<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type"> </head> <body bgcolor="#ffffff" text="#000000"> On 08/01/2011 10:29 AM, <a class="moz-txt-link-abbreviated" href="mailto:roland.kaeser@intersoft-networks.ch">roland.kaeser@intersoft-networks.ch</a> wrote: <blockquote cite="mid:OF3C58FADF.320FF19F-ONC12578DF.004BB745-C12578DF.004F92BB@intersoft-networks.ch" type="cite">Hello > You might be confused with this feature. This password is used with ipa-client auto enroll so that one can join a client into the IPA domain. The OTP is used for the authentication in this scenario. > In your case you are not using the client so OTP is irrelevant. > We do not test Win 7 hosts as clients but we know that in the past some people had success with such configuration. > > First please search archives as there was an earlier attempt with freeipa 2.0 earlier this year. As I recall it was successful. And earlier attempt with 1.x was covered here: > <a class="moz-txt-link-freetext" href="http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step">http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step</a> The steps described in my mail where exactly the steps documented in the link above where its written under "Configuring Windows Client": ------------------ <tt>3. On the IPA Server add the host principal and set the password for the xp client. ..</tt> <tt>ksetup /setmachpassword <password> (the same password you have set in IPA server) </tt>------------------<tt> </tt>So this confuses me a lot more. Specially because the description in the discussed document just doesn't work. And, sorry to say that, it also says exactly the converse of what You wrote in Your mail. Also specially. When I use ipa-getkeytab as described in the document: <tt> ipa-getkeytab -s ds.example.com -p host/bmdata01.example.com -e des-cbc-crc -k krb5.keytab.txt -P </tt> I only get "SASL Bind failed!". So I only can create the host principal in the web interface. Then there is a kind of missing link between the exported keytab and what to do with it on the windows client. I wrote my mail only because I couldn't find any solution while googleing for it and also read the freeipa archives. The only thread I found in the archives regarding to Windows 7 and Freeipa was: <a moz-do-not-send="true" href="https://www.redhat.com/archives/freeipa-users/2011-February/msg00039.html">https://www.redhat.com/archives/freeipa-users/2011-February/msg00039.html</a> About the same question and ended in question from Simo about the installed krb5-package. I know its annoying with this windows questions but the most of us have to deal with mixed environments. Also Redhat has to deal with such environments for RHEV manager requires server 2008r2 and active directory (We currently make also a pilot for a larger VDI project). So it cannot be that this scenario (freeipa server and windows 7 clients) was never tested or documented As we (at our side) cannot change the customers desktop from windows to linux (cause there are already a lot of special applications which depends on a windows desktop), but we can choose the serverplatform and we wan't to have linux (specially rhel) as serverplatform and most desirable: freeipa as authentication and identity platform. But this can only work with a full integration of the windows clients into freeipa. Sorry for the hard mail but as I and My colleagues what to have Linux and opensource installed whenever possible, we face often the problem that the developers cannot see the problems and needs of us engineers and administrators in the front where where we deal with the heterogenous environments of our customers. So I hope somebody can post a final and working documentation about the windows 7 integration into freeipa. We realy depend on this. Regards Roland </blockquote> Let me be fair and frank. We are not testing Windows clients with IPA. It has been done successfully by different people in the community several times and comments from them can be found in archive. Making Windows clients work with IPA is a big challenge which we have not taken on and do not plant to. The point is that in our opinion IPA would not be able to replace AD for Windows clients. There are too many protocols and specific properties that a Windows client expects from its DC. So the solution can only be very limited and in most cases not acceptable. So we think that the best approach to address the issue of Windows clients is to have them in AD but let IPA be the DC for the Linux servers. For the current version one can use synchronization of the user accounts from AD to IPA. It is not perfect but this is best available at the moment. We are actively working on a much better solution - Cross Forest Kerberos trusts. Hopefully it will be available next year. That feature would require users connecting from their desktops from AD domain have a SSO with services in IPA domain. There are other use cases too. But back to your point about clients working with IPA. We do not know about better info than the one we mentioned. There might be some MIT documentation about how to join a Windows machine to MIT KDC. If this can be done I am sure the same can be done with IPA. <blockquote cite="mid:OF3C58FADF.320FF19F-ONC12578DF.004BB745-C12578DF.004F92BB@intersoft-networks.ch" type="cite"> Von: Dmitri Pal <a class="moz-txt-link-rfc2396E" href="mailto:dpal@redhat.com"><dpal@redhat.com></a> An: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users@redhat.com">freeipa-users@redhat.com</a> Datum: 01.08.2011 14:39 Betreff: Re: [Freeipa-users] Once Again: Freeipa and Windows 7 Gesendet von: <a class="moz-txt-link-abbreviated" href="mailto:freeipa-users-bounces@redhat.com">freeipa-users-bounces@redhat.com</a> <hr noshade="noshade"> On 07/31/2011 04:44 AM, <a moz-do-not-send="true" href="mailto:roland.kaeser@intersoft-networks.ch">roland.kaeser@intersoft-networks.ch</a> wrote: Hello I'm trying again to setup a pilot freeipa infrastructure for linux/afs servers and windows clients. So the first (and most hard) task is to join a "windows 7" into freeipa/kerberos. I already read the available documentation and setup my pilot client with the following parameters: ksetup /setdomain SAMPLE.CH ksetup /SetRealm SAMPLE.CH ksetup /AddKdc SAMPLE.CH freeipa.sample.ch ksetup /AddKpasswd SAMPLE.CH freeipa.sample.ch ksetup /SetComputerPassword MYPASSWORDHERE ksetup /MapUser * * Changed the available encryption types for kerberos in secpool.msc under Local Policies/Security Options/Network Security/Network Security: Configure encryption types allowed for Kerberos to: DES_CBC_CRC,DES_CBC_MD5,RC4_HMAC_MD5,AES128_HMAC_SHA1,AES256_HMAC_SHA1, Furter encryption types Created a host principal in the freeipa webinterface and set the OTP to MYPASSWORDHERE. You might be confused with this feature. This password is used with ipa-client auto enroll so that one can join a client into the IPA domain. The OTP is used for the authentication in this scenario. In your case you are not using the client so OTP is irrelevant. We do not test Win 7 hosts as clients but we know that in the past some people had success with such configuration. First please search archives as there was an earlier attempt with freeipa 2.0 earlier this year. As I recall it was successful. And earlier attempt with 1.x was covered here: <a moz-do-not-send="true" href="http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step">http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step</a> The clock of the windows 7 machine is synced with the ntpd of the freeipa server. When I try to login I get the usual password change request dialog on the windows 7 client and the following krb5log entry: Jul 31 10:39:05 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: CLIENT KEY EXPIRED: <a moz-do-not-send="true" href="mailto:isn-roland@SAMPLE.CH">isn-roland@SAMPLE.CH</a> for <a moz-do-not-send="true" href="mailto:krbtgt/SAMPLE.CH@SAMPLE.CH">krbtgt/SAMPLE.CH@SAMPLE.CH</a>, Password has expired When try to change the password I get only "The username or password is wrong" with the following krb5log entries: Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: NEEDED_PREAUTH: <a moz-do-not-send="true" href="mailto:isn-roland@SAMPLE.CH">isn-roland@SAMPLE.CH</a> for <a moz-do-not-send="true" href="mailto:kadmin/changepw@SAMPLE.CH">kadmin/changepw@SAMPLE.CH</a>, Additional pre-authentication required Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: <a moz-do-not-send="true" href="mailto:isn-roland@SAMPLE.CH">isn-roland@SAMPLE.CH</a> for <a moz-do-not-send="true" href="mailto:kadmin/changepw@SAMPLE.CH">kadmin/changepw@SAMPLE.CH</a>, Decrypt integrity check failed Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: <a moz-do-not-send="true" href="mailto:isn-roland@SAMPLE.CH">isn-roland@SAMPLE.CH</a> for <a moz-do-not-send="true" href="mailto:kadmin/changepw@SAMPLE.CH">kadmin/changepw@SAMPLE.CH</a>, Decrypt integrity check failed After long googeling and long investigation, I can't see the issue behind this problems. Does someone has setup a similar environment and give me some advice to get this up and running? Regards Roland <tt> _______________________________________________ Freeipa-users mailing list </tt><a moz-do-not-send="true" href="mailto:Freeipa-users@redhat.com"><tt>Freeipa-users@redhat.com</tt></a><tt> </tt><a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users"><tt>https://www.redhat.com/mailman/listinfo/freeipa-users</tt></a> <tt>-- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? </tt><a moz-do-not-send="true" href="http://www.redhat.com/carveoutcosts/"><tt>www.redhat.com/carveoutcosts/</tt></a><tt> </tt><tt>_______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> </tt><a moz-do-not-send="true" href="https://www.redhat.com/mailman/listinfo/freeipa-users"><tt>https://www.redhat.com/mailman/listinfo/freeipa-users</tt></a> <pre wrap=""> <fieldset class="mimeAttachmentHeader"></fieldset> _______________________________________________ Freeipa-users mailing list <a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a> <a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote> <pre class="moz-signature" cols="72">-- Thank you, Dmitri Pal Sr. Engineering Manager IPA project, Red Hat Inc. ------------------------------- Looking to carve out IT costs? <a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a> </pre> </body> </html>