Re: [Freeipa-users] Windows client authentication with OTP not supported

2017-05-11 Thread Alexander Bokovoy

On Fri, 12 May 2017, Felix Chu wrote:

Thanks for your info. So it means we cannot use FreeIPA server if we
require MFA under Windows 2012?

Because our environment is under PCI-DSS cert, PCI-DSS 3.2 has a new
requirement forcing MFA on non-console access to servers. That's why we
are looking at FreeIPA.

We do not even support the mode you are operating in -- we do not
support using Windows machines as clients to FreeIPA, as clearly stated
on the wiki page you used to configure it.

Support for OTP in Kerberos on Windows is not related to FreeIPA.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Windows client authentication with OTP not supported

2017-05-11 Thread Felix Chu
Thanks for your info. So it means we cannot use FreeIPA server if we require MFA 
under Windows 2012?

Because our environment is under PCI-DSS cert, PCI-DSS 3.2 has a new requirement 
forcing MFA on non-console access to servers. That's why we are looking at FreeIPA.


-Original Message-
From: Alexander Bokovoy [mailto:aboko...@redhat.com]
Sent: Thursday, May 11, 2017 3:43 PM
To: Felix Chu
Cc: 'freeipa-users@redhat.com'
Subject: Re: [Freeipa-users] Windows client authentication with OTP not 
supported

On Thu, 11 May 2017, Felix Chu wrote:
>Hi, I would like to implement SSO for my Linux+Windows2012 machines
>with MFA.
>
>I have installed FreeIPA, it works well for my Linux client
>authentication with OTP enabled. However, for the Windows client, I can
>only make it work with FreeIPA without OTP.
>
>The Windows machines are 2012 R2 without AD (workgroup only). When I
>log in to Windows using FreeIPA user accounts enabled with OTP, it shows
>"An unsupported preauthentication mechanism was presented to the
>Kerberos package". Is that not supported, or is it something I configured
>wrong?
Windows does not support OTP in Kerberos the same way MIT Kerberos 
implements it.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Windows client authentication with OTP not supported

2017-05-11 Thread Alexander Bokovoy

On Thu, 11 May 2017, Felix Chu wrote:

Hi, I would like to implement SSO for my Linux+Windows2012 machines
with MFA.

I have installed FreeIPA, it works well for my Linux client
authentication with OTP enabled. However, for the Windows client, I can
only make it work with FreeIPA without OTP.

The Windows machines are 2012 R2 without AD (workgroup only). When I
log in to Windows using FreeIPA user accounts enabled with OTP, it shows
"An unsupported preauthentication mechanism was presented to the
Kerberos package". Is that not supported, or is it something I configured
wrong?

Windows does not support OTP in Kerberos the same way MIT Kerberos
implements it.

--
/ Alexander Bokovoy



Re: [Freeipa-users] Windows client

2014-02-19 Thread Alexander Bokovoy

On Wed, 19 Feb 2014, Mauricio Tavares wrote:

 When I added a Windows 7 client (let's call it
windows.lan.domain.com), I had to go and manually enter the domain (in
System Properties -> Computer Name/Domain Changes -> DNS Suffix and
NetBIOS computer name) even though ipconfig would report it properly.
Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM
instead of windows.lan.domain@domain.com. Does anyone know why? I
know the realm and the domain names are not quite the same (domain has
a lan in it), but should that matter?

Windows uses NetBIOS name$ as the machine name in TGT requests for the
host.

At this point we don't have means to correct this via IPA CLI. You need
to use ldapmodify directly and add 


   krbprincipalname: windows$DOMAIN.COM
   krbcanonicalname: HOST/windows.lan.domain@domain.com

to the host entry.

KrbPrincipalName can have multiple values and if there are more than
one, KrbCanonicalName should be set to the canonical version which is
the original KrbPrincipalName in IPA.



 On an unrelated note, in
http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it
should be

ksetup /addkpasswd

not

ksetup /addkpassword

Corrected, thanks!

--
/ Alexander Bokovoy

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users


Re: [Freeipa-users] Windows client

2014-02-19 Thread Simo Sorce
On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote:
 On Wed, 19 Feb 2014, Mauricio Tavares wrote:
   When I added a Windows 7 client (let's call it
 windows.lan.domain.com), I had to go and manually enter the domain (in
 System Properties -> Computer Name/Domain Changes -> DNS Suffix and
 NetBIOS computer name) even though ipconfig would report it properly.
 Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM
 instead of windows.lan.domain@domain.com. Does anyone know why? I
 know the realm and the domain names are not quite the same (domain has
 a lan in it), but should that matter?
 Windows uses NetBIOS name$ as the machine name in TGT requests for the
 host.
 
 At this point we don't have means to correct this via IPA CLI. You need
 to use ldapmodify directly and add 
 
 krbprincipalname: windows$DOMAIN.COM
 krbcanonicalname: HOST/windows.lan.domain@domain.com

Note that 'host' here should be lower case.

Simo.

 to the host entry.
 
 KrbPrincipalName can have multiple values and if there are more than
 one, KrbCanonicalName should be set to the canonical version which is
 the original KrbPrincipalName in IPA.
 
 
   On an unrelated note, in
 http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it
 should be
 
 ksetup /addkpasswd
 
 not
 
 ksetup /addkpassword
 Corrected, thanks!
 


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Windows client

2014-02-19 Thread Petr Spacek

On 19.2.2014 19:44, Simo Sorce wrote:

On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote:

On Wed, 19 Feb 2014, Mauricio Tavares wrote:

  When I added a Windows 7 client (let's call it
windows.lan.domain.com), I had to go and manually enter the domain (in
System Properties -> Computer Name/Domain Changes -> DNS Suffix and
NetBIOS computer name) even though ipconfig would report it properly.
Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM
instead of windows.lan.domain@domain.com. Does anyone know why? I
know the realm and the domain names are not quite the same (domain has
a lan in it), but should that matter?

Windows uses NetBIOS name$ as the machine name in TGT requests for the
host.

At this point we don't have means to correct this via IPA CLI. You need
to use ldapmodify directly and add

 krbprincipalname: windows$DOMAIN.COM
 krbcanonicalname: HOST/windows.lan.domain@domain.com


Note that 'host' here should be lower case.


... And please note that 
http://www.freeipa.org/page/Windows_authentication_against_FreeIPA is an 
option of last resort.


Please use real trust between AD and IPA whenever possible:
http://www.freeipa.org/page/Trusts

Have a nice day!

Petr^2 Spacek


to the host entry.

KrbPrincipalName can have multiple values and if there are more than
one, KrbCanonicalName should be set to the canonical version which is
the original KrbPrincipalName in IPA.



  On an unrelated note, in
http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it
should be

ksetup /addkpasswd

not

ksetup /addkpassword

Corrected, thanks!




Re: [Freeipa-users] Windows client

2014-02-19 Thread Mauricio Tavares
On Wed, Feb 19, 2014 at 2:02 PM, Petr Spacek pspa...@redhat.com wrote:
 On 19.2.2014 19:44, Simo Sorce wrote:

 On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote:

 On Wed, 19 Feb 2014, Mauricio Tavares wrote:

   When I added a Windows 7 client (let's call it
 windows.lan.domain.com), I had to go and manually enter the domain (in
 System Properties -> Computer Name/Domain Changes -> DNS Suffix and
 NetBIOS computer name) even though ipconfig would report it properly.
 Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM
 instead of windows.lan.domain@domain.com. Does anyone know why? I
 know the realm and the domain names are not quite the same (domain has
 a lan in it), but should that matter?

 Windows uses NetBIOS name$ as the machine name in TGT requests for the
 host.

 At this point we don't have means to correct this via IPA CLI. You need
 to use ldapmodify directly and add

  krbprincipalname: windows$DOMAIN.COM
  krbcanonicalname: HOST/windows.lan.domain@domain.com


 Note that 'host' here should be lower case.


 ... And please note that
 http://www.freeipa.org/page/Windows_authentication_against_FreeIPA is an
 option of last resort.

 Please use real trust between AD and IPA whenever possible:
 http://www.freeipa.org/page/Trusts

  Would not having an AD server be eligible for the option of last resort?

 Have a nice day!

 Petr^2 Spacek


 to the host entry.

 KrbPrincipalName can have multiple values and if there are more than
 one, KrbCanonicalName should be set to the canonical version which is
 the original KrbPrincipalName in IPA.


   On an unrelated note, in
 http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it
 should be

 ksetup /addkpasswd

 not

 ksetup /addkpassword

 Corrected, thanks!





Re: [Freeipa-users] Windows client

2014-02-19 Thread Petr Spacek

On 19.2.2014 20:10, Mauricio Tavares wrote:

On Wed, Feb 19, 2014 at 2:02 PM, Petr Spacek pspa...@redhat.com wrote:

On 19.2.2014 19:44, Simo Sorce wrote:


On Wed, 2014-02-19 at 20:34 +0200, Alexander Bokovoy wrote:


On Wed, 19 Feb 2014, Mauricio Tavares wrote:


   When I added a Windows 7 client (let's call it
windows.lan.domain.com), I had to go and manually enter the domain (in
System Properties -> Computer Name/Domain Changes -> DNS Suffix and
NetBIOS computer name) even though ipconfig would report it properly.
Otherwise, it would show in the kdc log file as windows$@DOMAIN.COM
instead of windows.lan.domain@domain.com. Does anyone know why? I
know the realm and the domain names are not quite the same (domain has
a lan in it), but should that matter?


Windows uses NetBIOS name$ as the machine name in TGT requests for the
host.

At this point we don't have means to correct this via IPA CLI. You need
to use ldapmodify directly and add

  krbprincipalname: windows$DOMAIN.COM
  krbcanonicalname: HOST/windows.lan.domain@domain.com



Note that 'host' here should be lower case.



... And please note that
http://www.freeipa.org/page/Windows_authentication_against_FreeIPA is an
option of last resort.

Please use real trust between AD and IPA whenever possible:
http://www.freeipa.org/page/Trusts


   Would not having an AD server be eligible for the option of last resort?


Sure, when Samba 4 has the ability to create a trust with IPA :-)

Seriously, if you have a non-trivial network with Windows clients you really 
need something for managing them - most likely AD or Samba 4. Unfortunately, 
Samba 4 is not able to create a trust with IPA right now.


Petr^2 Spacek


to the host entry.

KrbPrincipalName can have multiple values and if there are more than
one, KrbCanonicalName should be set to the canonical version which is
the original KrbPrincipalName in IPA.



   On an unrelated note, in
http://www.freeipa.org/page/Windows_authentication_against_FreeIPA it
should be

ksetup /addkpasswd

not

ksetup /addkpassword


Corrected, thanks!



--
Petr^2 Spacek



Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
On Mon, 2011-09-19 at 10:10 -0400, Jimmy wrote:
 I have verified that the password set for the workstation in the
 kerberos host principal(using ipa-getkeytab) and the password on the
 host (using ksetup) are the same. I'm still getting the  Decrypt
 integrity check failed errors. I have also verified that the system
 clock is accurate on both the KDC and the workstation. What else could
 be causing this? As I have said, this system authenticates flawlessly
 against other KDC's I have set up.

The thing that is failing is your user password does not check with what
the KDC thinks is the user's secret. You are not yet to the stage where
the machine password is tried.

Simo.
 

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
On Mon, 2011-09-19 at 10:58 -0400, Jimmy wrote:
 I think you're on to something here. I just reset the user's password
 on IPA and get the password expired message but I get that
 regardless of what I enter for the user's password. I'm confused as to
 why I can make the user auth work with a normal KDC but I'm having so
 much trouble with IPA-KDC. Going to wipe the Win7 config and start
 fresh on that system. 

Not sure why you are having trouble, the KDC component of IPA is a stock
MIT KDC with an LDAP backend.
 
Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
I have a WinXP client configured to authenticate now but it looks like
FreeIPA is sending the ticket encrypted with AES and XP does not support
AES. The user is getting authenticated, just not able to decrypt the ticket.

Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23
-133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: o...@pdh.csp for
krbtgt/pdh@pdh.csp, Additional pre-authentication required
Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23})
192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23},
o...@pdh.csp for krbtgt/pdh@pdh.csp
Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23
-133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1316461836, etypes
{rep=23 tkt=18 ses=23}, o...@pdh.csp for host/crm1.pdh@pdh.csp


On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce s...@redhat.com wrote:

 On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote:
  Once I changed the password for 'admin' I now get this error on the
  windows system:
 
 
 
  Insufficient system resources exist to complete the requested service
 
 
  and get this in the log no matter if I use the correct(changed)
  password or if I use a known bad password:
  Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes
  {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: ad...@pdh.csp
  for krbtgt/pdh@pdh.csp, Additional pre-authentication required
 
 
  I even deleted the user and all associated profile information on the
  windows system and still it won't work any more.
 
 
 Ok somehow we generate a key the windows client doesn't like or know how
 to work with. While MIT's clients are just fine with.
 The way we generate keys is by setting a special random seed that is
 handed back to the client when the preauth error is generated, perhaps
 Windows is not liking what it sees ?

 Any chance you can try with an older client, I wonder if it is a
 regression in win7 ?

 Simo.

 --
 Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
I wonder if changing the defaults to exclude the use of AES would help
in your case.

Not ideal, but apparently something funny is going on there.

Simo.

On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote:
 I have a WinXP client configured to authenticate now but it looks like
 FreeIPA is sending the ticket encrypted with AES and XP does not
 support AES. The user is getting authenticated, just not able to
 decrypt the ticket.
 
 
 
 Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes
 {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH:
 o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication
 required
 Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes
 {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23
 tkt=18 ses=23}, o...@pdh.csp for krbtgt/pdh@pdh.csp
 Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes
 {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime
 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for
 host/crm1.pdh@pdh.csp
 
 
 
 On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce s...@redhat.com wrote:
 On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote:
  Once I changed the password for 'admin' I now get this error
 on the
  windows system:
 
 
 
  Insufficient system resources exist to complete the
 requested service
 
 
  and get this in the log no matter if I use the
 correct(changed)
  password or if I use a known bad password:
  Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ
 (7 etypes
  {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH:
 ad...@pdh.csp
  for krbtgt/pdh@pdh.csp, Additional pre-authentication
 required
 
 
  I even deleted the user and all associated profile
 information on the
  windows system and still it won't work any more.
 
 
 
 Ok somehow we generate a key the windows client doesn't like
 or know how
 to work with. While MIT's clients are just fine with.
 The way we generate keys is by setting a special random seed
 that is
 handed back to the client when the preauth error is generated,
 perhaps
 Windows is not liking what it sees ?
 
 Any chance you can try with an older client, I wonder if it is
 a
 regression in win7 ?
 
 Simo.
 
 --
 Simo Sorce * Red Hat, Inc * New York
 
 
 

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
What error exactly do you get on the client side ?

Simo.

On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote:
 I have a WinXP client configured to authenticate now but it looks like
 FreeIPA is sending the ticket encrypted with AES and XP does not
 support AES. The user is getting authenticated, just not able to
 decrypt the ticket.
 
 
 
 Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes
 {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH:
 o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication
 required
 Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes
 {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23
 tkt=18 ses=23}, o...@pdh.csp for krbtgt/pdh@pdh.csp
 Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes
 {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime
 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for
 host/crm1.pdh@pdh.csp
 
 
 
 On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce s...@redhat.com wrote:
 On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote:
  Once I changed the password for 'admin' I now get this error
 on the
  windows system:
 
 
 
  Insufficient system resources exist to complete the
 requested service
 
 
  and get this in the log no matter if I use the
 correct(changed)
  password or if I use a known bad password:
  Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ
 (7 etypes
  {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH:
 ad...@pdh.csp
  for krbtgt/pdh@pdh.csp, Additional pre-authentication
 required
 
 
  I even deleted the user and all associated profile
 information on the
  windows system and still it won't work any more.
 
 
 
 Ok somehow we generate a key the windows client doesn't like
 or know how
 to work with. While MIT's clients are just fine with.
 The way we generate keys is by setting a special random seed
 that is
 handed back to the client when the preauth error is generated,
 perhaps
 Windows is not liking what it sees ?
 
 Any chance you can try with an older client, I wonder if it is
 a
 regression in win7 ?
 
 Simo.
 
 --
 Simo Sorce * Red Hat, Inc * New York
 
 
 

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
Ah stupid me,
When using Windows XP you must generate a keytab that does not use the
AES enctype. If you include the AES enctype when generating keys for the
host, you are telling the KDC that the host knows how to use AES.

You should probably just use arcfour only for WinXP as that client only
understands RC4 and DES, and DES is not worth using.

Simo.

On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote:
 I have a WinXP client configured to authenticate now but it looks like
 FreeIPA is sending the ticket encrypted with AES and XP does not
 support AES. The user is getting authenticated, just not able to
 decrypt the ticket.
 
 
 
 Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes
 {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH:
 o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication
 required
 Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes
 {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23
 tkt=18 ses=23}, o...@pdh.csp for krbtgt/pdh@pdh.csp
 Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes
 {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime
 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for
 host/crm1.pdh@pdh.csp
 
 
 
 On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce s...@redhat.com wrote:
 On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote:
  Once I changed the password for 'admin' I now get this error
 on the
  windows system:
 
 
 
  Insufficient system resources exist to complete the
 requested service
 
 
  and get this in the log no matter if I use the
 correct(changed)
  password or if I use a known bad password:
  Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ
 (7 etypes
  {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH:
 ad...@pdh.csp
  for krbtgt/pdh@pdh.csp, Additional pre-authentication
 required
 
 
  I even deleted the user and all associated profile
 information on the
  windows system and still it won't work any more.
 
 
 
 Ok somehow we generate a key the windows client doesn't like
 or know how
 to work with. While MIT's clients are just fine with.
 The way we generate keys is by setting a special random seed
 that is
 handed back to the client when the preauth error is generated,
 perhaps
 Windows is not liking what it sees ?
 
 Any chance you can try with an older client, I wonder if it is
 a
 regression in win7 ?
 
 Simo.
 
 --
 Simo Sorce * Red Hat, Inc * New York
 
 
 

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
According to this:
http://mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Supported-Encryption-Types.html
there are a ton of encryption options that XP does support, but I always get
this error if I define anything specific in the keytab:

Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23
-133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: o...@pdh.csp for
krbtgt/pdh@pdh.csp, Additional pre-authentication required
Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23})
192.168.201.150: ISSUE: authtime 1316462970, etypes {rep=23 tkt=18 ses=23},
o...@pdh.csp for krbtgt/pdh@pdh.csp
Sep 19 20:09:31 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23
-133 -128 3 1 24 -135}) 192.168.201.150: BAD_ENCRYPTION_TYPE: authtime 0,
o...@pdh.csp for host/crm1.pdh@pdh.csp, KDC has no support for
encryption type

There is a fix for Win7. I have a technet article I will post the link as
soon as I can. I had the Win7 system working with the freeipa 'admin' user
before I changed the admin user password, now it's broken. The MIT KFW
client can authenticate and get a ticket, but I need to get the native
windows authentication working.
Thanks
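Simo's point above (the enctypes in the host keytab tell the KDC what the host can decrypt) can be checked directly against the krb5kdc lines Jimmy posted. The following is an added example, not code from the thread or from FreeIPA: it parses the requested and issued enctypes of each AS_REQ/TGS_REQ line and flags a host service ticket issued with an enctype the requesting workstation never offered, as well as BAD_ENCRYPTION_TYPE rejections. The etype-number table and the "client and service are the same workstation" heuristic are assumptions stated in the comments.

```python
"""Flag Kerberos enctype mismatches in krb5kdc log lines."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Enctype numbers from RFC 3961 / RFC 4757 (assumed table, not from the
# thread). The negative values a Windows client advertises are
# Microsoft-specific and never appear in an issued ticket.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
    24: "arcfour-hmac-exp",
}

# Constructed sample: three KDC lines quoted in the thread, each rejoined
# onto a single line (principal names kept as the archive mangled them).
SAMPLE_LOG = """\
Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for krbtgt/pdh@pdh.csp
Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, o...@pdh.csp for host/crm1.pdh@pdh.csp
Sep 19 20:09:31 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: BAD_ENCRYPTION_TYPE: authtime 0, o...@pdh.csp for host/crm1.pdh@pdh.csp, KDC has no support for encryption type
"""

LINE_RE = re.compile(
    r"(?P<kind>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<req>[^}]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)"
)
ISSUED_RE = re.compile(r"etypes \{rep=(-?\d+) tkt=(-?\d+) ses=(-?\d+)\}")
PRINC_RE = re.compile(r"(\S+@\S+?) for (\S+?)(?:,|$)")

@dataclass
class KdcRecord:
    kind: str            # AS_REQ or TGS_REQ
    client_ip: str
    status: str          # ISSUE, NEEDED_PREAUTH, BAD_ENCRYPTION_TYPE, ...
    requested: Set[int]  # enctypes the client offered
    client: str
    server: str
    tkt_etype: Optional[int] = None  # enctype the issued ticket is encrypted with
    ses_etype: Optional[int] = None  # session key enctype

def parse_line(line: str) -> Optional[KdcRecord]:
    """Parse one krb5kdc AS_REQ/TGS_REQ line; return None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    princ = PRINC_RE.search(rest)
    issued = ISSUED_RE.search(rest)
    return KdcRecord(
        kind=m.group("kind"),
        client_ip=m.group("ip"),
        status=m.group("status"),
        requested={int(e) for e in m.group("req").split()},
        client=princ.group(1) if princ else "",
        server=princ.group(2) if princ else "",
        tkt_etype=int(issued.group(2)) if issued else None,
        ses_etype=int(issued.group(3)) if issued else None,
    )

def etype_name(n: int) -> str:
    return ETYPE_NAMES.get(n, f"etype {n}")

def find_enctype_problems(log_text: str) -> List[str]:
    """One finding per record that points at a host key the client cannot use.

    Heuristic (assumed here): on a workstation logon the machine asking for
    host/<itself> is also the one that must decrypt that service ticket, so a
    tkt enctype outside what the client advertised means the host keytab was
    generated with a key type the client lacks. The AS_REQ tkt enctype is the
    krbtgt key, which the client never decrypts, so it is not flagged.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.status == "BAD_ENCRYPTION_TYPE":
            findings.append(
                f"{rec.client_ip}: KDC has no key for {rec.server} matching "
                f"any of {sorted(rec.requested)}; regenerate the host keytab "
                f"with an enctype the client supports"
            )
        elif (rec.kind == "TGS_REQ" and rec.status == "ISSUE"
              and rec.server.startswith("host/")
              and rec.tkt_etype is not None
              and rec.tkt_etype not in rec.requested):
            offered = [etype_name(e) for e in sorted(rec.requested) if e > 0]
            findings.append(
                f"{rec.client_ip}: ticket for {rec.server} issued with "
                f"{etype_name(rec.tkt_etype)} but the client only offered {offered}"
            )
    return findings

if __name__ == "__main__":
    print("\n".join(find_enctype_problems(SAMPLE_LOG)))
```

On the sample, the AS_REQ line passes (the TGT is encrypted with the krbtgt key, which the XP client never has to decrypt) while the TGS_REQ for host/crm1 is flagged: tkt=18 is AES-256 and the client offered only RC4 and DES.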

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Simo Sorce
On Mon, 2011-09-19 at 16:17 -0400, Jimmy wrote:
 According to this:
 http://mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Supported-Encryption-Types.html
  there are a ton of encryption options that XP does support, but I always get 
 this error if I define anything specific in the keytab:

I know for a fact that stock WinXP supports only RC4 and DES, no 3DES
nor AES support there.

If you create the host keytab with only RC4 you should be able to make
WinXp happy.

 Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes
 {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH:
 o...@pdh.csp for krbtgt/pdh@pdh.csp, Additional pre-authentication
 required
 Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes
 {23}) 192.168.201.150: ISSUE: authtime 1316462970, etypes {rep=23
 tkt=18 ses=23}, o...@pdh.csp for krbtgt/pdh@pdh.csp
 Sep 19 20:09:31 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes
 {23 -133 -128 3 1 24 -135}) 192.168.201.150: BAD_ENCRYPTION_TYPE:
 authtime 0, o...@pdh.csp for host/crm1.pdh@pdh.csp, KDC has no
 support for encryption type
 

 There is a fix for Win7. I have a technet article I will post the link
 as soon as I can.

Yes please let me know the link, I will try to investigate any Win7/W2K8
issues with AES and random salts asap, but not this week probably.

 I had the Win7 system working with the freeipa 'admin' user before I
 changed the admin user password, now it's broken. The MIT KFW client
 can authenticate and get a ticket, but I need to get the native
 windows authentication working.

Understood.

If AES is the issue, you could reconfigure FreeIPA to not allow AES, not
ideal, but it would be the fastest solution. Although it will probably
require also to change all passwords.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
You are correct. As soon as I set the WinXP machine to arcfour-hmac it's
working to authenticate all users against the FreeIPA realm. I just went
into gpedit.msc on the Win7 system and set it to only do rc4-hmac-md5 and
maybe that will fix it, too.

Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
That fixed Win7. Now I'm going to enable AES on Win7 to see if it breaks
again.

On Mon, Sep 19, 2011 at 4:44 PM, Jimmy g17ji...@gmail.com wrote:

 You are correct. As soon as I set the WinXP machine to arcfour-hmac it's
 working to authenticate all users against the FreeIPA realm. I just went
 into gpedit.msc on the Win7 system and set it to only do rc4-hmac-md5 and
 maybe that will fix it, too.


Re: [Freeipa-users] Windows client logon

2011-09-19 Thread Jimmy
I can't find the technet article right now, but here's what I did that
makes Win7 work.  Run gpedit.msc. Under Computer
Configuration\Windows Settings\Security Settings\Local
Policies\Security Options open the key called “Network Security:
Configure encryption types allowed for Kerberos” unselect everything
except RC4_HMAC_MD5 and reboot.  Step by step instructions below. AES
worked at first for me but that was only for the IPA user `admin` and
even that broke after I changed the `admin` password using the windows
change password dialog. I will be submitting that tracefile and log to
MS to see what might be happening.

On FreeIPA:

i.   create the host principal in the web interface
ii.  create IPA users to correspond to windows users
iii. reset the user's IPA password to a known password using the web
     interface, the user will be prompted to change at first log in. (is
     there a default password or is this random? sorry if that's somewhere
     else in docs and I missed it)
iv.  on the IPA server run `ipa-getkeytab -s [kdc DNS name] -p
     host/[machine-name] -e arcfour-hmac -k krb5.keytab.[machine-name] -P`

configure windows ksetup:

i.    ksetup /setdomain [REALM NAME]
ii.   ksetup /addkdc [REALM NAME] [kdc DNS name]
iii.  ksetup /addkpasswd [REALM NAME] [kdc DNS name]
iv.   ksetup /setcomputerpassword [PASSWORD]
v.    ksetup /mapuser * *
vi.   Run gpedit.msc. Under Computer Configuration\Windows
      Settings\Security Settings\Local Policies\Security Options open the
      key called “Network Security: Configure encryption types allowed for
      Kerberos” unselect everything except RC4_HMAC_MD5
vii.  *** REBOOT ***
viii. log in as [user]@[REALM] with the initial password, you will be
      prompted to change the password then logged in.



Re: [Freeipa-users] Windows client logon

2011-09-16 Thread Jimmy
I tried that but still cannot successfully log in as an IPA user. The same
system can be configured as a Kerberos client (non-IPA) defined in MIT
Kerberos, and authenticate against MIT Kerberos. The system uses AES when
authenticating to MIT Kerberos so those are the only encryption types I
defined manually. In the network trace for this transaction I see the error
KRB_AP_ERR_BAD_INTEGRITY (31)

Commands used (different iterations):
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P   [entering into the main keytab /etc/krb5.keytab]
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P   [entering into a new keytab krb5.keytab.sys1]
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P

Log entries:
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17
23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: o...@pdh.csp for
krbtgt/pdh@pdh.csp, Additional pre-authentication required
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp)
verify failure: Decrypt integrity check failed
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17
23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for
krbtgt/pdh@pdh.csp, Decrypt integrity check failed
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp)
verify failure: Decrypt integrity check failed
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17
23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for
krbtgt/pdh@pdh.csp, Decrypt integrity check failed

Re: [Freeipa-users] Windows client logon

2011-09-16 Thread Simo Sorce
On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
 ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k
 krb5.keytab
 -P[entering into the main keytab /etc/krb5.keytab]
 ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k
 krb5.keytab.sys1 -P   [entering into a new keytab krb5.keytab.sys1]
 ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
 aes256-cts-hmac-sha1-96 -k krb5.keytab -P
 ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
 aes128-cts-hmac-sha1-96 -k krb5.keytab -P
 ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
 aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
 ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
 aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
 

This is not how it works.
You must define all types in one single go.
Every time you invoke ipa-getkeytab for a principal you are discarding
any previous key in the KDC, and only the last one is available.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Windows client logon

2011-09-16 Thread Jimmy
When I do not specify the encryption type it does put them all in, in a
single go. I just was attempting to eliminate the other types in case that
was creating a problem. The system defaults to type x18
(aes256-cts-hmac-sha1-96). Thanks for your help on this.

[root@csp-idm etc]# klist -kte krb5.keytab.sys1
Keytab name: WRFILE:krb5.keytab.sys1
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   6 09/16/11 13:40:03 host/ews1-cybsec.pdh@pdh.csp (aes256-cts-hmac-sha1-96)
   6 09/16/11 13:40:03 host/ews1-cybsec.pdh@pdh.csp (aes128-cts-hmac-sha1-96)
   6 09/16/11 13:40:04 host/ews1-cybsec.pdh@pdh.csp (des3-cbc-sha1)
   6 09/16/11 13:40:04 host/ews1-cybsec.pdh@pdh.csp (arcfour-hmac)


On Fri, Sep 16, 2011 at 9:35 AM, Simo Sorce s...@redhat.com wrote:

 On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
  ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k
  krb5.keytab
  -P[entering into the main keytab /etc/krb5.keytab]
  ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k
  krb5.keytab.sys1 -P   [entering into a new keytab krb5.keytab.sys1]
  ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
  aes256-cts-hmac-sha1-96 -k krb5.keytab -P
  ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
  aes128-cts-hmac-sha1-96 -k krb5.keytab -P
  ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
  aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
  ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
  aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
 

 This is not how it works.
 You must define all types in one single go.
 Every time you invoke ipa-getkeytab for a principal you are discarding
 any previous key in the KDC, and only the last one is available.

 Simo.

 --
 Simo Sorce * Red Hat, Inc * New York


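A check a practitioner would run after ipa-getkeytab, to confirm that a keytab like the one Jimmy lists above is complete and current: an added Python example, not code from the thread or from the FreeIPA project. It parses `klist -kte` output in the format shown above. Both listings are constructed: the first mirrors Jimmy's, with the principal `host/ews1-cybsec.pdh.csp@PDH.CSP` assumed from the hostname in his commands and the realm Simo names; the second assumes two separate single-enctype ipa-getkeytab runs written into the same keytab file, each bumping the KVNO as ipa-getkeytab does when it regenerates a principal's keys.

```python
"""Check a keytab listing for complete, consistent keys per principal.

Added example (not from the thread or FreeIPA). It parses `klist -kte`
output and reports, for each principal, the key version numbers seen and
whether the required encryption types are all present at the newest KVNO.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the klist output quoted in the thread.
SAMPLE_KLIST = """\
Keytab name: WRFILE:krb5.keytab.sys1
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp@PDH.CSP (aes256-cts-hmac-sha1-96)
   6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp@PDH.CSP (aes128-cts-hmac-sha1-96)
   6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp@PDH.CSP (des3-cbc-sha1)
   6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp@PDH.CSP (arcfour-hmac)
"""

# Constructed sample of what two separate one-enctype ipa-getkeytab runs
# leave in the same keytab file (assumed: each run bumps the KVNO). The KDC
# keeps only the key from the last run, so the KVNO 4 entry is stale even
# though klist still shows it.
SAMPLE_STALE = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 09/16/11 13:20:11 host/ews1-cybsec.pdh.csp@PDH.CSP (aes256-cts-hmac-sha1-96)
   5 09/16/11 13:21:47 host/ews1-cybsec.pdh.csp@PDH.CSP (aes128-cts-hmac-sha1-96)
"""

# One entry line: KVNO, date and time, principal, "(enctype)".
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((\S+)\)\s*$")


def parse_klist(text):
    """Return {principal: [(kvno, enctype), ...]} from klist -kte output."""
    keys = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header, separator and "Keytab name:" lines do not match
            kvno, _timestamp, principal, enctype = m.groups()
            keys[principal].append((int(kvno), enctype))
    return dict(keys)


def check_keytab(text, required=("aes256-cts-hmac-sha1-96",
                                 "aes128-cts-hmac-sha1-96")):
    """Return {principal: {"kvnos": [...], "missing": [...], "ok": bool}}.

    A principal is "ok" when all of its entries share one KVNO and every
    required enctype is present at that KVNO. Entries at an older KVNO can
    no longer match what the KDC holds, so they do not count.
    """
    report = {}
    for principal, entries in parse_klist(text).items():
        kvnos = sorted({kvno for kvno, _ in entries})
        current = {enc for kvno, enc in entries if kvno == kvnos[-1]}
        missing = [enc for enc in required if enc not in current]
        report[principal] = {
            "kvnos": kvnos,
            "missing": missing,
            "ok": len(kvnos) == 1 and not missing,
        }
    return report


if __name__ == "__main__":
    for label, listing in (("complete", SAMPLE_KLIST), ("stale", SAMPLE_STALE)):
        print(label, check_keytab(listing))
```

Only the entries at the newest KVNO can still match the KDC, which is why the second listing fails even though it contains an AES-256 key; Simo's point that all enctypes must be requested in one ipa-getkeytab invocation follows directly from that.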

Re: [Freeipa-users] Windows client logon

2011-09-16 Thread Jimmy
This was installed using yum. I need to be able to authenticate users
against Kerberos from a Windows client machine and it fails at login saying
the username/password is incorrect. The krb5kdc.log shows:

Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17
23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: o...@pdh.csp for
krbtgt/pdh@pdh.csp, Additional pre-authentication required
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp)
verify failure: Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17
23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for
krbtgt/pdh@pdh.csp, Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp)
verify failure: Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17
23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for
krbtgt/pdh@pdh.csp, Decrypt integrity check failed

I know the user's password I'm using is correct because I can kinit with
that username/password on the IPA server. I used the ipa-getkeytab to set
the machine password, but I'm not sure that it's doing what I would normally
do in a stand-alone MIT Kerberos server using kadmin. Using ksetup on the
Windows 7 client I can reconfigure for a couple different realms and
authentication works just fine, but I'm missing something on the IPA config
that would allow the same authentication.
Thanks, Jimmy
On Fri, Sep 16, 2011 at 4:45 PM, Dmitri Pal d...@redhat.com wrote:

  On 09/16/2011 02:26 PM, Jimmy wrote:

 I can create a keytab using ipa-getkeytab for any entity, say for instance
 a user, and store a password in the keytab but as soon as the user attempts
 to kinit with the set password it expires and must be changed. Is this
 happening with the host(workstation) entities?


 Are you using the latest hand-built IPA from the master?
 There is a bug about passwords being expired.
 A more stable version is available from Fedora if you are using Fedora or
 from the 2.1 branch.


 On Fri, Sep 16, 2011 at 9:44 AM, Jimmy g17ji...@gmail.com wrote:

 When I do not specify the encryption type it does put them all in in a
 single go. I just was attempting to eliminate the other types in case that
 was creating a problem. The system defaults to type x18
 (aes256-cts-hmac-sha1-96). Thanks for your help on this.

  [root@csp-idm etc]# klist -kte krb5.keytab.sys1
 Keytab name: WRFILE:krb5.keytab.sys1
 KVNO Timestamp Principal
  -
 
 6 09/16/11 13:40:03 host/ews1-cybsec.pdh@pdh.csp(aes256-cts-hmac-sha1-96)
 6 09/16/11 13:40:03 host/ews1-cybsec.pdh@pdh.csp(aes128-cts-hmac-sha1-96)
 6 09/16/11 13:40:04 host/ews1-cybsec.pdh@pdh.csp (des3-cbc-sha1)
 6 09/16/11 13:40:04 host/ews1-cybsec.pdh@pdh.csp (arcfour-hmac)


 On Fri, Sep 16, 2011 at 9:35 AM, Simo Sorce s...@redhat.com wrote:

 On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
  ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k
  krb5.keytab
  -P[entering into the main keytab /etc/krb5.keytab]
  ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k
  krb5.keytab.sys1 -P   [entering into a new keytab krb5.keytab.sys1]
  ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
  aes256-cts-hmac-sha1-96 -k krb5.keytab -P
  ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
  aes128-cts-hmac-sha1-96 -k krb5.keytab -P
  ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
  aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
  ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e
  aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
 

  This is not how it works.
 You must define all types in one single go.
 Every time you invoke ipa-getkeytab for a principal you are discarding
 any previous key in the KDC, and only the last one is available.

 Simo.

 --
 Simo Sorce * Red Hat, Inc * New York






 --
 Thank you,
 Dmitri Pal

 Sr. Engineering Manager IPA project,
 Red Hat Inc.


 ---
 Looking to carve out IT costs? www.redhat.com/carveoutcosts/




Re: [Freeipa-users] Windows client logon

2011-09-16 Thread Simo Sorce
On Fri, 2011-09-16 at 17:24 -0400, Jimmy wrote:
 This was installed using yum. I need to be able to authenticate users
 against Kerberos from a Windows client machine and it fails at login
 saying the username/password is incorrect. The krb5kdc.log shows:
 
 
 
 Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes
 {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: o...@pdh.csp
 for krbtgt/pdh@pdh.csp, Additional pre-authentication required
 Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth
 (timestamp) verify failure: Decrypt integrity check failed
 Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes
 {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp
 for krbtgt/pdh@pdh.csp, Decrypt integrity check failed
 Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth
 (timestamp) verify failure: Decrypt integrity check failed
 Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes
 {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp
 for krbtgt/pdh@pdh.csp, Decrypt integrity check failed


These logs say that either the password is wrong, or the clock on your
windows client is way off (more than 5 min. skew) wrt the ipa server.
 
 I know the user's password I'm using is correct because I can kinit
 with that username/password on the IPA server. I used the
 ipa-getkeytab to set the machine password, but I'm not sure that it's
 doing what I would normally do in a stand alone MIT Kerberos server
 using kadmin. Using ksetup on the windows7 client I can reconfigure
 for a couple different realms and authentication works just fine, but
 I'm missing something on the IPA config that would allow the same
 authentication. 

The reason to have a password (windows) or a keytab (unix) for the
machine is to be able to validate the account against a possible rogue
KDC+attacker at login prompt pair.

But you are not even getting to the validation step as you are failing
to get a TGT for the user in the first place.

If the user password is right and your Freeipa REALM name is indeed
PDH.CSP then it is probably clock skew.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

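To spot the pattern Simo reads out of the KDC log when there are more than a handful of lines, here is an added Python example (not code from the thread, from MIT krb5 or from FreeIPA) that parses krb5kdc.log AS_REQ audit lines, decodes the client's offered etype numbers from the `{18 17 23 3 1 24 -135}` list, and clusters PREAUTH_FAILED outcomes per client and principal. The sample lines are constructed after the ones quoted above, with a placeholder user principal and the realm Simo names; the etype names are MIT krb5's, and the negative numbers are labelled with their Windows-private RC4 names.

```python
"""Triage krb5kdc.log AS_REQ lines of the kind quoted in the thread.

Added example (not from the thread, MIT krb5 or FreeIPA). It parses the
KDC's AS_REQ audit lines, decodes the offered etype numbers and reports
(client, principal) pairs with repeated PREAUTH_FAILED results.
"""
import re
from collections import Counter, defaultdict

# Etype numbers with MIT krb5's names; the negative numbers are
# Windows-private RC4 variants (names as in MS-KILE) that MIT has no
# table entry for, which is why they show up only as numbers in the log.
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac", 24: "arcfour-hmac-exp",
    -133: "rc4-hmac-old", -135: "rc4-hmac-old-exp",
}

# Constructed sample after the krb5kdc.log lines quoted in the thread;
# "user1" and "admin" are placeholder principals, the IPs are the thread's.
SAMPLE_LOG = """\
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: user1@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Additional pre-authentication required
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: user1@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: user1@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Decrypt integrity check failed
Sep 16 20:54:01 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (2 etypes {18 17}) 192.168.201.20: ISSUE: authtime 1316206441, etypes {rep=18 tkt=18 ses=18}, admin@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP
"""

# Fixed prefix of an AS_REQ audit line up to the status word; the rest of
# the line differs between NEEDED_PREAUTH/PREAUTH_FAILED and ISSUE.
AS_REQ_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(info\): "
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[-\d ]+)\}\) (?P<client>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "client@REALM for service@REALM[, reason]" wherever it sits in the rest.
PRINC_RE = re.compile(
    r"(?P<princ>\S+@\S+) for (?P<service>[^,\s]+)(?:, (?P<reason>.*))?$"
)


def parse_as_req(line):
    """Return a dict for an AS_REQ audit line, or None for any other line."""
    m = AS_REQ_RE.match(line)
    if not m:
        return None
    p = PRINC_RE.search(m.group("rest"))
    if not p:
        return None
    return {
        "ts": m.group("ts"),
        "client": m.group("client"),
        "status": m.group("status"),
        "principal": p.group("princ"),
        "service": p.group("service"),
        "reason": p.group("reason") or "",
        "etypes": [int(n) for n in m.group("etypes").split()],
    }


def etype_names(numbers):
    """Map etype numbers to names, keeping unknown numbers visible."""
    return [ETYPE_NAMES.get(n, "unknown(%d)" % n) for n in numbers]


def triage(log_text, threshold=2):
    """Cluster AS_REQ outcomes per (client, principal); report pairs with at
    least `threshold` PREAUTH_FAILED results, the distinct failure reasons,
    and the etypes offered in that client's most recent request."""
    outcomes = defaultdict(Counter)
    offered = {}
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_as_req(line)
        if rec is None:
            continue  # "preauth (timestamp) verify failure" lines name no client
        key = (rec["client"], rec["principal"])
        outcomes[key][rec["status"]] += 1
        offered[key] = rec["etypes"]
        if rec["status"] == "PREAUTH_FAILED":
            reasons[key].add(rec["reason"])
    findings = []
    for (client, principal), counts in sorted(outcomes.items()):
        if counts["PREAUTH_FAILED"] >= threshold:
            findings.append({
                "client": client, "principal": principal,
                "failures": counts["PREAUTH_FAILED"],
                "reasons": sorted(reasons[(client, principal)]),
                "offered": etype_names(offered[(client, principal)]),
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The log alone cannot tell a wrong password from clock skew, as Simo says; what it does give you is which client to check the clock on (MIT's default tolerance is 300 seconds) and, from the decoded list, whether that client offered the AES enctypes the host keytab was generated with.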


Re: [Freeipa-users] Windows client logon

2011-09-15 Thread Jimmy
I'm still working on this... I was reading this post in the archives:
http://www.mail-archive.com/freeipa-users@redhat.com/msg02049.html Dmitri's
statement "There might be some MIT documentation about how to join a Windows
machine to MIT KDC. If this can be done I am sure the same can be done with
IPA." should be true, but for the Windows system to use authentication I
have to be able to set the host password in Kerberos. There doesn't seem to
be a way to do that in the FreeIPA interface. I would normally do that in
kadmin if working directly in Kerberos, but that's not possible either.

*IS* there a way to set the host password so that machines can provide user
authentication for a windows client?

Re: [Freeipa-users] Windows client logon

2011-09-15 Thread Simo Sorce
On Thu, 2011-09-15 at 17:51 -0400, Jimmy wrote:
 I'm still working on this... I was reading this post in the archives:
 http://www.mail-archive.com/freeipa-users@redhat.com/msg02049.html
 Dmitri's statement "There might be some MIT documentation about how to
 join a Windows machine to MIT KDC. If this can be done I am sure the
 same can be done with IPA." should be true, but for the Windows system
 to use authentication I have to be able to set the host password in
 Kerberos. There doesn't seem to be a way to do that in the FreeIPA
 interface. I would normally do that in kadmin if working directly in
 Kerberos, but that's not possible either. 
 
 
 *IS* there a way to set the host password so that machines can provide
 user authentication for a windows client?
 
Use ipa-getkeytab with the -P option to specify a 'password' to use to
generate the keys instead of letting it generate a random password.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Windows client logon

2011-09-14 Thread Jimmy
Just curious about this, the guide that we both refer to provides
instructions for Windows client authentication but this page indicates
that FreeIPA doesn't support Windows clients:

http://elladeon.fedorapeople.org/ipa/guide/Using_Microsoft_Windows.html

Which is correct?

On Tue, Sep 13, 2011 at 4:08 PM, Rob Crittenden rcrit...@redhat.com wrote:

 Jimmy wrote:

 I'm setting up a WinXP system to authenticate to FreeIPA. I followed the
 directions listed here:

 http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step

 I created the host account in FreeIPA, and the user, and I do get
 prompted to change the initial password (and it seems to work), but as
 soon as the password is changed (or subsequent login attempts) I get the
 log-in message
 "The system cannot log you on now because the domain is not available"


 The guide says this happens when you don't log in using the principal name,
 are you using that?

 rob


Re: [Freeipa-users] Windows client logon

2011-09-14 Thread Rob Crittenden

Jimmy wrote:

Just curious about this, the guide that we both refer to provides
instructions for a windows client authentication but this page indicates
that FreeIPA doesn't support windows clients:

http://elladeon.fedorapeople.org/ipa/guide/Using_Microsoft_Windows.html

Which is correct?


The guide you referred to was contributed by another FreeIPA user 
showing one way to get Windows login working. It does this by mapping 
all IPA users to a single windows user (ipauser).


This is not practical for most installations so we don't recommend it.

The roadmap for the next major release of FreeIPA adds AD trust so the 
IPA realm can be trusted as part of an AD forest.


rob



On Tue, Sep 13, 2011 at 4:08 PM, Rob Crittenden rcrit...@redhat.com wrote:

Jimmy wrote:

I'm setting up a WinXP system to authenticate to FreeIPA. I followed the
directions listed here:

http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step

I created the host account in FreeIPA, and the user, and I do get
prompted to change the initial password (and it seems to work), but as
soon as the password is changed (or subsequent login attempts) I get the
log-in message
"The system cannot log you on now because the domain is not available"


The guide says this happens when you don't log in using the
principal name, are you using that?

rob






Re: [Freeipa-users] Windows client logon

2011-09-14 Thread Jimmy
One thing that doesn't quite make sense about the windows config
instructions, we make a keytab, but there is no indication as to where the
keytab goes. I wouldn't think the IPA server would need the keytab as the
password is stored in the IPA server already.

On Wed, Sep 14, 2011 at 10:07 AM, Rob Crittenden rcrit...@redhat.com wrote:

 Jimmy wrote:

 Just curious about this, the guide that we both refer to provides
 instructions for a windows client authentication but this page indicates
 that FreeIPA doesn't support windows clients:

 http://elladeon.fedorapeople.org/ipa/guide/Using_Microsoft_Windows.html

 Which is correct?


 The guide you referred to was contributed by another FreeIPA user showing
 one way to get Windows login working. It does this by mapping all IPA users
 to a single windows user (ipauser).

 This is not practical for most installations so we don't recommend it.

 The roadmap for the next major release of FreeIPA adds AD trust so the IPA
 realm can be trusted as part of an AD forest.

 rob


 On Tue, Sep 13, 2011 at 4:08 PM, Rob Crittenden rcrit...@redhat.com wrote:

Jimmy wrote:

I'm setting up a WinXP system to authenticate to FreeIPA. I followed the
directions listed here:

 http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step

I created the host account in FreeIPA, and the user, and I do get
prompted to change the initial password (and it seems to work), but as
soon as the password is changed (or subsequent login attempts) I get the
log-in message
"The system cannot log you on now because the domain is not available"


The guide says this happens when you don't log in using the
principal name, are you using that?

rob





Re: [Freeipa-users] Windows client logon

2011-09-13 Thread Rob Crittenden

Jimmy wrote:

I'm setting up a WinXP system to authenticate to FreeIPA. I followed the
directions listed here:
http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step

I created the host account in FreeIPA, and the user, and I do get
prompted to change the initial password (and it seems to work), but as
soon as the password is changed (or subsequent login attempts) I get the
log-in message
"The system cannot log you on now because the domain is not available"



The guide says this happens when you don't log in using the principal 
name, are you using that?


rob
