On Wed, Nov 13, 2013 at 08:19:18PM +0100, Nicklas Björk wrote:
> On 2013-11-13 20:00, Simo Sorce wrote:
> > On Tue, 2013-11-12 at 21:50 +0100, Nicklas Björk wrote:
> >> On 2013-11-12 21:39, Simo Sorce wrote:
> >>> On Tue, 2013-11-12 at 21:11 +0100, Nicklas Björk wrote:
> >>>> In our environment we have a very limited amount of shared virtual Windows
> >>>> 7 machines. We haven't really seen any value in setting up an AD domain
> >>>> for them, but have been relying on pure Kerberos authentication using
> >>>> the ksetup procedure
> >>>> (http://www.freeipa.org/page/Windows_authentication_against_FreeIPA).
> >>>>
> >>>> Recently the LDAP in our FreeIPA 3.0 was updated with the task to add
> >>>> SIDs to all old user accounts (the newer ones would already have a SID),
> >>>> but that made the Kerberos logon stop working for remote desktop
> >>>> connections. Logging on to the console using the same Kerberos
> >>>> credentials would still work... This seems to be directly related to the
> >>>> addition of SIDs in LDAP, as removing the object class ipantuserattrs
> >>>> and the SID would get it back in order again.
> >>>>
> >>>> Are there any known tricks that could be applied to the Windows machines
> >>>> (or to FreeIPA for that matter) that would make this work again?
> >>>
> >>> It's odd that adding the SIDs makes it not work; I remember reports of
> >>> people being happy to see it work better.
> >>>
> >>> We do have a way to disable setting the MS-PAC on tickets, but I fear it
> >>> is only for TGS requests and not for the TGT.
> >>>
> >>> Have you added SIDs because you are using a trust relationship with an
> >>> AD domain, and you just wish not to use them for these few Windows
> >>> machines?
> >>>
> >>> Simo.
> >>>
> >>
> >> Rather than the SIDs, it was the NT hash I was looking for, to be used
> >> in a RADIUS implementation. The task in LDAP to make the update also
> >> added SIDs to all user accounts.
> >>
> >> The mentioned few Windows machines are the only ones here and there is
> >> also no AD available. At an earlier stage I may have tried making a
> >> trust using the ipa-adtrust-install against a test AD that was available
> >> for some time, but it's long gone and there are currently no configured
> >> trusts.
> >
> > I see, but the SID is required by the objectclass that allows you to set
> > the NT hash. One way to resolve that would be to use a different
> > objectclass so you do not have to set the SID, but I am not sure the NT hash
> > would be automatically refreshed at password change then.
> >
> > Can you tell me exactly what error your Win7 machines return?
> >
> > Simo.
> >
>
> I have actually spent a few hours today trying to figure out under what
> circumstances it stops working. It seems like authentication with
> Kerberos always works, but for some reason it won't let the user create
> a session when connecting using RDP, when the SID is available in the
> directory (thus also in the Kerberos ticket, I would assume?). The local
> user account is in the Administrators as well as the Remote Desktop
> Users groups, but the error message given at logon is "The requested
> session access is denied."

The PAC (the part of the Kerberos ticket which contains the SID of the
user, his group memberships and other data) will contain the SIDs of the
groups of the user on the IPA side, not what is defined locally on the
Windows machine. Maybe it might help if you add the user to a group on the
IPA side which has the 'Domain Admins' SID, i.e. the IPA Domain SID +
'-512'. If you have run ipa-adtrust-install the IPA admins group should
already have this SID.

HTH

bye,
Sumit

>
> There must be some way to get more information on what the system is
> doing and what it wants. Perhaps it would be possible to increase the
> amount of debugging information in the event viewer? Maybe it would
> start working again if I flipped the right 0 to a 1 somewhere in the
> deep registry forest...
>
>
> Nicklas
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipafirstname.lastname@example.org
> https://www.redhat.com/mailman/listinfo/freeipa-users
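The reasoning in Sumit's reply hinges on how Windows reads the group SIDs carried in the PAC: it evaluates them relative to the domain part of the SID, so a group is recognised as 'Domain Admins' only when its SID is the issuing domain's SID followed by the relative identifier 512. The following script is an added example written for this page; it is not code from the thread or from the FreeIPA project. It parses SID strings, derives the Domain Admins SID from a domain SID exactly as the reply describes (domain SID + '-512'), and reports which groups in a PAC-style SID list belong to that domain. The domain SID `S-1-5-21-1111111111-2222222222-3333333333` and the group list are constructed sample values; the RID labels 512 (Domain Admins) and 513 (Domain Users) are the standard Windows well-known RIDs, and `S-1-5-32-544` is the well-known BUILTIN\Administrators SID, included to show that a machine-local group never matches the domain.

```python
import re
from dataclasses import dataclass

# Textual SID: S-<revision>-<identifier authority>-<sub1>-<sub2>-...
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")

# Well-known relative identifiers (RIDs) that Windows resolves against the
# domain portion of a SID. 512 is the one the mailing-list reply refers to.
WELL_KNOWN_DOMAIN_RIDS = {
    512: "Domain Admins",
    513: "Domain Users",
}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauthorities: tuple

    @classmethod
    def parse(cls, text):
        m = SID_RE.match(text)
        if not m:
            raise ValueError(f"not a SID: {text!r}")
        subs = tuple(int(s) for s in m.group(3).split("-")[1:])
        return cls(int(m.group(1)), int(m.group(2)), subs)

    def __str__(self):
        tail = "-".join(str(s) for s in self.subauthorities)
        return f"S-{self.revision}-{self.authority}-{tail}"

    @property
    def rid(self):
        # The last subauthority is the relative identifier within the domain.
        return self.subauthorities[-1]

    @property
    def domain(self):
        # Everything except the RID identifies the issuing domain.
        return Sid(self.revision, self.authority, self.subauthorities[:-1])

    def is_domain_sid(self):
        # A domain SID has the shape S-1-5-21-<a>-<b>-<c>: authority 5,
        # first subauthority 21, then three domain-specific values.
        return (self.authority == 5
                and len(self.subauthorities) == 4
                and self.subauthorities[0] == 21)


def domain_admins_sid(domain_sid):
    """Build the 'Domain Admins' SID for a domain: domain SID + '-512'."""
    d = Sid.parse(domain_sid)
    if not d.is_domain_sid():
        raise ValueError(f"not a domain SID: {domain_sid}")
    return str(Sid(d.revision, d.authority, d.subauthorities + (512,)))


def classify_pac_groups(domain_sid, group_sids):
    """Map each group SID issued by the given domain to its well-known name
    (or 'RID <n>' if it is an ordinary group). SIDs from other domains or
    from the machine-local BUILTIN authority are left out, because Windows
    does not treat them as memberships in this domain."""
    d = Sid.parse(domain_sid)
    result = {}
    for text in group_sids:
        s = Sid.parse(text)
        if s.domain == d:
            result[text] = WELL_KNOWN_DOMAIN_RIDS.get(s.rid, f"RID {s.rid}")
    return result


def has_domain_admins(domain_sid, group_sids):
    """True when the PAC group list carries the domain's Domain Admins SID."""
    return domain_admins_sid(domain_sid) in set(group_sids)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
    pac_groups = [DOMAIN + "-513", DOMAIN + "-1001", "S-1-5-32-544"]
    print("Domain Admins SID:", domain_admins_sid(DOMAIN))
    print("Domain groups in PAC:", classify_pac_groups(DOMAIN, pac_groups))
    print("Has Domain Admins:", has_domain_admins(DOMAIN, pac_groups))
```

Running it against the sample list shows that BUILTIN\Administrators (`S-1-5-32-544`) is not a group of the IPA domain at all, which is why a user being in the Windows machine's local Administrators group does nothing for the PAC check; only a group whose SID is the IPA domain SID plus `-512` is seen as Domain Admins.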