On Sat, 17 Dec 2022, Alejo Diaz via FreeIPA-devel wrote:
> Currently, if I follow the steps, I can't get Windows 10 or 11
> (both 22H2) working with FreeIPA v4.10.1.

FreeIPA team does not support enrolling Windows systems into FreeIPA.

I assume you are referring to 
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA

This is not supported and any problems reported aren't going to be
solved. Since Samba AD is a fairly good AD replacement, our
recommendation is to enroll Windows systems to Samba AD and then
establish trust between Samba AD and FreeIPA.


> Please update/add these steps:
>
> 1. The algorithm "arcfour-hmac" isn't necessary in these versions (I
> don't know about other versions). Just skip the "-e" option or specify
> it with "-e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96".
>
> 2. Enforce the use of TCP when using Kerberos in Windows by running the
> following commands after step 5 of the "Configure Windows (ksetup)"
> section. This step helps when you log in via VPN or when the packet size
> is > 1500 (MTU limited!).
>
>     ```
>     reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v "MaxPacketSize" /t REG_DWORD /d 1 /f
>     ksetup /setrealmflags [REALM_NAME] tcpsupported
>     ```

FYI, for about a decade the FreeIPA default krb5.conf configuration has
forced the use of TCP:

[libdefaults]
  udp_preference_limit = 0


> 3. Ensure the `permitted_enctypes` in the `/etc/krb5.conf` configuration
> on FreeIPA servers (and replicas). Next, delete
> `/etc/krb5.conf.d/crypto-policies` (I didn't test whether updating this
> file from a tool works). This ensures that every ticket sent from the
> FreeIPA KDC always uses the `permitted_enctypes` algorithms.

This is not needed at all. Please follow the documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/integrating_rhel_systems_directly_with_windows_active_directory/connecting-rhel-systems-directly-to-ad-using-sssd_integrating-rhel-systems-directly-with-active-directory#ensuring-support-for-common-encryption-types-in-ad-and-rhel_connecting-rhel-systems-directly-to-ad-using-sssd

In essence, in RHEL 8:

# update-crypto-policies --set DEFAULT:AD-SUPPORT

and in RHEL 9:

# update-crypto-policies --set DEFAULT:AD-SUPPORT-LEGACY

> 4. Step 8 from the "Configure Windows (ksetup)" section isn't necessary.
> Windows creates the user automatically.
>
> 5. If you don't want to type <user>@<domain> for every uncached user, run
> the following command to hard-code the domain in the logon screen (add
> after step 5 of the "Configure Windows (ksetup)" section?):
>
>    ```
>    reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DefaultLogonDomain" /t REG_SZ /d "[REALM_NAME]" /f
>    ```
>
> 6. Step 1 of the "Configure Windows (ksetup)" section changes from
> "/setdomain" to "/setrealm". Actually, both work, but I don't know if this
> command changes in the future.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
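An added example, not code from this thread or from the FreeIPA project: the Python script below audits krb5.conf text for the two settings discussed above, `udp_preference_limit = 0` forcing TCP (the reply under step 2) and whether a weak enctype such as arcfour-hmac is still listed in `permitted_enctypes` once a `/etc/krb5.conf.d/` drop-in like the crypto-policies file is taken into account (step 3). The sample config and drop-in are constructed. The script assumes MIT krb5's profile semantics in which the first definition of a single-valued relation wins, so drop-ins pulled in by an `includedir` at the top of the file are passed first; it reports `includedir` lines rather than reading the directory, so the drop-in text has to be supplied explicitly.

```python
# Added example (not FreeIPA's or the list's own code). Audit krb5.conf text,
# plus any /etc/krb5.conf.d/ drop-in text, for: TCP forced via
# udp_preference_limit = 0, and weak enctypes (RC4/DES) still permitted.
# Assumption: MIT krb5 keeps the first definition of a relation, so texts are
# merged in include order and the first value of a key wins.
import re

# RC4/DES family names as they appear in krb5.conf enctype lists.
WEAK_ENCTYPES = {
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp", "rc4-hmac", "rc4",
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des3-cbc-sha1", "des3",
}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tgs_enctypes", "default_tkt_enctypes")

SECTION_RE = re.compile(r"^\[([A-Za-z_]+)\]$")
KV_RE = re.compile(r"^([A-Za-z_][\w.-]*)\s*=\s*(.*)$")


def parse_libdefaults(text):
    """Return (relations in [libdefaults], includedir paths) for one text.

    Brace blocks (realm definitions under [realms], etc.) are skipped by
    tracking nesting depth; only top-level [libdefaults] relations count.
    """
    section, depth = None, 0
    relations, includedirs = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if depth == 0 and line.startswith("includedir "):
            includedirs.append(line.split(None, 1)[1])
            continue
        m = SECTION_RE.match(line)
        if m and depth == 0:
            section = m.group(1)
            continue
        if line.endswith("{"):
            depth += 1
            continue
        if line == "}":
            depth = max(depth - 1, 0)
            continue
        if section == "libdefaults" and depth == 0:
            m = KV_RE.match(line)
            if m:
                relations.setdefault(m.group(1), m.group(2).strip())
    return relations, includedirs


def audit(main_text, dropin_texts=()):
    """Merge drop-ins (first, as includedir sits at the top of krb5.conf) with
    the main file, first definition winning, and report the two checks."""
    main_relations, includedirs = parse_libdefaults(main_text)
    effective = {}
    for text in dropin_texts:
        for key, value in parse_libdefaults(text)[0].items():
            effective.setdefault(key, value)
    for key, value in main_relations.items():
        effective.setdefault(key, value)

    weak = set()
    for key in ENCTYPE_KEYS:
        for enc in re.split(r"[\s,]+", effective.get(key, "")):
            if enc.lower() in WEAK_ENCTYPES:
                weak.add(enc.lower())
    return {
        "forces_tcp": effective.get("udp_preference_limit") == "0",
        "weak_enctypes": sorted(weak),
        "includedirs": includedirs,
    }


# Constructed sample: a FreeIPA-style krb5.conf whose own enctype list is
# AES-only, and a drop-in (as a crypto-policies file might) that also allows RC4.
SAMPLE_KRB5_CONF = """\
includedir /etc/krb5.conf.d/

[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_realm = false
  udp_preference_limit = 0
  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96

[realms]
  EXAMPLE.TEST = {
    kdc = ipa.example.test:88
    admin_server = ipa.example.test:749
  }
"""
SAMPLE_DROPIN = """\
[libdefaults]
permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
"""

if __name__ == "__main__":
    print(audit(SAMPLE_KRB5_CONF, [SAMPLE_DROPIN]))
    print(audit(SAMPLE_KRB5_CONF))
```

Run against a real host by reading `/etc/krb5.conf` and each file in the reported `includedirs` and passing them in, in directory order, as the drop-in list; a non-empty `weak_enctypes` with `forces_tcp` true is exactly the state step 3 describes before the drop-in is removed or the policy is changed.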
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org