On 19.2.2014 20:10, Mauricio Tavares wrote:
On Wed, Feb 19, 2014 at 2:02 PM, Petr Spacek <pspa...@redhat.com> wrote:
On 19.2.2014 19:44, Simo Sorce wrote:

On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote:

On Wed, 19 Feb 2014, Mauricio Tavares wrote:

       When I added a windows 7 client (let's call it
windows.lan.domain.com), I had to go manually enter the domain (in
System Properties->Computer Name/Domain Changes->DNS Suffix and
netbios computer name) even though ipconfig would report it properly.
Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM
instead of windows.lan.domain....@domain.com. Does anyone know why? I
know the realm and the domain names are not quite the same (domain has
a "lan" in it), but should that matter?

Windows uses NetBIOS name$ as the machine name in TGT requests for the

At this point we don't have means to correct this via IPA CLI. You need
to use ldapmodify directly and add

      krbprincipalname: windows$DOMAIN.COM
      krbcanonicalname: HOST/windows.lan.domain....@domain.com

Note that 'host' here should be lower case.

... And please note that
http://www.freeipa.org/page/Windows_authentication_against_FreeIPA is an
option of last resort.

Please use real trust between AD and IPA whenever possible:

       Would not having an AD server be eligible for the option of last resort?

Sure, when Samba 4 has an ability to create trust with IPA :-)

Seriously, if you have non-trivial network with Windows clients you really need something for managing them - most likely AD or Samba 4. Unfortunately, Samba 4 is not able to create trust with IPA right now.

Petr^2 Spacek

to the host entry.

KrbPrincipalName can have multiple values and if there are more than
one, KrbCanonicalName should be set to the canonical version which is
the original KrbPrincipalName in IPA.

       On an unrelated note, in
http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it
should be

ksetup /addkpasswd


ksetup /addkpassword

Corrected, thanks!

Petr^2 Spacek

Freeipa-users mailing list

Reply via email to