Nope, I kept forgetting to re-post it. Here are the steps I used:

On FreeIPA:
i. create the host principal in the web interface
ii. create IPA users to correspond to Windows users
iii. reset the user's IPA password to a known password using the web interface, the user will be prompted to change at first log in. (is there a default password or is this random? sorry if that's somewhere else in docs and I missed it)
iv. on the IPA server run `ipa-getkeytab -s [kdc DNS name] -p host/[machine-name] -e arcfour-hmac -k krb5.keytab.[machine-name] -P`

configure windows ksetup:
i. ksetup /setdomain [REALM NAME]
ii. ksetup /addkdc [REALM NAME] [kdc DNS name]
iii. ksetup /addkpassword [REALM NAME] [kdc DNS name]
iv. ksetup /setcomputerpassword [PASSWORD]
v. ksetup /mapuser * *
vi. Run gpedit.msc. Under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options open the key called “Network Security: Configure encryption types allowed for Kerberos” unselect everything except RC4_HMAC_MD5
vii. *** REBOOT ***
viii. log in as [user]@[REALM] with the initial password, you will be prompted to change the password then logged in.

On Fri, Feb 24, 2012 at 8:33 AM, Nigel Sollars <nsoll...@gmail.com> wrote:

> Hello,
>
> I've been away for a little while, did I miss any posting of this information?
>
> Thanks
> Nigel Sollars
>
> On Thu, Feb 9, 2012 at 9:51 AM, Jimmy <g17ji...@gmail.com> wrote:
>
>> Yes, I'll find that and post it. I've been traveling for work the past few weeks and haven't had it with me.
>>
>> On Thu, Feb 9, 2012 at 8:25 AM, Nigel Sollars <nsoll...@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> Could you point me to the document please :).
>>>
>>> Thanks in advance.
>>>
>>> On Mon, Feb 6, 2012 at 1:34 PM, Jimmy <g17ji...@gmail.com> wrote:
>>>
>>>> I am not making the Windows systems part of an AD. I only need to replicate users from an AD group to FreeIPA and I've had issues making that work. I was working on that with a couple guys here on the list a couple weeks ago but have been traveling so it's been hard to make time to work on that.
>>>>
>>>> I submitted the doc to configure Win7 a while back but will look for it and re-submit.
>>>>
>>>> Jimmy
>>>>
>>>> On Mon, Feb 6, 2012 at 12:24 PM, Dmitri Pal <d...@redhat.com> wrote:
>>>>
>>>>> On 02/06/2012 11:31 AM, Jimmy wrote:
>>>>>
>>>>> I don't think you have to put it anywhere, the ipa.getkeytab mainly sets the workstation password in freeipa. I keep the client keytabs in /etc (krb5.keytab.[clientname].)
>>>>>
>>>>> I have many Win7 and WinXP workstations authenticating but I'm still working on getting user/password sync working.
>>>>>
>>>>> Jimmy
>>>>>
>>>>>
>>>>> Jimmy,
>>>>>
>>>>> Are you using Windows systems directly with IPA or you make them a part of the AD domain and use winsync to sync data from AD to IPA? If you managed to setup Win7 directly with IPA please share how you have done this.
>>>>>
>>>>> Thanks
>>>>> Dmitri
>>>>>
>>>>> On Mon, Feb 6, 2012 at 10:39 AM, Nigel Sollars <nsoll...@gmail.com> wrote:
>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> Quick question,
>>>>>>
>>>>>> I want to setup a Windows system to use my realm, I've followed the prep list and created a simple arcfour-hmac krb5.keytab. The guide does not mention where I place this keytab. I thought I would check before running any of the ksetup commands.
>>>>>>
>>>>>> Also just for reference has anyone gotten Windows 7 / server 2008 authenticated? ( I guess that should also include server 2003 ).
>>>>>>
>>>>>> Thanks in advance
>>>>>>
>>>>>> Nigel Sollars
>>>>>>
>>>>>> --
>>>>>> “Science is a differential equation. Religion is a boundary condition.”
>>>>>>
>>>>>> Alan Turing
>>>>>>
>>>>>> _______________________________________________
>>>>>> Freeipa-users mailing list
>>>>>> Freeipa-users@redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>>
>>>>> --
>>>>> Thank you,
>>>>> Dmitri Pal
>>>>>
>>>>> Sr. Engineering Manager IPA project,
>>>>> Red Hat Inc.
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
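
An added example, not part of the original post and not FreeIPA's own code: a keytab written by the `ipa-getkeytab ... -e arcfour-hmac` step above holds only an RC4 key, so this parser reads MIT keytab bytes (format 0x0502) and lists the principals whose current key is RC4-only, as an audit of the `krb5.keytab.[machine-name]` files kept on the IPA server. The realm, host names and sample bytes are constructed, and `sample_entry` is a hypothetical helper that exists only to build that sample.

```python
import struct

RC4_HMAC = 23  # enctype number of arcfour-hmac (RC4_HMAC_MD5 in the Windows policy)

def read_counted(buf, off):  # uint16 length + bytes -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    if off + 2 + n > len(buf):
        raise ValueError("counted string runs past end of entry")
    return buf[off + 2:off + 2 + n], off + 2 + n

def read_entry(buf):
    (ncomp,) = struct.unpack_from(">H", buf, 0)
    names, off = [], 2
    for _ in range(ncomp + 1):  # realm first, then the principal's components
        name, off = read_counted(buf, off)
        names.append(name.decode())
    _name_type, _timestamp, kvno, enctype = struct.unpack_from(">IIBH", buf, off)
    _key, off = read_counted(buf, off + 11)
    if len(buf) - off >= 4:  # optional 32-bit kvno replaces the 8-bit one if nonzero
        kvno = struct.unpack_from(">I", buf, off)[0] or kvno
    return "/".join(names[1:]) + "@" + names[0], kvno, enctype

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from MIT keytab bytes (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a format 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size > 0:
            if pos + 4 + size > len(data):
                raise ValueError("truncated keytab entry")
            out.append(read_entry(data[pos + 4:pos + 4 + size]))
        pos += 4 + abs(size)  # a negative size is a deleted slot: skip its bytes
    return out

def rc4_only(entries):  # principals whose highest kvno holds only an arcfour-hmac key
    keys = {}
    for princ, kvno, etype in entries:
        keys.setdefault(princ, {}).setdefault(kvno, set()).add(etype)
    return sorted(p for p, k in keys.items() if k[max(k)] == {RC4_HMAC})

def sample_entry(host, kvno, enctype):  # constructed entry, all-zero placeholder key
    body = struct.pack(">H", 2) + b"".join(
        struct.pack(">H", len(s)) + s for s in (b"EXAMPLE.TEST", b"host", host))
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, 16) + bytes(16)
    return struct.pack(">i", len(body)) + body
# Constructed sample, not a real keytab: an RC4-only Windows host and an AES+RC4 host
SAMPLE = b"\x05\x02" + sample_entry(b"win7-a.example.test", 1, 23) + b"".join(
    sample_entry(b"ipa.example.test", 2, e) for e in (18, 23))
```

To audit a real file, pass its bytes to `parse_keytab` and the result to `rc4_only`; enctype 18 in the sample is aes256-cts-hmac-sha1-96.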