If you use the MSLSA credential cache MIT kerberos works.

    kinit -c MSLSA: user@REALM

Not sure about the MIT ticket manager.

On 11.11.2015 at 01:54, Loris Santamaria <[email protected]> wrote:
>
>
> On Tue, 10-11-2015 at 16:15 -0700, Randolph Morgan wrote:
>> Yes they are in the same DNS domain as the IPA server. I am able to
>> resolve the server address. Which side would you like more information
>> on, the server side or the client side? We are not running any AD
>> domains, so this is not a Windows based system. We are running FreeIPA
>> 4.2+ on RHEL 7.1 using the stock Samba from RHEL. On the client side I
>> am running Windows 10 and I have installed MIT Kerberos version 4.01.
>> In the MIT ticket manager I show a tgt and it works as it should. But
>> from the command prompt in windows if I do a klist it reports:
>>
>> Current LogonId is 0:0x6320a
>>
>> Cached Tickets: (0)
>>
>> So even though MIT Kerberos shows a successful negotiation with IPA and
>> a ticket is received, windows reports back the above when a klist is
>> run.
>
> I think that is the problem, you shouldn't use MIT kerberos.
>
> The commands listed on the howto:
>
> 1. ksetup /setdomain [REALM NAME]
> 2. ksetup /addkdc [REALM NAME] [kdc DNS name]
> 3. ksetup /addkpasswd [REALM NAME] [kdc DNS name]
> 4. ksetup /setcomputerpassword [MACHINE_PASSWORD] (the one used above)
> 5. ksetup /mapuser * *
>
> are meant to be run with the windows native ksetup command. The native
> windows kerberos libraries cannot see tickets obtained with MIT
> kerberos.
>
> Best regards
>
>
>> What I am trying to do is get the two to talk to each other, but I
>> have not had any success as of yet. I have edited the krb5.ini with the
>> correct information, and rebooted the machine multiple times with no
>> change. Any help here would be really appreciated, we are taking this
>> system live over the weekend and would really love to have this part
>> fixed.
>>
>> Randy
>>
>> Randy Morgan
>> CSR
>> Department of Chemistry and Biochemistry
>> Brigham Young University
>> 801-422-4100
>>
>> On 11/10/2015 3:50 PM, Loris Santamaria wrote:
>>> On Tue, 10-11-2015 at 11:51 -0700, Randolph Morgan wrote:
>>>> Ok, that makes sense, but could we not just create the host in the
>>>> IPA UI as part of the DNS?
>>> That isn't enough, the dns object just maps to an ip address, you have
>>> to create a "host" object with ipa host-add, that object is needed to
>>> store the kerberos principal and password for the host.
>>>
>>>> Also we seem to be having some difficulty with
>>>> another part of the process, that is getting the Windows machines to
>>>> even acknowledge that they have the ability to talk with the kdc.
>>>> Following the commands yields only that the windows machine is unable
>>>> to locate the kdc, are we missing something? Is this one of the issues
>>>> related to different versions of Kerberos, e.g. MIT vs Heimdal?
>>> You should check for dns inconsistencies first, are the windows
>>> machines in the same dns domain as windows? Can they resolve the
>>> addresses of the ipa servers? If that doesn't help you should post more
>>> details of your setup...
>>>
>>> Best regards
>>>
>>>
>>>> On 11/10/2015 11:32 AM, Loris Santamaria wrote:
>>>>> On Tue, 10-11-2015 at 11:18 -0700, Randolph Morgan wrote:
>>>>>> I am certain that everyone gets tired of answering the same questions
>>>>>> over and over, so maybe an update to the documentation would be
>>>>>> better.
>>>>>> I am trying to get my Windows machines to authenticate against a
>>>>>> FreeIPA server running IPA 4.2+ on RHEL 7. I have followed the
>>>>>> documentation listed on
>>>>>> https://www.freeipa.org/page/Windows_authentication_against_FreeIPA,
>>>>>> but there seem to be a few steps missing.
>>>>>>
>>>>>> In the Configure FreeIPA section you are told to create a keytab for
>>>>>> the Windows machine in question. After creating the keytab, what do
>>>>>> you do with it? It jumps from creating the keytab to configuring
>>>>>> Windows but does not say what to do with the keytab and the
>>>>>> instructions never reference it again. Would someone please clarify
>>>>>> this, and is this something we would need to do for each and every
>>>>>> Windows machine on our network?
>>>>> Note that the ipa-getkeytab command is called with the -P option, so
>>>>> it asks for a password: that password is used as a password for the
>>>>> machine principal and is stored in the directory.
>>>>>
>>>>> So no, the keytab is not really used anywhere else and can be
>>>>> deleted. It is the act of generating it (with a known password) that
>>>>> needs to be done for every windows machine in the network. Please use
>>>>> strong, random and different passwords for each windows machine in
>>>>> the network.
>>>>>
>>>>>
>>
> --
> Loris Santamaria linux user #70506 xmpp:[email protected]
> Links Global Services, C.A. http://www.lgs.com.ve
> Tel: 0286 952.06.87 Cel: 0414 095.00.10 sip:[email protected]
> ------------------------------------------------------------
> "If I'd asked my customers what they wanted, they'd have said
> a faster horse" - Henry Ford
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
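The procedure assembled from this thread, as an added example that is not part of the thread or of the FreeIPA project: create the host object and run ipa-getkeytab -P on the IPA side with a strong per-machine password, run the native ksetup sequence quoted above on the Windows side with the same password, and parse the Windows klist output for the "Cached Tickets: (0)" symptom Randolph reported. The ksetup commands are taken verbatim from the thread; the ipa-getkeytab flags -s, -p, -k and -P are the standard ones; realm, DNS domain, IPA server and host names are hypothetical placeholders, and the klist sample is constructed from the thread.

```python
"""Added example: per-host bootstrap helper for the FreeIPA <-> Windows
(non-AD) Kerberos setup discussed in this thread. Not code from the thread or
the FreeIPA project. Realm, domain, server and host names are placeholders."""
import re
import secrets
import string


def machine_password(length=32):
    """Strong, random password, generated separately for each Windows host
    (the thread asks for strong, random, different passwords per machine).
    Alphanumeric only so it needs no quoting on the ksetup command line."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def check_naming(realm, dns_domain, fqdn):
    """DNS sanity checks from the thread: the Windows host must sit in the
    same DNS domain as the IPA server, and Kerberos realms are upper-case.
    Returns a list of problems; an empty list means the names are consistent."""
    problems = []
    if realm != realm.upper():
        problems.append("realm %s is not upper-case" % realm)
    if not fqdn.lower().endswith("." + dns_domain.lower()):
        problems.append("%s is not in DNS domain %s" % (fqdn, dns_domain))
    return problems


def ipa_side(ipa_server, realm, fqdn):
    """Commands for the FreeIPA server: create the host object (a DNS record
    alone is not enough), then ipa-getkeytab -P, which prompts for the machine
    password and stores it with the host principal. The keytab file written to
    -k is not needed afterwards and can be deleted."""
    return [
        "ipa host-add %s" % fqdn,
        "ipa-getkeytab -s %s -p host/%s@%s -k /tmp/%s.keytab -P"
        % (ipa_server, fqdn, realm, fqdn),
    ]


def windows_side(realm, kdc, password):
    """The native ksetup sequence quoted in the thread; the password is the
    one typed at the ipa-getkeytab -P prompt. The IPA server is the KDC."""
    return [
        "ksetup /setdomain %s" % realm,
        "ksetup /addkdc %s %s" % (realm, kdc),
        "ksetup /addkpasswd %s %s" % (realm, kdc),
        "ksetup /setcomputerpassword %s" % password,
        "ksetup /mapuser * *",
    ]


def cached_ticket_count(klist_output):
    """Parse the output of the native Windows klist. Zero cached tickets after
    logon means the LSA holds no TGT; a ticket sitting only in the MIT Kerberos
    for Windows cache is invisible here, which is the symptom in the thread."""
    m = re.search(r"Cached Tickets:\s*\((\d+)\)", klist_output)
    if m is None:
        raise ValueError("no 'Cached Tickets' line in klist output")
    return int(m.group(1))


# Constructed sample, copied from the symptom Randolph reported.
SAMPLE_KLIST = "Current LogonId is 0:0x6320a\n\nCached Tickets: (0)\n"


def bootstrap(realm, dns_domain, ipa_server, fqdn):
    """Return (password, IPA-side commands, Windows-side commands) for one
    host, refusing to proceed when the names are inconsistent."""
    problems = check_naming(realm, dns_domain, fqdn)
    if problems:
        raise ValueError("; ".join(problems))
    pw = machine_password()
    return pw, ipa_side(ipa_server, realm, fqdn), windows_side(realm, ipa_server, pw)


if __name__ == "__main__":
    pw, ipa_cmds, win_cmds = bootstrap(
        "EXAMPLE.COM", "example.com", "ipa.example.com", "win10.example.com")
    print("# on the IPA server (type this at the -P prompt):", pw)
    print("\n".join(ipa_cmds))
    print("# on the Windows host, from an elevated command prompt:")
    print("\n".join(win_cmds))
    print("cached tickets in sample klist output:",
          cached_ticket_count(SAMPLE_KLIST))
```

The generated password is shown once on the IPA side and then embedded in the ksetup /setcomputerpassword line, so treat the Windows-side script as a secret and delete it after use; running bootstrap() once per host keeps the passwords distinct, as the thread advises.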
