On Tue, 2011-11-15 at 20:44 -0500, Jimmy wrote:
> I did supply this to the list at the middle of September, but will
> re-send. I know things get lost in the flow of emails/lists.
>
> ==============IPA and ksetup steps=================
> I can't find the technet article right now, but here's what I did
> that makes Win7 (and XP, but XP doesn't need the gpedit step) work.
>
> One note about this, I kept getting strange errors with any encryption
> besides rc4-hmac. For my situation I think it is suitable (a static
> environment once the systems are deployed), but if others want to
> spend more time hacking on the system MS messed up, go for it ;).
>
> On FreeIPA:
>
> i. create the host principal in the web interface
> ii. create IPA users to correspond to windows users
> iii. reset the user's IPA password to a known password using the web
> interface, the user will be prompted to change at first log in.
> (is there a default password or is this random? sorry if that's
> somewhere else in docs and I missed it)
> iv. on the IPA server run `ipa-getkeytab -s [kdc DNS name]
> -p host/[machine-name] -e arcfour-hmac -k krb5.keytab.[machine-name]
> -P` (enter the password that will be used in the
> `ksetup /setcomputerpassword` below)
>
> configure windows ksetup:
>
> i. ksetup /setdomain [REALM NAME]
> ii. ksetup /addkdc [REALM NAME] [kdc DNS name]
> iii. ksetup /addkpassword [REALM NAME] [kdc DNS name]
> iv. ksetup /setcomputerpassword [PASSWORD]
> v. ksetup /mapuser * *
> vi. Run gpedit.msc. Under Computer Configuration\Windows Settings
> \Security Settings\Local Policies\Security Options open the key called
> “Network Security: Configure encryption types allowed for Kerberos”
> unselect everything except RC4_HMAC_MD5

Hi Jimmy and all,
at this year's Kerberos Conference interop we found out what was causing
issues with AES and we have a patch in the master tree. This step will
hopefully not be necessary anymore quite soon.

Simo.

> vii. *** REBOOT ***
> viii. log in as [user]@[REALM] with the initial password, you will be
> prompted to change the password then logged in.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
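The workaround in Jimmy's steps (a keytab exported with `-e arcfour-hmac` plus a Windows policy that leaves only RC4_HMAC_MD5 enabled) only works while the keytab and the Windows policy share an enctype, and it leaves every host pinned to RC4 until the AES fix Simo mentions lands. The script below is an added example, not code from the thread or from FreeIPA: it parses output in the layout MIT Kerberos `klist -kte` prints for a keytab, intersects each host principal's enctypes with the set enabled in the Windows "Configure encryption types allowed for Kerberos" policy, and reports which hosts cannot authenticate at all, which still depend on RC4 only, and which can use AES. The sample `klist` output, the realm EXAMPLE.TEST and the host names are constructed placeholders, and the MIT-to-Windows enctype name mapping is an assumption you should check against your own policy editor.

```python
import re
from collections import defaultdict

# Constructed sample in the layout MIT Kerberos `klist -kte` prints; the
# principals, realm and timestamps are placeholders, not values from the thread.
SAMPLE_KLIST_OUTPUT = """\
Keytab name: FILE:krb5.keytab.win7-desk01
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/15/2011 20:44:00 host/win7-desk01.example.test@EXAMPLE.TEST (arcfour-hmac)
   2 11/15/2011 20:44:10 host/win7-desk02.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   2 11/15/2011 20:44:10 host/win7-desk02.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   2 11/15/2011 20:44:10 host/win7-desk02.example.test@EXAMPLE.TEST (arcfour-hmac)
   3 11/15/2011 20:44:20 host/win7-desk03.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
"""

# One keytab entry: KVNO, timestamp (date + time), principal, enctype in parentheses.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\(([^)]+)\)\s*$")

# MIT enctype names mapped to the checkbox names in the Windows
# "Configure encryption types allowed for Kerberos" policy (assumed mapping).
WINDOWS_NAMES = {
    "aes256-cts-hmac-sha1-96": "AES256_HMAC_SHA1",
    "aes128-cts-hmac-sha1-96": "AES128_HMAC_SHA1",
    "arcfour-hmac": "RC4_HMAC_MD5",
    "arcfour-hmac-md5": "RC4_HMAC_MD5",
    "des-cbc-crc": "DES_CBC_CRC",
    "des-cbc-md5": "DES_CBC_MD5",
}

# Enctypes a defender would rather not depend on permanently.
WEAK_ENCTYPES = {"arcfour-hmac", "arcfour-hmac-md5", "des-cbc-crc", "des-cbc-md5"}

# The policy state from step vi of the thread: only RC4 left enabled.
RC4_ONLY_POLICY = {"RC4_HMAC_MD5"}
# A policy that also permits AES (assumed; adjust to what your GPO enables).
AES_AND_RC4_POLICY = {"AES256_HMAC_SHA1", "AES128_HMAC_SHA1", "RC4_HMAC_MD5"}


def parse_klist(text):
    """Return {principal: {enctype, ...}} from `klist -kte` style output."""
    entries = defaultdict(set)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            _kvno, _timestamp, principal, enctype = m.groups()
            entries[principal].add(enctype)
    return dict(entries)


def common_enctypes(keytab_enctypes, windows_allowed):
    """Enctypes present in the keytab that the Windows policy also permits."""
    return {e for e in keytab_enctypes if WINDOWS_NAMES.get(e) in windows_allowed}


def audit_keytab(text, windows_allowed):
    """Classify each host principal by whether a Kerberos exchange can work.

    NO_COMMON_ENCTYPE: keytab and policy share no enctype (logon will fail).
    RC4_ONLY: it works, but only over RC4, i.e. the host is still on the workaround.
    OK: at least one non-weak enctype is usable on both sides.
    """
    report = {}
    for principal, enctypes in parse_klist(text).items():
        usable = common_enctypes(enctypes, windows_allowed)
        if not usable:
            report[principal] = "NO_COMMON_ENCTYPE"
        elif usable <= WEAK_ENCTYPES:
            report[principal] = "RC4_ONLY"
        else:
            report[principal] = "OK"
    return report


if __name__ == "__main__":
    for name, policy in (("rc4-only policy", RC4_ONLY_POLICY),
                         ("aes+rc4 policy", AES_AND_RC4_POLICY)):
        print(f"== {name} ==")
        for principal, status in sorted(audit_keytab(SAMPLE_KLIST_OUTPUT, policy).items()):
            print(f"{status:18} {principal}")
```

Run it against the real output of `klist -kte /path/to/keytab` on the IPA side (the file `ipa-getkeytab -k` wrote) once the AES fix is deployed and the gpedit step is undone: any host still reported as RC4_ONLY needs its keytab re-exported with AES enctypes, and any NO_COMMON_ENCTYPE result means the policy was tightened before the keytab was refreshed.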