Thanks Rob. Looking at that log file, it confirmed that it wasn't connecting to the host successfully. After I set up a tunnel to the KDC it works like a charm.

Much appreciated,
--Scott

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Monday, July 06, 2015 10:58 AM
To: Haiden, Scott B.; freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Trouble getting a windows computer to get a TGT from a linux FreeIPA server

Haiden, Scott B. wrote:
> Hello,
>
> I have a KDC set up on a Linux virtual host, known as ldap.abc, which has a
> FreeIPA server running on it. I am trying to get a TGT from it, from my
> Windows 7 Enterprise machine. I am able to easily interact with it from other
> Linux hosts, but I am not having any luck from the Windows one.
>
> I have installed MIT Kerberos Tools for Windows on the Windows computer. I
> also copied over the /etc/krb5.conf file from a Linux host that is able to
> contact it. It contains the following:
>
> [libdefaults]
>   default_realm = ABC
>   dns_lookup_realm = false
>   dns_lookup_kdc = false
>   rdns = false
>   ticket_lifetime = 24h
>   forwardable = yes
>
> [realms]
>   PCS = {
>     kdc = ldap.abc:88
>     master_kdc = ldap.abc:88
>     admin_server = ldap.abc:749
>     default_domain = abc
>     pkinit_anchors = FILE:H:\Kerberos\ca.crt
>   }
>
> [domain_realm]
>   .abc = ABC
>   abc = ABC
>
> (Note that in the real file, I don't use "ABC" as the realm or domain but the
> real value is something else).
>
> I also copied over the ca.crt file and saved it to my Windows machine, and
> pointed the config file to it.
>
> If I set the KRB5_CONFIG environment variable in a command prompt and run
> `kinit username@ABC` (replacing username and ABC with my real username and
> the real realm, obviously) I get only this inscrutable and undescriptive error:
>
> kinit: Invalid argument while getting initial credentials
>
> I am wondering if it's a resolution issue brought on by proxying or something
> related: to get to ldap.abc, I have to go through a proxy. Web browsers are
> able to successfully navigate to it at https://ldap.abc but nslookup ldap.abc
> fails.
>
> Is this something that's even possible to do? Any pointers on where I should go
> to look for documentation would be appreciated.

It's been forever, probably 6 years, since I looked at MIT Kerberos on Windows, but I believe the client has some sort of auto-configure option where it will fetch the configuration from a server. The IPA server should be configured to provide this configuration (there were 3 files IIRC). You could try re-configuring using that.

Alternatively I'd start with /var/log/krb5kdc.log to see if it is getting to the KDC at all.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
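The thread ends with two findings a practitioner would want to check from the client side before touching the server log: whether the krb5.conf handed to the Windows client is internally consistent (default_realm, its [realms] stanza, the kdc lines, the [domain_realm] mappings), and whether the KDC port is actually reachable from a host that sits behind a proxy and cannot resolve the KDC's name. The following checker is an added example, not code from the thread, from MIT Kerberos or from FreeIPA. It parses the three sections a client needs, lists inconsistencies that kinit itself would only report as a terse error, and offers a TCP probe of the configured KDC endpoints. The realm EXAMPLE.TEST, the hosts kdc.example.test and jump.example.test, the ssh port-forward command and both sample files are constructed for illustration; the second sample shows the shape of a krb5.conf that points at a local tunnel, which is how the original poster got kinit working.

```python
"""Pre-flight checks for an MIT krb5.conf before running kinit.
Added example, not from the freeipa-users thread or FreeIPA itself: parses
[libdefaults]/[realms]/[domain_realm], reports inconsistencies that kinit only
surfaces as a terse error, and probes KDC reachability over TCP. Realms,
hostnames and both sample files below are constructed for illustration."""
import re
import socket

# Constructed sample 1: the [realms] stanza is not the realm named in
# default_realm, so the library has no KDC address for the realm in use.
MISMATCHED_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_kdc = false
[realms]
  OTHER.TEST = {
    kdc = kdc.example.test:88
  }
"""

# Constructed sample 2: KDC and kadmin ports forwarded over SSH, as in the
# thread's fix, so the kdc lines point at loopback instead of a name the
# client cannot resolve. Hypothetical forward (names are assumptions):
#   ssh -L 88:kdc.example.test:88 -L 749:kdc.example.test:749 jump.example.test
TUNNELED_CONF = """\
[libdefaults]
  default_realm = EXAMPLE.TEST
  dns_lookup_kdc = false
[realms]
  EXAMPLE.TEST = {
    kdc = 127.0.0.1:88
    master_kdc = 127.0.0.1:88
    admin_server = 127.0.0.1:749
  }
[domain_realm]
  .example.test = EXAMPLE.TEST
  example.test = EXAMPLE.TEST
"""


def parse_krb5_conf(text):
    """Return {section: {key: value}}, with `NAME = { ... }` blocks as nested
    dicts. Keeps one value per key, which is enough for these checks."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if m := re.fullmatch(r'\[(\w+)\]', line):
            section = sections.setdefault(m.group(1), {})
            block = None
        elif section is None or line == '}':
            block = None
        elif (m := re.fullmatch(r'(\S+)\s*=\s*\{', line)) and block is None:
            block = section.setdefault(m.group(1), {})
        elif m := re.fullmatch(r'(\S+)\s*=\s*(.*)', line):
            (section if block is None else block)[m.group(1)] = m.group(2).strip()
    return sections


def check_krb5_conf(text):
    """Return a list of findings; an empty list means the file is consistent."""
    conf = parse_krb5_conf(text)
    libdefaults, realms = conf.get('libdefaults', {}), conf.get('realms', {})
    findings = []
    realm = libdefaults.get('default_realm')
    if not realm:
        findings.append('[libdefaults] has no default_realm')
    elif realm not in realms:
        findings.append(f'default_realm {realm} has no [realms] stanza '
                        f'(stanzas present: {sorted(realms)})')
    # With DNS discovery of the KDC disabled, every stanza needs a kdc line.
    dns_kdc = libdefaults.get('dns_lookup_kdc', 'true').lower() in ('true', 'yes', '1')
    for name, stanza in realms.items():
        if not dns_kdc and 'kdc' not in stanza:
            findings.append(f'[realms] {name}: dns_lookup_kdc is false but no kdc line')
    # Every [domain_realm] mapping must name a realm that has a stanza.
    for domain, target in conf.get('domain_realm', {}).items():
        if target not in realms:
            findings.append(f'[domain_realm] maps {domain} to undefined realm {target}')
    return findings


def kdc_endpoints(conf, realm=None):
    """Distinct (host, port) pairs from the realm's kdc/master_kdc lines;
    the port defaults to 88 when a line gives only a host."""
    realm = realm or conf.get('libdefaults', {}).get('default_realm')
    stanza = conf.get('realms', {}).get(realm, {})
    out = []
    for key in ('kdc', 'master_kdc'):
        value = stanza.get(key)
        if value:
            host, sep, port = value.rpartition(':')
            endpoint = (host, int(port)) if sep and port.isdigit() else (value, 88)
            if endpoint not in out:
                out.append(endpoint)
    return out


def probe_kdc(host, port, timeout=3.0):
    """True if a TCP connection to the KDC port succeeds. A name the client
    cannot resolve, or a port the proxy does not pass, shows up as False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Usage: `check_krb5_conf(open(path).read())` on the file named by KRB5_CONFIG, then `probe_kdc(host, port)` for each pair returned by `kdc_endpoints(parse_krb5_conf(...))`. A configuration that passes the first check but fails the probe is the situation in the thread: the file is fine, the client simply has no route to port 88, and the remedy is a tunnel or a direct route, not a krb5.conf edit. The probe is TCP only; MIT clients also use UDP 88, so a True result means the path exists, not that UDP is open as well.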