[Freeipa-users] Windows XP client can't login

Kozlov mackoel at gmail.com
Tue Nov 25 04:55:10 UTC 2008


Simo Sorce wrote:
> On Mon, 2008-11-24 at 14:44 +0300, Konstantin Kozlov wrote:
>> Hello,
>>
>> I had not got any reply on the last post in
>> https://www.redhat.com/archives/freeipa-users/2008-November/msg00004.html
>> so I start a new thread with more precise title.
>>
>> I have ipaserver 1.2 on Fedora 9 and ipaclient on CentOS 5 with 
>> recompiled rpms from RHEL. I want to let an ipauser log in to a Windows 
>> XP box.
>>
>> Did anybody succeed in such a challenge?
>>
>> I have the host principal, I've set up the Kerberos on WinXP with
>> ksetup, and got the key into krb5.keytab on ipaserver with password and 
>> enctype des-cbc-crc. But WinXP can't log the ipauser in.
>>
>> I've tried rc4-hmac but it made no difference. I have a question
>> concerning this - rc4-hmac is listed neither in kdc.conf nor in ldap
>> as supported enctype but ipa-getkeytab didn't show an error when I tried
>> to use this enctype. Should I add rc4-hmac in kdc.conf or ldap entry or
>> it is irrelevant as WinXP is also said to support des-cbc-crc?
>>
>> Thank you,
> 
> I assume you also installed a GINA dll that can use the kerberos
> libraries to perform a login?

At what point does GINA come onto the scene?

Following the steps from another thread I've run

ksetup /setdomain ...
ksetup /addkdc ...
ksetup /setcomputerpassword ...
ksetup /mapuser ...

And WinXP asks for the login to Realm, kdc issues the ticket but WinXP 
doesn't accept the password. I've mapped the ipauser to winxpuser, not 
all to Administrator as in 
https://www.redhat.com/archives/freeipa-users/2008-October/msg00006.html. 
Can it be a problem?

> Just setting up kerberos is not enough to allow a login.
> At least for testing, des-cbc-crc shouldn't be a problem. It would
> certainly be better to use something stronger in production, but one
> step at a time :)
> 
> For a start, does kinit work at all on the WinXP client?
> 

Yes, 'kinit ipauser' accepts password, but klist doesn't show tickets.

Thanks for the help!

Kostya



