In our evironment we have very limited amount of shared virtual Windows
7 machines. We haven't really seen any value in setting up an AD domain
for them, but have been relying on pure Kerberos authentication using
the ksetup procedure
(http://www.freeipa.org/page/Windows_authentication_against_FreeIPA).

Recently the LDAP in our FreeIPA 3.0 was updated with the task to add
SIDs to all old user accounts (the newer ones would already have a SID),
but that made the Kerberos logon stop working for remote desktop
connections. Logging on to the console using the same Kerberos
credentials would still work... This seems to be directly related to the
addition of SIDs in LDAP, as removing the object class ipantuserattrs
and the SID would get it back in order again.

Are there any known tricks that could be applied to the Windows machines
(or to FreeIPA for that matter) that would make this work again?



Best regards
Nicklas Björk

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to