On Tue, 10-11-2015 at 16:15 -0700, Randolph Morgan wrote:
> Yes they are in the same DNS domain as the IPA server. I am able to
> resolve the server address. Which side would you like more information
> on, the server side or the client side? We are not running any AD
> domains, so this is not a Windows based system. We are running FreeIPA
> 4.2+ on RHEL 7.1 using the stock Samba from RHEL. On the client side I
> am running Windows 10 and I have installed MIT Kerberos version 4.01.
> In the MIT ticket manager I show a TGT and it works as it should. But
> from the command prompt in Windows if I do a klist it reports:
>
> Current LogonId is 0:0x6320a
>
> Cached Tickets: (0)
>
> So even though MIT Kerberos shows a successful negotiation with IPA and
> a ticket is received, Windows reports back the above when a klist is
> run.

I think that is the problem, you shouldn't use MIT Kerberos. The commands
listed on the howto:

1. ksetup /setdomain [REALM NAME]
2. ksetup /addkdc [REALM NAME] [kdc DNS name]
3. ksetup /addkpasswd [REALM NAME] [kdc DNS name]
4. ksetup /setcomputerpassword [MACHINE_PASSWORD] (the one used above)
5. ksetup /mapuser * *

are meant to be run with the Windows native ksetup command. The native
Windows Kerberos libraries cannot see tickets obtained with MIT Kerberos.

Best regards

> What I am trying to do is get the two to talk to each other, but I
> have not had any success as of yet. I have edited the krb5.ini with the
> correct information, and rebooted the machine multiple times with no
> change. Any help here would be really appreciated, we are taking this
> system live over the weekend and would really love to have this part
> fixed.
>
> Randy
>
> Randy Morgan
> CSR
> Department of Chemistry and Biochemistry
> Brigham Young University
> 801-422-4100
>
> On 11/10/2015 3:50 PM, Loris Santamaria wrote:
> > On Tue, 10-11-2015 at 11:51 -0700, Randolph Morgan wrote:
> > > Ok, that makes sense, but could we not just create the host in the
> > > IPA UI as part of the DNS?
> > That isn't enough, the DNS object just maps to an IP address, you have
> > to create a "host" object with ipa host-add, that object is needed to
> > store the Kerberos principal and password for the host.
> >
> > > Also we seem to be having some difficulty with another part of the
> > > process, that is getting the Windows machines to even acknowledge
> > > that they have the ability to talk with the KDC. Following the
> > > commands yields only that the Windows machine is unable to locate
> > > the KDC, are we missing something? Is this one of the issues related
> > > to different versions of Kerberos, e.g. MIT vs Heimdal.
> > You should check for DNS inconsistencies first, are the Windows
> > machines in the same DNS domain as Windows? Can they resolve the
> > addresses of the IPA servers? If that doesn't help you should post
> > more details of your setup...
> >
> > Best regards
> >
> > > On 11/10/2015 11:32 AM, Loris Santamaria wrote:
> > > > On Tue, 10-11-2015 at 11:18 -0700, Randolph Morgan wrote:
> > > > > I am certain that everyone gets tired of answering the same
> > > > > questions over and over, so maybe an update to the documentation
> > > > > would be better. I am trying to get my Windows machines to
> > > > > authenticate against a FreeIPA server running IPA 4.2+ on RHEL 7.
> > > > > I have followed the documentation listed on
> > > > > https://www.freeipa.org/page/Windows_authentication_against_FreeIPA,
> > > > > but there seem to be a few steps missing.
> > > > >
> > > > > In the Configure FreeIPA section you are told to create a keytab
> > > > > for the Windows machine in question. After creating the keytab,
> > > > > what do you do with it? It jumps from creating the keytab to
> > > > > configuring Windows but does not say what to do with the keytab
> > > > > and the instructions never reference it again. Would someone
> > > > > please clarify this, and is this something we would need to do
> > > > > for each and every Windows machine on our network?
> > > > Note that the ipa-getkeytab command is called with the -P option,
> > > > so it asks for a password: that password is used as a password for
> > > > the machine principal and is stored in the directory.
> > > >
> > > > So no, the keytab is not really used anywhere else and can be
> > > > deleted. It is the act of generating it (with a known password)
> > > > that needs to be done for every Windows machine in the network.
> > > > Please use strong, random and different passwords for each Windows
> > > > machine in the network.

-- 
Loris Santamaria
linux user #70506
xmpp:lo...@lgs.com.ve
Links Global Services, C.A.
http://www.lgs.com.ve
Tel: 0286 952.06.87
Cel: 0414 095.00.10
sip:1...@lgs.com.ve
------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said a faster
horse" - Henry Ford
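The client-side procedure discussed in this thread, written out as an added example (not from the thread or from the FreeIPA project): the five ksetup steps run with the native Windows tool, preceded by the DNS check Loris asks for and followed by the native klist verification that exposes the MIT-vs-Windows ticket mismatch. EXAMPLE.COM and ipa.example.com are placeholder assumptions; the machine password must be the one given to ipa-getkeytab -P on the IPA server.

```powershell
#Requires -RunAsAdministrator
# Added example: join a standalone Windows client to a FreeIPA Kerberos realm
# with the native ksetup tool. Realm and KDC names below are placeholders.
param(
    [string]$Realm = 'EXAMPLE.COM',      # Kerberos realm, upper case (assumed)
    [string]$Kdc   = 'ipa.example.com'   # FQDN of the FreeIPA server (assumed)
)

# 1. DNS first: if the client cannot resolve the IPA server, ksetup settings
#    alone still end in "unable to locate the KDC", as seen in the thread.
try {
    $null = Resolve-DnsName -Name $Kdc -Type A -ErrorAction Stop
} catch {
    throw "Cannot resolve $Kdc from this client; fix DNS before continuing."
}

# 2. Machine password: the same strong, per-machine password that was typed
#    at the 'ipa-getkeytab -P' prompt for host/<this machine> on the server.
#    Prompted here so it does not end up in the shell history as an argument.
$secure = Read-Host -Prompt 'Machine password used with ipa-getkeytab -P' -AsSecureString
$machinePassword = [System.Net.NetworkCredential]::new('', $secure).Password

# 3. The ksetup steps from the howto, in order. Native Windows Kerberos does
#    not see tickets obtained by MIT Kerberos for Windows, so the MIT client
#    is not used at all here.
$steps = @(
    @('/setdomain', $Realm),
    @('/addkdc', $Realm, $Kdc),
    @('/addkpasswd', $Realm, $Kdc),
    @('/setcomputerpassword', $machinePassword),
    @('/mapuser', '*', '*')   # map every principal to the local account of the same name
)
foreach ($step in $steps) {
    & ksetup.exe @step
    if ($LASTEXITCODE -ne 0) {
        throw "ksetup $($step[0]) failed with exit code $LASTEXITCODE"
    }
}

# 4. Show what was stored, then explain the check that matters: after the
#    reboot and a logon as REALM\user, the *Windows* klist (not the MIT one)
#    must list cached tickets instead of the "Cached Tickets: (0)" from the thread.
ksetup.exe /dumpstate
Write-Host "Reboot, log on as $Realm\<user>, then run the native 'klist' and confirm it lists cached tickets."
```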
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project