Hi,<br>
<br>
Yes, my goal is to set up an Active Directory substitute, but I am not
looking for a complete AD replacement. I really don't want to use
Windows Active Directory. In my organization around 60% of the users
are using Linux as their desktop; the remaining 40% are on Windows XP SP3.<br>
<br>
I want to set up single sign-on using FreeIPA. I found the attached
document on the internet, so I tried to set up Samba as a client to
FreeIPA and authenticate Windows clients to Samba and Samba to FreeIPA.
(I tried this because I was struggling to get Windows to authenticate to
Kerberos.)<br>
<br>
Please have a look at the attached document, I will try your suggestions and post the results. <br>
<br>
Wishing you all a Happy and peaceful NEW YEAR.<br>
<br>
Thanks & Regards<br>
Viji<br><br><div class="gmail_quote">On Wed, Dec 31, 2008 at 9:22 PM, Kozlov <span dir="ltr"><<a href="mailto:mackoel@gmail.com">mackoel@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi,<br>
<br>
I saw your posts on samba list :)<br>
Is your goal to make the Active Directory substitution?<br>
<br>
Samba3 + FreeIPA won't work that way. Look for explanations on freeipa-users list. You either need Samba4 or no kerberos on Windows.<br>
<br>
However, samba3 can be used with FreeIPA as a file sharing solution and will use Single Sign On once you manage to set up WinXP for IPA.<div class="Ih2E3d"><br>
<br>
Best regards and Happy New Year!<br>
<br></div><div class="Ih2E3d">
Kostya<br>
<br>
Viji V Nair wrote:<br>
> Hi,<br>
><br></div>
> I have set up Samba as a PDC with Kerberos and LDAP. While adding the Windows<br>
> clients I get the following error message in the logs, and Windows says the<br>
> user name and password are incorrect<br>
><br>
> [2008/12/31 19:00:09, 0] lib/util_sock.c:write_data(1059)<br>
> [2008/12/31 19:00:09, 0] lib/util_sock.c:get_peer_addr_internal(1607)<br>
> getpeername failed. Error was Transport endpoint is not connected<br>
> write_data: write failure in writing to client 0.0.0.0. Error Connection<br>
> reset by peer<br>
> [2008/12/31 19:00:09, 0] smbd/process.c:srv_send_smb(74)<br>
> Error writing 4 bytes to client. -1. (Transport endpoint is not connected)<br>
><br>
> Any help on the same will be greatly appreciated.<br>
><br>
> # rpm -qa |grep samba<br>
> samba-client-3.2.5-0.23.fc10.x86_64<br>
> samba-common-3.2.5-0.23.fc10.x86_64<br>
> samba-3.2.5-0.23.fc10.x86_64<br>
> samba-winbind-3.2.5-0.23.fc10.x86_64<br>
><br>
> # uname -a<br>
> Linux <a href="http://viji.testing.com" target="_blank">viji.testing.com</a> 2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35<br>
> EST 2008 x86_64 x86_64 x86_64 GNU/Linux<br>
><br>
> # cat /etc/samba/smb.conf<br>
> [global]<br>
> workgroup = TESTING.COM<br>
> server string = Samba Server Version %v<br>
> security = user<br>
> passdb backend = smbpasswd<br>
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192<br>
> os level = 33<br>
> domain logons = yes<br>
> domain master = yes<br>
> local master = yes<br>
> preferred master = yes<br>
> wins support = yes<br>
> template shell = /bin/false<br>
> realm = TESTING.COM<br>
> use kerberos keytab = yes<br>
> load printers = yes<br>
> cups options = raw<br>
> # log level = 3 passdb:5 auth:10<br>
> [homes]<br>
> comment = Home Directories<br>
> browseable = no<br>
> writable = yes<br>
> [printers]<br>
> comment = All Printers<br>
> path = /var/spool/samba<br>
> browseable = no<br>
> guest ok = no<br>
> writable = no<br>
> printable = yes<br>
> [share]<br>
> comment = Share<br>
> path = /share<br>
> browseable = yes<br>
> guest ok = no<br>
> writable = yes<br>
> valid users = admin<br>
><br>
> Thanks<br>
> Viji<br>
<br>
<br>
<br>
Viji V Nair wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hi,<br>
<br><div class="Ih2E3d">
I have done the modifications as suggested, but no luck, getting the same error.<br>
<br>
# kinit admin<br></div>
# ipa-addservice host/bmdata01.testing.com<br>
# ipa-getkeytab -s viji.testing.com -p host/bmdata01.testing.com -k /etc/krb5.keytab<div class="Ih2E3d">
<br>
<br>
Could you please elaborate on the steps you took to get it working on both the client and server side?<br>
<br>
Thanks<br>
Viji<br>
<br></div><div class="Ih2E3d">
On Tue, Dec 30, 2008 at 11:46 PM, Kozlov <<a href="mailto:mackoel@gmail.com" target="_blank">mackoel@gmail.com</a>> wrote:<br>
<br>
Hi,<br>
<br>
The minor comment is that kadmin is supposed to be substituted with<br>
ipa-addservice.<br>
<br>
The major comment is that you've missed ipa-getkeytab on ipaserver<br>
that actually SETS password that you then install on winxp.<br>
<br>
And try to map all users to one: for example,<br>
"* Administrator".<br>
<br>
Best regards,<br>
<br>
Kostya<br>
<br>
Viji V Nair wrote:<br>
<br>
Hi,<br>
<br>
Thank you for the information. I have tried all these steps, but<br>
no success.<br>
<br>
1. On the IPA Server I have created a host principal using the<br>
following command.<br>
<br>
# kadmin -q "ank host/bmdata01.testing.com"<br></div>
<div class="Ih2E3d">
<br>
<br>
<br>
2. On the windows xp client<br>
<br>
C:> ksetup /setrealm TESTING.COM<br>
C:> ksetup /addkdc TESTING.COM viji.bigmaps.com<br>
C:> ksetup /setmachpassword <password><br>
C:> ksetup /mapuser admin@TESTING.COM guest<br></div>
<div class="Ih2E3d"><br>
C:> ksetup /mapuser * *<br>
<br>
After the above setup Windows is showing TESTING.COM as a Kerberos Realm on<br></div>
<div class="Ih2E3d"><br>
the login screen, but when I try to login using the user name<br>
"admin" it is throwing the following error.<br>
<br>
<br>
"The system could not log you on. Make sure your user name and<br>
domain are correct, and then type your password again. Letters<br>
in passwords must be typed using the correct case."<br>
<br>
But the IPA (kerberos) server is issuing the tickets, the log shows:<br>
<br>
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes<br>
{23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM<br></div>
<div class="Ih2E3d">for krbtgt/TESTING.COM@TESTING.COM, Additional<br></div>
<div class="Ih2E3d">pre-authentication required<br>
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes<br>
{23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM<br></div>
<div class="Ih2E3d">for krbtgt/TESTING.COM@TESTING.COM<br></div>
<div class="Ih2E3d">Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes<br>
{23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM<br></div>
<div class="Ih2E3d">for host/bmdata01.testing.com@TESTING.COM<br>
<br>
<br>
I have found an article on the Microsoft website saying this is a<br>
bug and to apply the latest service pack (SP3). I even tried that,<br>
but no success.<br>
<br>
<a href="http://support.microsoft.com/kb/825081" target="_blank">http://support.microsoft.com/kb/825081</a><br>
<br>
Similar Thread:<br>
<a href="http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html" target="_blank">http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html</a><br>
<br>
Thanks & Regards<br>
<br>
Viji<br>
<br>
<br>
On Mon, Dec 29, 2008 at 6:35 PM, Konstantin Kozlov<br>
<<a href="mailto:kozlov@spbcas.ru" target="_blank">kozlov@spbcas.ru</a>> wrote:<br></div><div><div></div><div class="Wj3C7c">
<br>
Hi,<br>
<br>
You can search the list for a similar thread, and here are the steps<br>
I've followed with success:<br>
<br>
Add a host principal for the WinXP machine with the encoding des-cbc-crc<br>
and a password (-P option for ipa-getkeytab). Do not store this<br>
keytab in /etc/krb5.keytab but rather in some other file.<br>
<br>
Install MS Support Tools on WinXP, and run<br>
<br>
ksetup /setdomain ...<br>
ksetup /addkdc ...<br>
ksetup /setcomputerpassword ...<br>
ksetup /mapuser * <your user><br>
<br>
WinXP machine asks to login to Kerberos realm at login screen.<br>
<br>
I failed to map one ipa-user to one win-user. But maybe that's because I<br>
didn't have enough time. If you succeed, leave a note here please.<br>
<br>
Best regards,<br>
<br>
Kostya<br>
<br>
Viji V Nair wrote:<br>
<br>
Hi,<br>
<br>
I am a new user of FreeIPA. I have installed the FreeIPA<br>
packages shipped with Fedora 10. I have more than 100 Windows<br>
clients to authenticate. Here is my problem:<br>
<br>
All the clients are XP SP2, and I have installed MIT Kerberos for<br>
Windows 3.2.2. The native Windows login prompt always appears<br>
first; when I log in to Windows, the Kerberos client then asks for<br>
authentication.<br>
<br>
I want to replace this Windows authentication with Kerberos.<br>
<br>
Any help on the same will be greatly appreciated.<br>
<br>
Thanks<br>
Viji<br>
<br>
<br>
------------------------------------------------------------------------<br>
<br>
_______________________________________________<br>
Freeipa-users mailing list<br>
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a><br></div></div>
<div class="Ih2E3d">
<br>
<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
<br>
<br>
<br>
-- Konstantin Kozlov<br>
Department of Computational Biology,<br>
Center for Advanced Studies,<br>
SPb State Polytechnical University,<br>
195251, Polytechnicheskaya ul., 29,<br>
bld 4, office 204,<br>
St.Petersburg, Russia.<br>
<br>
Tel./fax: +7 812 596 2831<br>
<br>
</div>
<div class="Ih2E3d">
<br>
<br>
<br>
<br>
<br>
</div><div class="Ih2E3d">
</div></blockquote>
<br>
</blockquote></div><br>
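The krb5kdc log excerpt in the thread shows what the XP client advertises (etypes 23, 3, 1 and the negative Microsoft-specific numbers) and which etypes the KDC picked for the reply, ticket and session key, while Kostya's advice is to key the workstation's host principal with des-cbc-crc. As an added example (not code from the thread, from FreeIPA or from MIT krb5), the following Python script parses lines in that log format, names the etype numbers, flags tickets issued with weak or deprecated types, and flags the case where a ticket for a workstation's own host/ principal uses an etype the workstation never offered. The sample lines are constructed to mirror the thread's excerpt; the regular expression targets the MIT krb5kdc "info" line layout quoted there and is an assumption for other KDC versions.

```python
"""Audit MIT krb5kdc log lines for the encryption types the KDC negotiated.

Added example, not code from the thread or from FreeIPA. The sample lines are
constructed to match the krb5kdc.log format quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Kerberos encryption type numbers (IANA registry; RFC 3961, 3962, 4757).
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
WEAK = {1, 3, 24}        # single DES and export-strength RC4: broken
DEPRECATED = {16, 23}    # des3 and rc4-hmac: deprecated by RFC 8429
STRONG = {17, 18}        # AES
# Negative etype numbers are vendor-specific legacy RC4 variants that older
# Windows clients advertise; this example treats all of them as weak.

# Assumed layout of an MIT krb5kdc "info" line, as quoted in the thread.
KDC_LINE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{rep=(?P<rep>-?\d+) "
    r"tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, )?"
    r"(?P<client>\S+) for (?P<service>\S+?)(?:, (?P<reason>.*))?$"
)


@dataclass
class KdcEvent:
    request: str               # AS_REQ or TGS_REQ
    client_ip: str
    status: str                # ISSUE, NEEDED_PREAUTH, ...
    client: str                # requesting principal
    service: str               # requested service principal
    offered: List[int]         # etypes the client advertised
    rep: Optional[int] = None  # etype protecting the KDC reply
    tkt: Optional[int] = None  # etype of the issued ticket (service key)
    ses: Optional[int] = None  # session key etype
    reason: Optional[str] = None


def etype_name(etype: int) -> str:
    if etype in ETYPE_NAMES:
        return ETYPE_NAMES[etype]
    return f"vendor-legacy({etype})" if etype < 0 else f"unknown({etype})"


def classify(etype: int) -> str:
    if etype in STRONG:
        return "strong"
    if etype in DEPRECATED:
        return "deprecated"
    if etype in WEAK or etype < 0:
        return "weak"
    return "unknown"


def _opt_int(v: Optional[str]) -> Optional[int]:
    return int(v) if v is not None else None


def parse_kdc_line(line: str) -> Optional[KdcEvent]:
    m = KDC_LINE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return KdcEvent(
        request=g["req"], client_ip=g["ip"], status=g["status"],
        client=g["client"], service=g["service"],
        offered=[int(x) for x in g["offered"].split()],
        rep=_opt_int(g["rep"]), tkt=_opt_int(g["tkt"]), ses=_opt_int(g["ses"]),
        reason=g["reason"],
    )


def audit(lines):
    """Parse each line; return (events, findings), findings being strings."""
    events, findings = [], []
    for line in lines:
        ev = parse_kdc_line(line)
        if ev is None:
            continue
        events.append(ev)
        if ev.status != "ISSUE":
            continue
        for label, et in (("tkt", ev.tkt), ("ses", ev.ses), ("rep", ev.rep)):
            if et is None:
                continue
            level = classify(et)
            if level != "strong":
                findings.append(f"{ev.request} {ev.client} -> {ev.service}: "
                                f"{label} etype {et} ({etype_name(et)}) is {level}")
        # A service ticket is encrypted with the service's own key. When the
        # service is a workstation's host/ principal and the ticket etype is
        # one that workstation never offers, it cannot decrypt its own ticket.
        if (ev.request == "TGS_REQ" and ev.service.startswith("host/")
                and ev.tkt is not None and ev.tkt not in ev.offered):
            findings.append(f"TGS_REQ {ev.client} -> {ev.service}: ticket etype "
                            f"{ev.tkt} ({etype_name(ev.tkt)}) is not among the "
                            f"client's offered etypes {ev.offered}")
    return events, findings


# Constructed sample in the format of the thread's krb5kdc.log excerpt.
SAMPLE_LOG = [
    "Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes "
    "{23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM "
    "for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required",
    "Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) "
    "172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, "
    "admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM",
    "Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes "
    "{23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes "
    "{rep=23 tkt=18 ses=23}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM",
]

if __name__ == "__main__":
    evs, found = audit(SAMPLE_LOG)
    print(f"{len(evs)} events parsed")
    for f in found:
        print("FINDING:", f)
```

Run against a real krb5kdc.log by reading its lines into `audit()`; the "not among the client's offered etypes" finding is a heuristic, not proof of failure, since the ticket etype is chosen from the service's keys, but for a host/ principal it points at the keytab whose etypes should be reconciled with what that workstation can actually use.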