Re: [Freeipa-users] Windows client authentication with OTP not supported
On Fri, 12 May 2017, Felix Chu wrote:
> Thanks for your info. So it means we cannot use FreeIPA server if we require MFA under Windows 2012? Because our environment is under PCI-DSS cert, PCI-DSS 3.2 has a new requirement forcing MFA on non-console access to servers. That's why we look for FreeIPA.

We do not even support the mode you are operating in -- we do not support using Windows machines as clients to FreeIPA, as clearly stated on the wiki page you have used to configure. OTP in Kerberos supportability in Windows is not related to FreeIPA.

-- 
/ Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Windows client authentication with OTP not supported
Thanks for your info. So it means we cannot use FreeIPA server if we require MFA under Windows 2012? Because our environment is under PCI-DSS cert, PCI-DSS 3.2 has a new requirement forcing MFA on non-console access to servers. That's why we look for FreeIPA.

-----Original Message-----
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Thursday, May 11, 2017 3:43 PM
To: Felix Chu
Cc: 'freeipa-users@redhat.com'
Subject: Re: [Freeipa-users] Windows client authentication with OTP not supported

On Thu, 11 May 2017, Felix Chu wrote:
> Hi, I would like to implement SSO for my Linux+Windows2012 machines with MFA.
>
> I have installed FreeIPA, it works well for my Linux client authentication with OTP enabled. However, for Windows client, I can only make it work with FreeIPA without OTP.
>
> The Windows machines are 2012 R2 without AD (workgroup only). When I login Windows using FreeIPA user accounts enabled with OTP, it shows "An unsupported preauthentication mechanism was presented to the Kerberos package", is that not supported? or something I configured wrong?

Windows does not support OTP in Kerberos the same way MIT Kerberos implements it.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Windows client authentication with OTP not supported
On Thu, 11 May 2017, Felix Chu wrote:
> Hi, I would like to implement SSO for my Linux+Windows2012 machines with MFA.
>
> I have installed FreeIPA, it works well for my Linux client authentication with OTP enabled. However, for Windows client, I can only make it work with FreeIPA without OTP.
>
> The Windows machines are 2012 R2 without AD (workgroup only). When I login Windows using FreeIPA user accounts enabled with OTP, it shows "An unsupported preauthentication mechanism was presented to the Kerberos package", is that not supported? or something I configured wrong?

Windows does not support OTP in Kerberos the same way MIT Kerberos implements it.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Windows client
On Wed, 19 Feb 2014, Mauricio Tavares wrote:
> When I added a windows 7 client (let's call it windows.lan.domain.com), I had to go manually enter the domain (in System Properties - Computer Name/Domain Changes - DNS Suffix and netbios computer name) even though ipconfig would report it properly. Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM instead of windows.lan.domain@domain.com. Does anyone know why? I know the realm and the domain names are not quite the same (domain has a lan in it), but should that matter?

Windows uses NetBIOS name$ as the machine name in TGT requests for the host. At this point we don't have means to correct this via IPA CLI. You need to use ldapmodify directly and add

krbprincipalname: windows$DOMAIN.COM
krbcanonicalname: HOST/windows.lan.domain@domain.com

to the host entry. KrbPrincipalName can have multiple values and if there are more than one, KrbCanonicalName should be set to the canonical version which is the original KrbPrincipalName in IPA.

> On an unrelated note, in http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it should be ksetup /addkpasswd not ksetup /addkpassword

Corrected, thanks!

-- 
/ Alexander Bokovoy

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Windows client
On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote:
> On Wed, 19 Feb 2014, Mauricio Tavares wrote:
> > When I added a windows 7 client (let's call it windows.lan.domain.com), I had to go manually enter the domain (in System Properties - Computer Name/Domain Changes - DNS Suffix and netbios computer name) even though ipconfig would report it properly. Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM instead of windows.lan.domain@domain.com. Does anyone know why? I know the realm and the domain names are not quite the same (domain has a lan in it), but should that matter?
>
> Windows uses NetBIOS name$ as the machine name in TGT requests for the host. At this point we don't have means to correct this via IPA CLI. You need to use ldapmodify directly and add
>
> krbprincipalname: windows$DOMAIN.COM
> krbcanonicalname: HOST/windows.lan.domain@domain.com

Note that 'host' here should be lower case.

Simo.

> to the host entry. KrbPrincipalName can have multiple values and if there are more than one, KrbCanonicalName should be set to the canonical version which is the original KrbPrincipalName in IPA.
>
> > On an unrelated note, in http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it should be ksetup /addkpasswd not ksetup /addkpassword
>
> Corrected, thanks!

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client
On 19.2.2014 19:44, Simo Sorce wrote:
> On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote:
> > On Wed, 19 Feb 2014, Mauricio Tavares wrote:
> > > When I added a windows 7 client (let's call it windows.lan.domain.com), I had to go manually enter the domain (in System Properties - Computer Name/Domain Changes - DNS Suffix and netbios computer name) even though ipconfig would report it properly. Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM instead of windows.lan.domain@domain.com. Does anyone know why? I know the realm and the domain names are not quite the same (domain has a lan in it), but should that matter?
> >
> > Windows uses NetBIOS name$ as the machine name in TGT requests for the host. At this point we don't have means to correct this via IPA CLI. You need to use ldapmodify directly and add
> >
> > krbprincipalname: windows$DOMAIN.COM
> > krbcanonicalname: HOST/windows.lan.domain@domain.com
>
> Note that 'host' here should be lower case.

...

And please note that http://www.freeipa.org/page/Windows_authentication_against_FreeIPA is an option of last resort. Please use real trust between AD and IPA whenever possible: http://www.freeipa.org/page/Trusts

Have a nice day!

Petr^2 Spacek

> > to the host entry. KrbPrincipalName can have multiple values and if there are more than one, KrbCanonicalName should be set to the canonical version which is the original KrbPrincipalName in IPA.
> >
> > > On an unrelated note, in http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it should be ksetup /addkpasswd not ksetup /addkpassword
> >
> > Corrected, thanks!
Re: [Freeipa-users] Windows client
On Wed, Feb 19, 2014 at 2:02 PM, Petr Spacek pspa...@redhat.com wrote:
> On 19.2.2014 19:44, Simo Sorce wrote:
> > On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote:
> > > On Wed, 19 Feb 2014, Mauricio Tavares wrote:
> > > > When I added a windows 7 client (let's call it windows.lan.domain.com), I had to go manually enter the domain (in System Properties - Computer Name/Domain Changes - DNS Suffix and netbios computer name) even though ipconfig would report it properly. Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM instead of windows.lan.domain@domain.com. Does anyone know why? I know the realm and the domain names are not quite the same (domain has a lan in it), but should that matter?
> > >
> > > Windows uses NetBIOS name$ as the machine name in TGT requests for the host. At this point we don't have means to correct this via IPA CLI. You need to use ldapmodify directly and add
> > >
> > > krbprincipalname: windows$DOMAIN.COM
> > > krbcanonicalname: HOST/windows.lan.domain@domain.com
> >
> > Note that 'host' here should be lower case.
>
> ...
>
> And please note that http://www.freeipa.org/page/Windows_authentication_against_FreeIPA is an option of last resort. Please use real trust between AD and IPA whenever possible: http://www.freeipa.org/page/Trusts

Would not having an AD server be eligible for the option of last resort?

> Have a nice day!
>
> Petr^2 Spacek
>
> > > to the host entry. KrbPrincipalName can have multiple values and if there are more than one, KrbCanonicalName should be set to the canonical version which is the original KrbPrincipalName in IPA.
> > >
> > > > On an unrelated note, in http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it should be ksetup /addkpasswd not ksetup /addkpassword
> > >
> > > Corrected, thanks!
Re: [Freeipa-users] Windows client
On 19.2.2014 20:10, Mauricio Tavares wrote:
> On Wed, Feb 19, 2014 at 2:02 PM, Petr Spacek pspa...@redhat.com wrote:
> > On 19.2.2014 19:44, Simo Sorce wrote:
> > > On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote:
> > > > On Wed, 19 Feb 2014, Mauricio Tavares wrote:
> > > > > When I added a windows 7 client (let's call it windows.lan.domain.com), I had to go manually enter the domain (in System Properties - Computer Name/Domain Changes - DNS Suffix and netbios computer name) even though ipconfig would report it properly. Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM instead of windows.lan.domain@domain.com. Does anyone know why? I know the realm and the domain names are not quite the same (domain has a lan in it), but should that matter?
> > > >
> > > > Windows uses NetBIOS name$ as the machine name in TGT requests for the host. At this point we don't have means to correct this via IPA CLI. You need to use ldapmodify directly and add
> > > >
> > > > krbprincipalname: windows$DOMAIN.COM
> > > > krbcanonicalname: HOST/windows.lan.domain@domain.com
> > >
> > > Note that 'host' here should be lower case.
> >
> > ...
> >
> > And please note that http://www.freeipa.org/page/Windows_authentication_against_FreeIPA is an option of last resort. Please use real trust between AD and IPA whenever possible: http://www.freeipa.org/page/Trusts
>
> Would not having an AD server be eligible for the option of last resort?

Sure, when Samba 4 has an ability to create trust with IPA :-)

Seriously, if you have a non-trivial network with Windows clients you really need something for managing them - most likely AD or Samba 4. Unfortunately, Samba 4 is not able to create trust with IPA right now.

Petr^2 Spacek

> > Have a nice day!
> >
> > Petr^2 Spacek
> >
> > > > to the host entry. KrbPrincipalName can have multiple values and if there are more than one, KrbCanonicalName should be set to the canonical version which is the original KrbPrincipalName in IPA.
> > > >
> > > > > On an unrelated note, in http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it should be ksetup /addkpasswd not ksetup /addkpassword
> > > >
> > > > Corrected, thanks!

-- 
Petr^2 Spacek
Re: [Freeipa-users] Windows client logon
On Mon, 2011-09-19 at 10:10 -0400, Jimmy wrote:
> I have verified that the password set for the workstation in the kerberos host principal (using ipa-getkeytab) and the password on the host (using ksetup) are the same. I'm still getting the Decrypt integrity check failed errors. I have also verified that the system clock is accurate on both the KDC and the workstation. What else could be causing this? As I have said, this system authenticates flawlessly against other KDC's I have set up.

The thing that is failing is your user password does not check with what the KDC thinks is the user's secret. You are not yet to the stage where the machine password is tried.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client logon
On Mon, 2011-09-19 at 10:58 -0400, Jimmy wrote:
> I think you're on to something here. I just reset the user's password on IPA and get the password expired message but I get that regardless of what I enter for the user's password. I'm confused as to why I can make the user auth work with a normal KDC but I'm having so much trouble with IPA-KDC. Going to wipe the Win7 config and start fresh on that system.

Not sure why you are having trouble, the KDC component of IPA is a stock MIT KDC with LDAP backend.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client logon
I have a WinXP client configured to authenticate now but it looks like FreeIPA is sending the ticket encrypted with AES and XP does not support AES. The user is getting authenticated, just not able to decrypt the ticket.

Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for krbtgt/pdh@pdh.csp
Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for host/crm1.pdh@pdh.csp

On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce s...@redhat.com wrote:
> On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote:
> > Once I changed the password for 'admin' I now get this error on the windows system: Insufficient system resources exist to complete the requested service and get this in the log no matter if I use the correct (changed) password or if I use a known bad password:
> >
> > Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: ad...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
> >
> > I even deleted the user and all associated profile information on the windows system and still it won't work any more.
>
> Ok somehow we generate a key the windows client doesn't like or know how to work with. While MIT's clients are just fine with.
>
> The way we generate keys is by setting a special random seed that is handed back to the client when the preauth error is generated, perhaps Windows is not liking what it sees ?
>
> Any chance you can try with an older client, I wonder if it is a regression in win7 ?
>
> Simo.
>
> -- 
> Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client logon
I wonder if changing the defaults to exclude the use of AES would help in your case. Not ideal, but apparently something funny is going on there.

Simo.

On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote:
> I have a WinXP client configured to authenticate now but it looks like FreeIPA is sending the ticket encrypted with AES and XP does not support AES. The user is getting authenticated, just not able to decrypt the ticket.
>
> Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
> Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for krbtgt/pdh@pdh.csp
> Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for host/crm1.pdh@pdh.csp
>
> On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce s...@redhat.com wrote:
> > On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote:
> > > Once I changed the password for 'admin' I now get this error on the windows system: Insufficient system resources exist to complete the requested service and get this in the log no matter if I use the correct (changed) password or if I use a known bad password:
> > >
> > > Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: ad...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
> > >
> > > I even deleted the user and all associated profile information on the windows system and still it won't work any more.
> >
> > Ok somehow we generate a key the windows client doesn't like or know how to work with. While MIT's clients are just fine with.
> >
> > The way we generate keys is by setting a special random seed that is handed back to the client when the preauth error is generated, perhaps Windows is not liking what it sees ?
> >
> > Any chance you can try with an older client, I wonder if it is a regression in win7 ?
> >
> > Simo.
> >
> > -- 
> > Simo Sorce * Red Hat, Inc * New York

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client logon
What error exactly do you get on the client side ?

Simo.

On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote:
> I have a WinXP client configured to authenticate now but it looks like FreeIPA is sending the ticket encrypted with AES and XP does not support AES. The user is getting authenticated, just not able to decrypt the ticket.
>
> Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
> Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for krbtgt/pdh@pdh.csp
> Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for host/crm1.pdh@pdh.csp
>
> On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce s...@redhat.com wrote:
> > On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote:
> > > Once I changed the password for 'admin' I now get this error on the windows system: Insufficient system resources exist to complete the requested service and get this in the log no matter if I use the correct (changed) password or if I use a known bad password:
> > >
> > > Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: ad...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
> > >
> > > I even deleted the user and all associated profile information on the windows system and still it won't work any more.
> >
> > Ok somehow we generate a key the windows client doesn't like or know how to work with. While MIT's clients are just fine with.
> >
> > The way we generate keys is by setting a special random seed that is handed back to the client when the preauth error is generated, perhaps Windows is not liking what it sees ?
> >
> > Any chance you can try with an older client, I wonder if it is a regression in win7 ?
> >
> > Simo.
> >
> > -- 
> > Simo Sorce * Red Hat, Inc * New York

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client logon
Ah stupid me, when using Windows XP you must generate a keytab that does not use the AES enctype. If you include the AES enctype when generating keys for the host, you are telling the KDC that the host knows how to use AES.

You should probably just use arcfour only for WinXP as that client only understands RC4 and DES, and DES is not worth using.

Simo.

On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote:
> I have a WinXP client configured to authenticate now but it looks like FreeIPA is sending the ticket encrypted with AES and XP does not support AES. The user is getting authenticated, just not able to decrypt the ticket.
>
> Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
> Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for krbtgt/pdh@pdh.csp
> Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for host/crm1.pdh@pdh.csp
>
> On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce s...@redhat.com wrote:
> > On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote:
> > > Once I changed the password for 'admin' I now get this error on the windows system: Insufficient system resources exist to complete the requested service and get this in the log no matter if I use the correct (changed) password or if I use a known bad password:
> > >
> > > Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: ad...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
> > >
> > > I even deleted the user and all associated profile information on the windows system and still it won't work any more.
> >
> > Ok somehow we generate a key the windows client doesn't like or know how to work with. While MIT's clients are just fine with.
> >
> > The way we generate keys is by setting a special random seed that is handed back to the client when the preauth error is generated, perhaps Windows is not liking what it sees ?
> >
> > Any chance you can try with an older client, I wonder if it is a regression in win7 ?
> >
> > Simo.
> >
> > -- 
> > Simo Sorce * Red Hat, Inc * New York

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client logon
According to this: http://mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Supported-Encryption-Types.html there are a ton of encryption options that XP does support, but I always get this error if I define anything specific in the keytab:

Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316462970, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for krbtgt/pdh@pdh.csp
Sep 19 20:09:31 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: BAD_ENCRYPTION_TYPE: authtime 0, o...@pdh.csp for host/crm1.pdh@pdh.csp, KDC has no support for encryption type

There is a fix for Win7. I have a technet article I will post the link as soon as I can.

I had the Win7 system working with the freeipa 'admin' user before I changed the admin user password, now it's broken. The MIT KFW client can authenticate and get a ticket, but I need to get the native windows authentication working.

Thanks
Re: [Freeipa-users] Windows client logon
On Mon, 2011-09-19 at 16:17 -0400, Jimmy wrote:
> According to this: http://mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Supported-Encryption-Types.html there are a ton of encryption options that XP does support, but I always get this error if I define anything specific in the keytab:

I know for a fact that stock WinXP supports only RC4 and DES, no 3DES nor AES support there. If you create the host keytab with only RC4 you should be able to make WinXP happy.

> Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
> Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316462970, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for krbtgt/pdh@pdh.csp
> Sep 19 20:09:31 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: BAD_ENCRYPTION_TYPE: authtime 0, o...@pdh.csp for host/crm1.pdh@pdh.csp, KDC has no support for encryption type
>
> There is a fix for Win7. I have a technet article I will post the link as soon as I can.

Yes please let me know the link, I will try to investigate any Win7/W2K8 issues with AES and random salts asap, but not this week probably.

> I had the Win7 system working with the freeipa 'admin' user before I changed the admin user password, now it's broken. The MIT KFW client can authenticate and get a ticket, but I need to get the native windows authentication working.

Understood. If AES is the issue, you could reconfigure FreeIPA to not allow AES, not ideal, but it would be the fastest solution. Although it will probably require also to change all passwords.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
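A small triage script for the krb5kdc.log patterns that run through this thread, added here as an example and not part of the original posts or of FreeIPA: it decodes the enctype numbers, flags a TGS_REQ whose ticket enctype the requesting client never offered (the WinXP host-keytab-with-AES case Simo diagnoses above), BAD_ENCRYPTION_TYPE, and the "Decrypt integrity check failed" preauth failures from Jimmy's earlier Win7 posts, and lists clients that never offer AES. The sample lines are the ones Jimmy posted; the labels for the negative Microsoft enctypes come from Heimdal's enctype table, not from the thread.

```python
import re

# Enctype numbers as krb5kdc.log prints them: positive values are IANA Kerberos
# enctypes, negative ones legacy Microsoft RC4 variants advertised by Windows
# XP-era clients (labels taken from Heimdal's table, not from the thread).
ENCTYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac", 24: "arcfour-hmac-exp",
    -128: "rc4-md4 (legacy MS)", -133: "rc4-hmac-old (legacy MS)",
    -135: "rc4-hmac-old-exp (legacy MS)",
}
AES_ETYPES = {17, 18}

# Prefix shared by AS_REQ/TGS_REQ lines: timestamp, KDC host, request kind,
# enctypes the client offered, client address, and the KDC's verdict.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) krb5kdc\[\d+\]\(info\): "
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[-\d ]+)\}\) "
    r"(?P<client_ip>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# ISSUE lines: rep = reply (client's key), tkt = ticket (the *service's* key).
ISSUE_RE = re.compile(
    r"etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, "
    r"(?P<client>\S+) for (?P<server>\S+)"
)
FAIL_RE = re.compile(r"(?P<client>\S+) for (?P<server>\S+), (?P<reason>.*)$")


def parse_line(line):
    """Parse one AS_REQ/TGS_REQ line into a dict; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["offered"] = [int(x) for x in rec["offered"].split()]
    rest = rec.pop("rest")
    rec.update(rep=None, tkt=None, ses=None, client=None, server=None, reason=None)
    sub = (ISSUE_RE if rec["status"] == "ISSUE" else FAIL_RE).search(rest)
    if sub:
        rec.update({k: int(v) if k in ("rep", "tkt", "ses") else v
                    for k, v in sub.groupdict().items()})
    return rec


def analyze(lines):
    """Flag the three failure signatures seen in the thread: a TGS_REQ answered
    with a ticket in an enctype the client never offered (the WinXP case: host
    keytab created with AES keys, client can only do RC4), BAD_ENCRYPTION_TYPE
    (no service key in any enctype the client offered) and PREAUTH_FAILED with
    "Decrypt integrity check failed" (user key mismatch; host key never tried)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        offered = [ENCTYPES.get(e, e) for e in rec["offered"]]
        if (rec["status"] == "ISSUE" and rec["kind"] == "TGS_REQ"
                and rec["tkt"] not in rec["offered"]):
            findings.append({"check": "service_key_client_cannot_use",
                             "client_ip": rec["client_ip"], "server": rec["server"],
                             "tkt": ENCTYPES.get(rec["tkt"], rec["tkt"]), "offered": offered})
        elif rec["status"] == "BAD_ENCRYPTION_TYPE":
            findings.append({"check": "no_common_enctype", "client_ip": rec["client_ip"],
                             "server": rec["server"], "offered": offered})
        elif (rec["status"] == "PREAUTH_FAILED"
                and "Decrypt integrity check failed" in (rec["reason"] or "")):
            findings.append({"check": "preauth_key_mismatch",
                             "client_ip": rec["client_ip"], "client": rec["client"]})
    return findings


def clients_without_aes(lines):
    """Client addresses whose initial AS_REQ never offered AES (RC4/DES-only hosts)."""
    seen, with_aes = set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["kind"] == "AS_REQ" and rec["status"] == "NEEDED_PREAUTH":
            seen.add(rec["client_ip"])
            if AES_ETYPES & set(rec["offered"]):
                with_aes.add(rec["client_ip"])
    return seen - with_aes


# Log lines quoted from Jimmy's posts in this thread: the WinXP client at
# 192.168.201.150 and the Win7 client at 192.168.201.9.
SAMPLE_LOG = """\
Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
Sep 19 20:09:31 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: BAD_ENCRYPTION_TYPE: authtime 0, o...@pdh.csp for host/crm1.pdh@pdh.csp, KDC has no support for encryption type
Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for host/crm1.pdh@pdh.csp
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh@pdh.csp, Decrypt integrity check failed
"""

if __name__ == "__main__":
    print(*analyze(SAMPLE_LOG.splitlines()), sep="\n")
    print("clients without AES:", sorted(clients_without_aes(SAMPLE_LOG.splitlines())))
```

The TGS_REQ check is a heuristic for the workstation-logon case in this thread, where the requesting client and the `host/` service are the same machine; for a service on another host a ticket enctype the client cannot use is normal.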
Re: [Freeipa-users] Windows client logon
You are correct. As soon as I set the WinXP machine to arcfour-hmac it's working to authenticate all users against the FreeIPA realm. I just went into gpedit.msc on the Win7 system and set it to only do rc4-hmac-md5 and maybe that will fix it, too.
Re: [Freeipa-users] Windows client logon
That fixed Win7. Now I'm going to enable AES on Win7 to see if it breaks again.

On Mon, Sep 19, 2011 at 4:44 PM, Jimmy g17ji...@gmail.com wrote:
> You are correct. As soon as I set the WinXP machine to arcfour-hmac it's working to authenticate all users against the FreeIPA realm. I just went into gpedit.msc on the Win7 system and set it to only do rc4-hmac-md5 and maybe that will fix it, too.
Re: [Freeipa-users] Windows client logon
I can't find the technet article right now, but here's what I did that makes Win7 work. Run gpedit.msc. Under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options open the key called "Network Security: Configure encryption types allowed for Kerberos", unselect everything except RC4_HMAC_MD5 and reboot. Step by step instructions below.

AES worked at first for me but that was only for the IPA user `admin` and even that broke after I changed the `admin` password using the windows change password dialog. I will be submitting that tracefile and log to MS to see what might be happening.

On FreeIPA:
i. create the host principal in the web interface
ii. create IPA users to correspond to windows users
iii. reset the user's IPA password to a known password using the web interface, the user will be prompted to change at first log in. (is there a default password or is this random? sorry if that's somewhere else in docs and I missed it)
iv. on the IPA server run `ipa-getkeytab -s [kdc DNS name] -p host/[machine-name] -e arcfour-hmac -k krb5.keytab.[machine-name] -P`

Configure windows ksetup:
i. ksetup /setdomain [REALM NAME]
ii. ksetup /addkdc [REALM NAME] [kdc DNS name]
iii. ksetup /addkpassword [REALM NAME] [kdc DNS name]
iv. ksetup /setcomputerpassword [PASSWORD]
v. ksetup /mapuser * *
vi. Run gpedit.msc. Under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options open the key called "Network Security: Configure encryption types allowed for Kerberos", unselect everything except RC4_HMAC_MD5
vii. *** REBOOT ***
viii. log in as [user]@[REALM] with the initial password, you will be prompted to change the password then logged in.
Re: [Freeipa-users] Windows client logon
I tried that but still cannot successfully log in as a IPA user. The same system can be configured as a Kerberos client (non-IPA) defined in MIT Kerberos, and authenticate against MIT Kerberos. The system uses AES when authenticating to MIT Kerberos so those are the only encryption types I defined manually. In the network trace for this transaction I see the error KRB_AP_ERR_BAD_INTEGRITY (31)

Commands used (different iterations):

ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P [entering into the main keytab /etc/krb5.keytab]
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P [entering into a new keytab krb5.keytab.sys1]
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P

Log entries:

Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh@pdh.csp, Decrypt integrity check failed
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh@pdh.csp, Decrypt integrity check failed
Re: [Freeipa-users] Windows client logon
On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P [entering into the main keytab /etc/krb5.keytab]
> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P [entering into a new keytab krb5.keytab.sys1]
> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P

This is not how it works. You must define all types in one single go. Every time you invoke ipa-getkeytab for a principal you are discarding any previous key in the KDC, and only the last one is available.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client logon
When I do not specify the encryption type it does put them all in in a single go. I was just attempting to eliminate the other types in case that was creating a problem. The system defaults to type 0x18 (aes256-cts-hmac-sha1-96). Thanks for your help on this.

    [root@csp-idm etc]# klist -kte krb5.keytab.sys1
    Keytab name: WRFILE:krb5.keytab.sys1
    KVNO Timestamp         Principal
    ---- ----------------- ------------------------------------------------------
       6 09/16/11 13:40:03 host/ews1-cybsec.pdh@pdh.csp (aes256-cts-hmac-sha1-96)
       6 09/16/11 13:40:03 host/ews1-cybsec.pdh@pdh.csp (aes128-cts-hmac-sha1-96)
       6 09/16/11 13:40:04 host/ews1-cybsec.pdh@pdh.csp (des3-cbc-sha1)
       6 09/16/11 13:40:04 host/ews1-cybsec.pdh@pdh.csp (arcfour-hmac)

On Fri, Sep 16, 2011 at 9:35 AM, Simo Sorce s...@redhat.com wrote:
> On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P [entering into the main keytab /etc/krb5.keytab]
>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P [entering into a new keytab krb5.keytab.sys1]
>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>
> This is not how it works. You must define all types in one single go. Every time you invoke ipa-getkeytab for a principal you are discarding any previous key in the KDC, and only the last one is available.
>
> Simo.
>
> -- 
> Simo Sorce * Red Hat, Inc * New York
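Simo's point (repeated ipa-getkeytab runs leave the KDC with only the key set from the last run) and the klist output above suggest a quick audit to do before touching the Windows side: parse `klist -kte`, and for every principal check which KVNO is current and which enctypes that KVNO carries. The script below is an added example, not code from the thread or from the FreeIPA project. The sample output it parses is constructed in the same layout as the listing above, with made-up host names and realm: one healthy host with a single KVNO holding every enctype, and a second host showing what two single-enctype runs leave behind. The one-shot ipa-getkeytab invocation in the comment assumes the comma-separated form of the -e option.

```python
import re
from collections import defaultdict

# Constructed `klist -kte` output in the layout shown in the thread.  The
# host names and realm are made up.  host/ews1.example.test is the healthy
# case (one KVNO carrying every enctype); host/ews2.example.test is what
# several single-enctype ipa-getkeytab runs leave behind: each run bumps the
# KVNO, and the KDC only holds the key(s) written by the last run.
SAMPLE_KLIST = """\
Keytab name: WRFILE:krb5.keytab.sys1
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   6 09/16/11 13:40:03 host/ews1.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   6 09/16/11 13:40:03 host/ews1.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
   6 09/16/11 13:40:04 host/ews1.example.test@EXAMPLE.TEST (des3-cbc-sha1)
   6 09/16/11 13:40:04 host/ews1.example.test@EXAMPLE.TEST (arcfour-hmac)
   3 09/16/11 13:51:12 host/ews2.example.test@EXAMPLE.TEST (aes256-cts-hmac-sha1-96)
   4 09/16/11 13:52:40 host/ews2.example.test@EXAMPLE.TEST (aes128-cts-hmac-sha1-96)
"""

# The fix for the ews2 case is one invocation carrying every wanted enctype
# (assumed here: -e takes a comma-separated list), for example:
#   ipa-getkeytab -s idm.example.test -p host/ews2.example.test \
#       -e aes256-cts,aes128-cts -k /etc/krb5.keytab -P

ENTRY_RE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<ts>\S+\s+\S+)\s+(?P<princ>\S+?)\s*\((?P<etype>[^)]+)\)\s*$")

REQUIRED_ETYPES = ("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96")
LEGACY_ETYPES = {"des3-cbc-sha1", "arcfour-hmac", "des-cbc-crc", "des-cbc-md5"}


def parse_klist(text):
    """Yield (kvno, principal, enctype) for each key entry in `klist -kte` output."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield int(m["kvno"]), m["princ"], m["etype"]


def audit_keytab(text, required=REQUIRED_ETYPES):
    """Per principal: the live KVNO, its enctypes, findings that block logon, and notes."""
    keys = defaultdict(lambda: defaultdict(set))      # principal -> kvno -> {enctype}
    for kvno, princ, etype in parse_klist(text):
        keys[princ][kvno].add(etype)

    report = {}
    for princ, by_kvno in keys.items():
        latest = max(by_kvno)
        current = by_kvno[latest]
        findings = []
        stale = sorted(k for k in by_kvno if k != latest)
        if stale:
            # More than one KVNO in the file means the keytab was regenerated;
            # only the newest key set still exists on the KDC.
            findings.append("stale KVNO(s) %s in keytab: only KVNO %d is live on the KDC"
                            % (stale, latest))
        missing = [e for e in required if e not in current]
        if missing:
            findings.append("KVNO %d is missing %s: regenerate once with every enctype in a single -e list"
                            % (latest, ", ".join(missing)))
        report[princ] = {
            "latest_kvno": latest,
            "enctypes": sorted(current),
            "findings": findings,
            "notes": sorted(current & LEGACY_ETYPES),   # weak enctypes still present
        }
    return report


if __name__ == "__main__":
    for princ, r in audit_keytab(SAMPLE_KLIST).items():
        print(princ, "kvno", r["latest_kvno"], r["enctypes"])
        for f in r["findings"]:
            print("  FINDING:", f)
        if r["notes"]:
            print("  note: legacy enctypes", r["notes"])
```

Run against a real file with `klist -kte /etc/krb5.keytab | python3 audit.py` after swapping the sample for `sys.stdin.read()`; an empty findings list for the host principal is the state to reach before debugging the Windows client further, and the legacy list is a reminder that the DES and RC4 keys written by default are still usable by a client that negotiates them.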
Re: [Freeipa-users] Windows client logon
This was installed using yum. I need to be able to authenticate users against Kerberos from a Windows client machine and it fails at login saying the username/password is incorrect. The krb5kdc.log shows:

    Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
    Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
    Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh@pdh.csp, Decrypt integrity check failed
    Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
    Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh@pdh.csp, Decrypt integrity check failed

I know the user's password I'm using is correct because I can kinit with that username/password on the IPA server. I used ipa-getkeytab to set the machine password, but I'm not sure that it's doing what I would normally do in a stand-alone MIT Kerberos server using kadmin. Using ksetup on the Windows 7 client I can reconfigure for a couple of different realms and authentication works just fine, but I'm missing something in the IPA config that would allow the same authentication.

Thanks,
Jimmy

On Fri, Sep 16, 2011 at 4:45 PM, Dmitri Pal d...@redhat.com wrote:
> On 09/16/2011 02:26 PM, Jimmy wrote:
>> I can create a keytab using ipa-getkeytab for any entity, say for instance a user, and store a password in the keytab, but as soon as the user attempts to kinit with the set password it expires and must be changed.
>
> Is this happening with the host (workstation) entities? Are you using the latest hand-built IPA from the master? There is a bug about passwords being expired. A more stable version is available from Fedora if you are using Fedora, or from the 2.1 branch.
>
>> On Fri, Sep 16, 2011 at 9:44 AM, Jimmy g17ji...@gmail.com wrote:
>>> When I do not specify the encryption type it does put them all in in a single go. I was just attempting to eliminate the other types in case that was creating a problem. The system defaults to type 0x18 (aes256-cts-hmac-sha1-96). Thanks for your help on this.
>>>
>>> [root@csp-idm etc]# klist -kte krb5.keytab.sys1
>>> Keytab name: WRFILE:krb5.keytab.sys1
>>> KVNO Timestamp         Principal
>>> ---- ----------------- ------------------------------------------------------
>>>    6 09/16/11 13:40:03 host/ews1-cybsec.pdh@pdh.csp (aes256-cts-hmac-sha1-96)
>>>    6 09/16/11 13:40:03 host/ews1-cybsec.pdh@pdh.csp (aes128-cts-hmac-sha1-96)
>>>    6 09/16/11 13:40:04 host/ews1-cybsec.pdh@pdh.csp (des3-cbc-sha1)
>>>    6 09/16/11 13:40:04 host/ews1-cybsec.pdh@pdh.csp (arcfour-hmac)
>>>
>>> On Fri, Sep 16, 2011 at 9:35 AM, Simo Sorce s...@redhat.com wrote:
>>>> On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
>>>>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P [entering into the main keytab /etc/krb5.keytab]
>>>>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P [entering into a new keytab krb5.keytab.sys1]
>>>>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
>>>>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
>>>>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>>>>> ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>>>>
>>>> This is not how it works. You must define all types in one single go. Every time you invoke ipa-getkeytab for a principal you are discarding any previous key in the KDC, and only the last one is available.
>>>>
>>>> Simo.
>>>>
>>>> -- 
>>>> Simo Sorce * Red Hat, Inc * New York
>
> -- 
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
> ---
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Windows client logon
On Fri, 2011-09-16 at 17:24 -0400, Jimmy wrote:
> This was installed using yum. I need to be able to authenticate users against Kerberos from a Windows client machine and it fails at login saying the username/password is incorrect. The krb5kdc.log shows:
>
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication required
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh@pdh.csp, Decrypt integrity check failed
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh@pdh.csp, Decrypt integrity check failed

These logs say that either the password is wrong, or the clock on your Windows client is way off (more than 5 min. skew) wrt the IPA server.

> I know the user's password I'm using is correct because I can kinit with that username/password on the IPA server. I used ipa-getkeytab to set the machine password, but I'm not sure that it's doing what I would normally do in a stand-alone MIT Kerberos server using kadmin. Using ksetup on the Windows 7 client I can reconfigure for a couple of different realms and authentication works just fine, but I'm missing something in the IPA config that would allow the same authentication.

The reason to have a password (Windows) or a keytab (Unix) for the machine is to be able to validate the account against a possible rogue KDC+attacker pair at the login prompt. But you are not even getting to the validation step, as you are failing to get a TGT for the user in the first place.

If the user password is right and your FreeIPA REALM name is indeed PDH.CSP then it is probably clock skew.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
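Simo's reading of the KDC log (either a wrong password or a client clock that is too far off) can be turned into a small triage script for krb5kdc.log, which is what an operator wants when a Windows logon fails with nothing more than "username/password is incorrect" on the client side. The script below is an added example, not code from the thread or from the FreeIPA project. It groups AS_REQ lines per client address and principal and maps the MIT KDC's failure text to a verdict: "Decrypt integrity check failed" means the encrypted timestamp the client sent did not decrypt with the key the KDC holds for that principal (a password or key mismatch), while a client whose clock is outside the permitted skew is logged as "Clock skew too great". It also lists the DES and RC4 enctypes the client advertised, which the thread's Windows client does. The sample log is constructed in the format of the lines quoted above, with made-up host, realm, principals and addresses; the skew line and the successful ISSUE line are added for contrast, and the Microsoft-specific etype -135 is left as a number.

```python
import re
from collections import Counter

# Constructed sample in the format of the krb5kdc.log lines quoted in the
# thread (hostnames, realm, principals and addresses are made up here).
# The first five lines mirror the failing Windows logon from the thread;
# the last two are added to show a clock-skew failure and a successful
# ticket issue for comparison.
SAMPLE_LOG = """\
Sep 16 20:53:32 idm.example.test krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.0.2.9: NEEDED_PREAUTH: jimmy@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Additional pre-authentication required
Sep 16 20:53:32 idm.example.test krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 16 20:53:32 idm.example.test krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.0.2.9: PREAUTH_FAILED: jimmy@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
Sep 16 20:53:32 idm.example.test krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 16 20:53:32 idm.example.test krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.0.2.9: PREAUTH_FAILED: jimmy@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Decrypt integrity check failed
Sep 16 20:55:10 idm.example.test krb5kdc[1227](info): AS_REQ (2 etypes {18 17}) 192.0.2.20: PREAUTH_FAILED: alice@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Clock skew too great
Sep 16 20:56:00 idm.example.test krb5kdc[1227](info): AS_REQ (2 etypes {18 17}) 192.0.2.21: ISSUE: authtime 1316206560, etypes {rep=18 tkt=18 ses=18}, bob@EXAMPLE.TEST for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

AS_REQ_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) (?P<client>\S+): "
    r"(?P<status>\w+): (?P<rest>.*)$")
PRINC_RE = re.compile(r"(?P<princ>\S+) for (?P<server>[^,\s]+)(?:, (?P<reason>.*))?$")

# What each KDC failure string means for the operator.  The first is what the
# thread shows: the PA-ENC-TIMESTAMP did not decrypt, so the key the client
# derived from the password is not the key the KDC holds for the principal.
REASON_VERDICT = {
    "Decrypt integrity check failed": "KEY_MISMATCH",
    "Clock skew too great": "CLOCK_SKEW",
}
# DES and RC4 etypes a client should not still be offering.
LEGACY_ETYPES = {1, 3, 23, 24}


def parse_as_req(line):
    """Return a dict for an AS_REQ log line, or None for any other line."""
    m = AS_REQ_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    p = PRINC_RE.search(rec.pop("rest"))
    if not p:
        return None
    rec.update(p.groupdict())
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    return rec


def triage(log_text):
    """Group AS_REQ outcomes per (client address, principal) and attach verdicts."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_as_req(line)
        if rec is None:
            continue  # the "preauth (timestamp) verify failure" lines only repeat the reason
        key = (rec["client"], rec["princ"])
        s = summary.setdefault(key, {
            "needed_preauth": 0, "failed": 0, "issued": 0,
            "reasons": Counter(), "etypes": set(), "verdicts": set(),
        })
        s["etypes"].update(rec["etypes"])
        if rec["status"] == "NEEDED_PREAUTH":
            s["needed_preauth"] += 1      # normal first round trip, not an error
        elif rec["status"] == "PREAUTH_FAILED":
            s["failed"] += 1
            s["reasons"][rec["reason"]] += 1
            s["verdicts"].add(REASON_VERDICT.get(rec["reason"], "OTHER"))
        elif rec["status"] == "ISSUE":
            s["issued"] += 1
    for s in summary.values():
        s["legacy_etypes"] = sorted(s["etypes"] & LEGACY_ETYPES)
    return summary


if __name__ == "__main__":
    for (client, princ), s in triage(SAMPLE_LOG).items():
        print(f"{client:>12} {princ:<20} failed={s['failed']} issued={s['issued']} "
              f"verdicts={sorted(s['verdicts'])} legacy_etypes={s['legacy_etypes']}")
```

A KEY_MISMATCH verdict for a user who can kinit on the IPA server itself, as in the thread, points at the client side of the key derivation rather than at the password; a CLOCK_SKEW verdict is settled by checking the client's time against the KDC before anything else.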
Re: [Freeipa-users] Windows client logon
I'm still working on this... I was reading this post in the archives:

http://www.mail-archive.com/freeipa-users@redhat.com/msg02049.html

Dmitri's statement "There might be some MIT documentation about how to join a Windows machine to MIT KDC. If this can be done I am sure the same can be done with IPA." should be true, but for the Windows system to use authentication I have to be able to set the host password in Kerberos. There doesn't seem to be a way to do that in the FreeIPA interface. I would normally do that in kadmin if working directly in Kerberos, but that's not possible either.

*IS* there a way to set the host password so that machines can provide user authentication for a Windows client?
Re: [Freeipa-users] Windows client logon
On Thu, 2011-09-15 at 17:51 -0400, Jimmy wrote:
> I'm still working on this... I was reading this post in the archives:
>
> http://www.mail-archive.com/freeipa-users@redhat.com/msg02049.html
>
> Dmitri's statement "There might be some MIT documentation about how to join a Windows machine to MIT KDC. If this can be done I am sure the same can be done with IPA." should be true, but for the Windows system to use authentication I have to be able to set the host password in Kerberos. There doesn't seem to be a way to do that in the FreeIPA interface. I would normally do that in kadmin if working directly in Kerberos, but that's not possible either.
>
> *IS* there a way to set the host password so that machines can provide user authentication for a Windows client?

Use ipa-getkeytab with the -P option to specify a 'password' to use to generate the keys instead of letting it generate a random password.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-users] Windows client logon
Just curious about this: the guide that we both refer to provides instructions for Windows client authentication, but this page indicates that FreeIPA doesn't support Windows clients:

http://elladeon.fedorapeople.org/ipa/guide/Using_Microsoft_Windows.html

Which is correct?

On Tue, Sep 13, 2011 at 4:08 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Jimmy wrote:
>> I'm setting up a WinXP system to authenticate to FreeIPA. I followed the directions listed here:
>>
>> http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step
>>
>> I created the host account in FreeIPA, and the user, and I do get prompted to change the initial password (and it seems to work), but as soon as the password is changed (or on subsequent login attempts) I get the log in message "the system cannot log you on now because the domain is not available".
>
> The guide says this happens when you don't log in using the principal name, are you using that?
>
> rob
Re: [Freeipa-users] Windows client logon
Jimmy wrote:
> Just curious about this: the guide that we both refer to provides instructions for Windows client authentication, but this page indicates that FreeIPA doesn't support Windows clients:
>
> http://elladeon.fedorapeople.org/ipa/guide/Using_Microsoft_Windows.html
>
> Which is correct?

The guide you referred to was contributed by another FreeIPA user showing one way to get Windows login working. It does this by mapping all IPA users to a single Windows user (ipauser). This is not practical for most installations so we don't recommend it.

The roadmap for the next major release of FreeIPA adds AD trust so the IPA realm can be trusted as part of an AD forest.

rob

> On Tue, Sep 13, 2011 at 4:08 PM, Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com wrote:
>> Jimmy wrote:
>>> I'm setting up a WinXP system to authenticate to FreeIPA. I followed the directions listed here:
>>>
>>> http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step
>>>
>>> I created the host account in FreeIPA, and the user, and I do get prompted to change the initial password (and it seems to work), but as soon as the password is changed (or on subsequent login attempts) I get the log in message "the system cannot log you on now because the domain is not available".
>>
>> The guide says this happens when you don't log in using the principal name, are you using that?
>>
>> rob
Re: [Freeipa-users] Windows client logon
One thing that doesn't quite make sense about the Windows config instructions: we make a keytab, but there is no indication as to where the keytab goes. I wouldn't think the IPA server would need the keytab, as the password is stored in the IPA server already.

On Wed, Sep 14, 2011 at 10:07 AM, Rob Crittenden rcrit...@redhat.com wrote:
> Jimmy wrote:
>> Just curious about this: the guide that we both refer to provides instructions for Windows client authentication, but this page indicates that FreeIPA doesn't support Windows clients:
>>
>> http://elladeon.fedorapeople.org/ipa/guide/Using_Microsoft_Windows.html
>>
>> Which is correct?
>
> The guide you referred to was contributed by another FreeIPA user showing one way to get Windows login working. It does this by mapping all IPA users to a single Windows user (ipauser). This is not practical for most installations so we don't recommend it.
>
> The roadmap for the next major release of FreeIPA adds AD trust so the IPA realm can be trusted as part of an AD forest.
>
> rob
>
>> On Tue, Sep 13, 2011 at 4:08 PM, Rob Crittenden rcrit...@redhat.com mailto:rcrit...@redhat.com wrote:
>>> Jimmy wrote:
>>>> I'm setting up a WinXP system to authenticate to FreeIPA. I followed the directions listed here:
>>>>
>>>> http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step
>>>>
>>>> I created the host account in FreeIPA, and the user, and I do get prompted to change the initial password (and it seems to work), but as soon as the password is changed (or on subsequent login attempts) I get the log in message "the system cannot log you on now because the domain is not available".
>>>
>>> The guide says this happens when you don't log in using the principal name, are you using that?
>>>
>>> rob
Re: [Freeipa-users] Windows client logon
Jimmy wrote:
> I'm setting up a WinXP system to authenticate to FreeIPA. I followed the directions listed here:
>
> http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step
>
> I created the host account in FreeIPA, and the user, and I do get prompted to change the initial password (and it seems to work), but as soon as the password is changed (or on subsequent login attempts) I get the log in message "the system cannot log you on now because the domain is not available".

The guide says this happens when you don't log in using the principal name, are you using that?

rob