.87  Cel: 0414 095.00.10  sip:103 at lgs.com.ve
> ------------------------------------------------------------
> "If I'd asked my customers what they wanted, they'd have said
> a faster horse" - Henry Ford
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
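The thread turns on two checks: whether the Windows client can resolve the IPA KDC, and whether the native LSA ticket cache (what Windows `klist` shows) holds any tickets, as opposed to the MIT cache. The following PowerShell script is an added diagnostic, not code from the thread or the FreeIPA howto; the realm and KDC host name are placeholders you must replace, and it assumes `Resolve-DnsName`, `ksetup` and `klist` are available on the client.

```powershell
# Added diagnostic for a Windows client joined to a FreeIPA realm with ksetup.
# Placeholders: replace $Realm and $Kdc with your real IPA realm and KDC name.
param(
    [string]$Realm = 'EXAMPLE.TEST',      # placeholder: IPA realm, upper case
    [string]$Kdc   = 'ipa.example.test'   # placeholder: IPA server host name
)

# 1. Name resolution: the client must resolve the KDC by name, and the
#    realm's DNS zone should publish a _kerberos SRV record for discovery.
Write-Host "== DNS checks =="
try {
    $a = Resolve-DnsName -Name $Kdc -Type A -ErrorAction Stop
    Write-Host "KDC $Kdc resolves to $($a.IPAddress -join ', ')"
} catch {
    Write-Warning "Cannot resolve $Kdc : $($_.Exception.Message)"
}
try {
    $srv = Resolve-DnsName -Name "_kerberos._udp.$($Realm.ToLower())" -Type SRV -ErrorAction Stop
    $srv | ForEach-Object { Write-Host "SRV -> $($_.NameTarget):$($_.Port)" }
} catch {
    Write-Warning "No _kerberos._udp SRV record for $Realm; rely on 'ksetup /addkdc'"
}

# 2. Realm configuration: 'ksetup /dumpstate' lists the realms and KDCs the
#    native Kerberos client knows about. The realm must appear here.
Write-Host "== ksetup state =="
$state = ksetup /dumpstate 2>&1 | Out-String
if ($state -match [regex]::Escape($Realm)) {
    Write-Host "Realm $Realm is configured in ksetup"
} else {
    Write-Warning "Realm $Realm not configured; run the ksetup /setdomain and /addkdc steps"
}

# 3. Native ticket cache: Windows klist prints 'Cached Tickets: (n)'. A TGT
#    obtained with MIT kinit lives in the MIT cache and never shows up here.
Write-Host "== LSA ticket cache =="
$klist = klist 2>&1 | Out-String
if ($klist -match 'Cached Tickets:\s*\((\d+)\)') {
    $n = [int]$Matches[1]
    if ($n -eq 0) {
        Write-Warning "LSA cache holds 0 tickets: MIT-obtained tickets are invisible to Windows"
    } else {
        Write-Host "LSA cache holds $n ticket(s):"
        $klist -split "`r?`n" | Where-Object { $_ -match 'Server:' } | ForEach-Object { Write-Host "  $_" }
    }
} else {
    Write-Warning "Could not parse klist output"
}
```

Run it from an elevated PowerShell prompt after completing the ksetup steps quoted above; a non-zero LSA ticket count after logging on with a realm account is the confirmation the original poster was missing.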