Hello > You might be confused with this feature. This password is used with ipa-client auto enroll so that one can join a client into the IPA domain. The OTP is used for the authentication in this scenario. > In your case you are not using the client so OTP is irrelevant. > We do not test Win 7 hosts as clients but we know that in the past some people had success with such configuration. > > First please search archives as there was an earlier attempt with freeipa 2.0 earlier this year. As I recall it was successful. And earlier attempt with 1.x was covered here: > http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step The steps described in my mail where exactly the steps documented in the link above where its written under "Configuring Windows Client": ------------------ <tt>3. On the IPA Server add the host principal and set the password for the xp client. ...</tt> <tt>ksetup /setmachpassword <password> (the same password you have set in IPA server) </tt>------------------<tt> </tt>So this confuses me a lot more. Specially because the description in the discussed document just doesn't work. And, sorry to say that, it also says exactly the converse of what You wrote in Your mail. Also specially. When I use ipa-getkeytab as described in the document: <tt> ipa-getkeytab -s ds.example.com -p host/bmdata01.example.com -e des-cbc-crc -k krb5.keytab.txt -P </tt> I only get "SASL Bind failed!". So I only can create the host principal in the web interface. Then there is a kind of missing link between the exported keytab and what to do with it on the windows client. I wrote my mail only because I couldn't find any solution while googleing for it and also read the freeipa archives. The only thread I found in the archives regarding to Windows 7 and Freeipa was: <a href="https://www.redhat.com/archives/freeipa-users/2011-February/msg00039.html">https://www.redhat.com/archives/freeipa-users/2011-February/msg00039.html</a> About the same question and ended in question from Simo about the installed krb5-package. I know its annoying with this windows questions but the most of us have to deal with mixed environments. Also Redhat has to deal with such environments for RHEV manager requires server 2008r2 and active directory (We currently make also a pilot for a larger VDI project). So it cannot be that this scenario (freeipa server and windows 7 clients) was never tested or documented As we (at our side) cannot change the customers desktop from windows to linux (cause there are already a lot of special applications which depends on a windows desktop), but we can choose the serverplatform and we wan't to have linux (specially rhel) as serverplatform and most desirable: freeipa as authentication and identity platform. But this can only work with a full integration of the windows clients into freeipa. Sorry for the hard mail but as I and My colleagues what to have Linux and opensource installed whenever possible, we face often the problem that the developers cannot see the problems and needs of us engineers and administrators in the front where where we deal with the heterogenous environments of our customers. So I hope somebody can post a final and working documentation about the windows 7 integration into freeipa. We realy depend on this. Regards Roland Von: Dmitri Pal <dpal@redhat.com> An: freeipa-users@redhat.com Datum: 01.08.2011 14:39 Betreff: Re: [Freeipa-users] Once Again: Freeipa and Windows 7 Gesendet von: freeipa-users-bounces@redhat.com <hr noshade> On 07/31/2011 04:44 AM, <a href="mailto:roland.kaeser@intersoft-networks.ch">roland.kaeser@intersoft-networks.ch</a> wrote: Hello I'm trying again to setup a pilot freeipa infrastructure for linux/afs servers and windows clients. So the first (and most hard) task is to join a "windows 7" into freeipa/kerberos. I already read the available documentation and setup my pilot client with the following parameters: ksetup /setdomain SAMPLE.CH ksetup /SetRealm SAMPLE.CH ksetup /AddKdc SAMPLE.CH freeipa.sample.ch ksetup /AddKpasswd SAMPLE.CH freeipa.sample.ch ksetup /SetComputerPassword MYPASSWORDHERE ksetup /MapUser * * Changed the available encryption types for kerberos in secpool.msc under Local Policies/Security Options/Network Security/Network Security: Configure encryption types allowed for Kerberos to: DES_CBC_CRC,DES_CBC_MD5,RC4_HMAC_MD5,AES128_HMAC_SHA1,AES256_HMAC_SHA1, Furter encryption types Created a host principal in the freeipa webinterface and set the OTP to MYPASSWORDHERE. You might be confused with this feature. This password is used with ipa-client auto enroll so that one can join a client into the IPA domain. The OTP is used for the authentication in this scenario. In your case you are not using the client so OTP is irrelevant. We do not test Win 7 hosts as clients but we know that in the past some people had success with such configuration. First please search archives as there was an earlier attempt with freeipa 2.0 earlier this year. As I recall it was successful. And earlier attempt with 1.x was covered here: <a href="http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step">http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step</a> The clock of the windows 7 machine is synced with the ntpd of the freeipa server. When I try to login I get the usual password change request dialog on the windows 7 client and the following krb5log entry: Jul 31 10:39:05 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: CLIENT KEY EXPIRED: <a href="mailto:isn-roland@SAMPLE.CH">isn-roland@SAMPLE.CH</a> for <a href=mailto:krbtgt/SAMPLE.CH@SAMPLE.CH>krbtgt/SAMPLE.CH@SAMPLE.CH</a>, Password has expired When try to change the password I get only "The username or password is wrong" with the following krb5log entries: Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: NEEDED_PREAUTH: <a href="mailto:isn-roland@SAMPLE.CH">isn-roland@SAMPLE.CH</a> for <a href=mailto:kadmin/changepw@SAMPLE.CH>kadmin/changepw@SAMPLE.CH</a>, Additional pre-authentication required Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: <a href="mailto:isn-roland@SAMPLE.CH">isn-roland@SAMPLE.CH</a> for <a href=mailto:kadmin/changepw@SAMPLE.CH>kadmin/changepw@SAMPLE.CH</a>, Decrypt integrity check failed Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: <a href="mailto:isn-roland@SAMPLE.CH">isn-roland@SAMPLE.CH</a> for <a href=mailto:kadmin/changepw@SAMPLE.CH>kadmin/changepw@SAMPLE.CH</a>, Decrypt integrity check failed After long googeling and long investigation, I can't see the issue behind this problems. Does someone has setup a similar environment and give me some advice to get this up and running? Regards Roland <tt> _______________________________________________ Freeipa-users mailing list </tt><a href="mailto:Freeipa-users@redhat.com"><tt>Freeipa-users@redhat.com</tt></a><tt> </tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users"><tt>https://www.redhat.com/mailman/listinfo/freeipa-users</tt></a> <tt>-- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? </tt><a href=http://www.redhat.com/carveoutcosts/><tt>www.redhat.com/carveoutcosts/</tt></a><tt> </tt><tt>_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com </tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users"><tt>https://www.redhat.com/mailman/listinfo/freeipa-users</tt></a>