I can't find the technet article right now, but here's what I did that
makes Win7 work.  Run gpedit.msc. Under >Computer
Configuration\Windows Settings\Security Settings\Local
Policies\Security Options open the key called “Network Security:
Configure encryption types allowed for Kerberos” unselect everything
except RC4_HMAC_MD5 and reboot.  Step by step instructions below. AES
worked at first for me but that was only for the IPA user `admin` and
even that broke after I changed the `admin` password using the windows
change password dialog. I will be submitting that tracefile and log to
MS to see what might be happening.

On FreeIPA:

i.    create the host principal in the web interface
ii.   create IPA users to correspond to windows users
iii.  reset the user's IPA password to a known password using the web
interface, the user will be prompted to change at first log in. (is
there a default password or is this random? sorry if that's somewhere
else in docs and I missed it)
iv.    on the IPA server run `ipa-getkeytab -s [kdc DNS name] -p
host/[machine-name] -e  arcfour-hmac -k krb5.keytab.[machine-name] -P

configure windows ksetup:

i.    ksetup /setdomain [REALM NAME]
ii.    ksetup /addkdc [REALM NAME] [kdc DNS name]
iii.    ksetup /addkpassword [REALM NAME] [kdc DNS name]
iv.    ksetup /setcomputerpassword [PASSWORD]
v.    ksetup /mapuser * *
vi.   Run gpedit.msc. Under >Computer Configuration\Windows
Settings\Security Settings\Local Policies\Security Options open the
key called “Network Security: Configure encryption types allowed for
Kerberos” unselect everything except RC4_HMAC_MD5
vii.    *** REBOOT ***
viii. log in as [user]@[REALM] with the initial password, you will be
prompted to change the password then logged in.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to