I did supply this to the list in the middle of September, but will re-send. I know things get lost in the flow of emails/lists.
==============IPA and ksetup steps=================

I can't find the technet article right now, but here's what I did that makes Win7 (and XP, but XP doesn't need the gpedit step) work. One note about this: I kept getting strange errors with any encryption besides rc4-hmac. For my situation I think it is suitable (a static environment once the systems are deployed), but if others want to spend more time hacking on the system MS messed up, go for it ;).

On FreeIPA:

i. create the host principal in the web interface
ii. create IPA users to correspond to windows users
iii. reset the user's IPA password to a known password using the web interface; the user will be prompted to change it at first log in. (is there a default password or is this random? sorry if that's somewhere else in the docs and I missed it)
iv. on the IPA server run `ipa-getkeytab -s [kdc DNS name] -p host/[machine-name] -e arcfour-hmac -k krb5.keytab.[machine-name] -P` (enter the password that will be used in the `ksetup /setcomputerpassword` below)

Configure windows ksetup:

i. ksetup /setdomain [REALM NAME]
ii. ksetup /addkdc [REALM NAME] [kdc DNS name]
iii. ksetup /addkpasswd [REALM NAME] [kdc DNS name]
iv. ksetup /setcomputerpassword [PASSWORD]
v. ksetup /mapuser * *
vi. Run gpedit.msc. Under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options open the key called "Network Security: Configure encryption types allowed for Kerberos" and unselect everything except RC4_HMAC_MD5
vii. *** REBOOT ***
viii. log in as [user]@[REALM] with the initial password; you will be prompted to change the password, then logged in.

On Tue, Nov 15, 2011 at 6:32 PM, Dmitri Pal <[email protected]> wrote:
> On 11/15/2011 04:01 PM, Jimmy wrote:
>
> I know the Windows systems don't have full integration with FreeIPA, but I have Windows systems authenticating to FreeIPA the same as they would to a regular MIT Kerberos system. They are not using the same config that is posted on the FreeIPA website where the IPA users are mapped to a single workstation user.
>
> Would you mind sharing your configuration and steps with us?
>
> Thank you
> Dmitri
>
> Jimmy
>
> On Tue, Nov 15, 2011 at 3:40 PM, Steven Jones <[email protected]> wrote:
>> Hi,
>>
>> I don't think there is much realistic hope of getting windows to authenticate to freeIPA......the others should be able to and the fedora docs on the freeipa documentation web page list a specific method for macs for one (but I have not tried it yet, but I will be)....ubuntu has been mentioned before....I have to try/do that as well....
>>
>> Siggi sent me some notes a while back,
>>
>> =============
>>
>> Ubuntu client install
>>
>> https://help.ubuntu.com/10.04/serverguide/C/kerberos.html
>>
>> sudo apt-get install krb5-user libpam-krb5 libpam-ccreds auth-client-config
>>
>> maybe also need libpam-ldap libnss-ldap
>>
>> Use ipa-getkeytab on a IPA server to retrieve the keytab for the host, and copy this to /etc/krb5.keytab on the Ubuntu client.
>>
>> [root@ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com -p host/ubuntu-client.ix.test.com -k /tmp/buntuclient_krb5.keytab
>>
>> If you prefer you can use something like CFengine to automate the whole process.
>>
>> =============
>>
>> Hope that helps.............
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________
>> From: [email protected] [[email protected]] on behalf of Boris Epstein [[email protected]]
>> Sent: Wednesday, 16 November 2011 9:03 a.m.
>> To: [email protected]
>> Subject: [Freeipa-users] LDAP authentication into FreeIPA
>>
>> Hello all,
>>
>> This may be my general LDAP illiteracy - I only dealt with it briefly years ago - but I am trying to set up a FreeIPA server on Fedora 16 to have my Macs and Ubuntu Linux machines as well as a couple of Windows boxes to authenticate to - and seem not to be making much forward progress. Is there a step-by-step writeup on how to do that sort of thing?
>>
>> Thanks for any and all help.
>>
>> Boris.
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> [email protected]
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> -------------------------------
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
_______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
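A scripted form of the Windows-side ksetup steps from the message above, added here as an example; it is not code from the original post or from the FreeIPA project. The realm, KDC name and computer password are parameters (the values in the comments are constructed), the function name Invoke-Ksetup is mine, and the registry value used in place of the manual gpedit step is my assumption about where that policy is stored, so confirm it against gpedit.msc on your build before relying on it. The script stops before the reboot (step vii) and reports what to check afterwards.

```powershell
# Added example (not from the original message): drives the Windows-side ksetup steps
# from the post above and verifies the result. Assumed/constructed values: the realm,
# KDC name and computer password are parameters; the function name Invoke-Ksetup and
# the registry path used in place of the gpedit step are this example's assumptions.
# Run from an elevated PowerShell prompt on the Win7 client.
param(
    [Parameter(Mandatory = $true)][string]$Realm,            # e.g. EXAMPLE.COM (constructed; realm names are upper case)
    [Parameter(Mandatory = $true)][string]$Kdc,              # e.g. ipa.example.com (constructed; the KDC's DNS name)
    [Parameter(Mandatory = $true)][string]$ComputerPassword, # must equal the password given to ipa-getkeytab -P
    [switch]$AllowAes                                        # keep AES enabled alongside RC4 (see usage note)
)
$ErrorActionPreference = 'Stop'

function Invoke-Ksetup {
    # Runs ksetup.exe with the given arguments and fails loudly on a non-zero exit code.
    param([string[]]$Arguments)
    & ksetup.exe @Arguments | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "ksetup $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Steps i-v of the post: realm, KDC, kpasswd server, machine key, and the catch-all user mapping.
Invoke-Ksetup @('/setdomain', $Realm)
Invoke-Ksetup @('/addkdc', $Realm, $Kdc)
Invoke-Ksetup @('/addkpasswd', $Realm, $Kdc)
Invoke-Ksetup @('/setcomputerpassword', $ComputerPassword)
Invoke-Ksetup @('/mapuser', '*', '*')

# Step vi: the gpedit setting "Network security: Configure encryption types allowed for Kerberos"
# is stored as a bit mask in this policy value (assumption: verify against gpedit on your build).
# Bits: DES_CBC_CRC=0x1, DES_CBC_MD5=0x2, RC4_HMAC_MD5=0x4, AES128=0x8, AES256=0x10.
$kerbParams = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$etypes = if ($AllowAes) { 0x1C } else { 0x4 }   # RC4+AES128+AES256, or RC4 only as in the post
if (-not (Test-Path $kerbParams)) { New-Item -Path $kerbParams -Force | Out-Null }
New-ItemProperty -Path $kerbParams -Name 'SupportedEncryptionTypes' -PropertyType DWord -Value $etypes -Force | Out-Null

# Check: ksetup with no arguments dumps the current realm configuration; make sure it took.
$dump = & ksetup.exe
if (-not ($dump -match [regex]::Escape($Realm))) {
    throw "ksetup does not report realm $Realm; the /setdomain step did not take"
}
if (-not ($dump -match [regex]::Escape($Kdc))) {
    throw "ksetup does not list KDC $Kdc; the /addkdc step did not take"
}
$dump

Write-Host "Kerberos realm $Realm configured. Reboot (step vii), then log on as user@$Realm;"
Write-Host "after logon, 'klist' should show a krbtgt/$Realm ticket issued by $Kdc."
```

Two points worth knowing when you run this. The computer password is the workstation's long-term Kerberos key (the same secret ipa-getkeytab turns into the host keytab), so generate a long random value and feed it to both sides rather than typing a memorable one. RC4-only is the poster's workaround for the errors they saw; RC4-HMAC is the weakest of the listed types, so if your IPA KDC issues AES keys, retrieve the host keytab with AES enctypes as well and run the script with -AllowAes, falling back to RC4-only only if the logon errors return. The `/mapuser * *` step maps each Kerberos principal to the local account of the same name, which is the per-user mapping the poster contrasts with the single-shared-account method from the FreeIPA site.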
