On Wed, Feb 19, 2014 at 2:02 PM, Petr Spacek <[email protected]> wrote:
> On 19.2.2014 19:44, Simo Sorce wrote:
>>
>> On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote:
>>>
>>> On Wed, 19 Feb 2014, Mauricio Tavares wrote:
>>>>
>>>> When I added a windows 7 client (let's call it
>>>> windows.lan.domain.com), I had to go manually enter the domain (in
>>>> System Properties->Computer Name/Domain Changes->DNS Suffix and
>>>> netbios computer name) even though ipconfig would report it properly.
>>>> Otherwise, it would show in the kdc log file as [email protected]
>>>> instead of [email protected]. Does anyone know why? I
>>>> know the realm and the domain names are not quite the same (domain has
>>>> a "lan" in it), but should that matter?
>>>
>>> Windows uses NetBIOS name$ as the machine name in TGT requests for the
>>> host.
>>>
>>> At this point we don't have means to correct this via IPA CLI. You need
>>> to use ldapmodify directly and add
>>>
>>> krbprincipalname: windows$DOMAIN.COM
>>> krbcanonicalname: HOST/[email protected]
>>
>>
>> Note that 'host' here should be lower case.
>
>
> ... And please note that
> http://www.freeipa.org/page/Windows_authentication_against_FreeIPA is an
> option of last resort.
>
> Please use real trust between AD and IPA whenever possible:
> http://www.freeipa.org/page/Trusts
>

Would not having an AD server be eligible for the option of last resort?

> Have a nice day!
>
> Petr^2 Spacek
>
>
>>> to the host entry.
>>>
>>> KrbPrincipalName can have multiple values and if there are more than
>>> one, KrbCanonicalName should be set to the canonical version which is
>>> the original KrbPrincipalName in IPA.
>>>
>>>
>>>> On an unrelated note, in
>>>> http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it
>>>> should be
>>>>
>>>> ksetup /addkpasswd
>>>>
>>>> not
>>>>
>>>> ksetup /addkpassword
>>>
>>> Corrected, thanks!
>
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
