[Freeipa-users] Windows XP client can't login - Solved partially

Simo Sorce ssorce at redhat.com
Wed Nov 26 15:09:02 UTC 2008


On Tue, 2008-11-25 at 12:14 +0300, Konstantin Kozlov wrote:
> Kozlov wrote:
> > Simo Sorce пишет:
> >> On Mon, 2008-11-24 at 14:44 +0300, Konstantin Kozlov wrote:
> >>> Hello,
> >>>
> >>> I had not got any reply on the last post in
> >>> https://www.redhat.com/archives/freeipa-users/2008-November/msg00004.html 
> >>>
> >>> so I start a new thread with more precise title.
> >>>
> >>> I have ipaserver 1.2 on Fedora 9 and ipaclient on CentOS 5 with 
> >>> recompiled rpms from RHEL. I want to let an ipauser to login to 
> >>> Windows XP box.
> >>>
> >>> Did anybody succeed in such a challenge?
> >>>
> >>> I have the host principal, I've set up the Kerberos on WinXP with
> >>> ksetup, and got the key into krb5.keytab on ipaserver with password 
> >>> and enctype des-cbc-crc. But WinXP can't log the ipauser in.
> >>>
> >>> I've tried rc4-hmac but it made no difference. I have a question
> >>> concerning this - rc4-hmac is listed neither in kdc.conf nor in ldap
> >>> as a supported enctype, but ipa-getkeytab didn't show an error when I tried
> >>> to use this enctype. Should I add rc4-hmac in kdc.conf or the ldap entry, or
> >>> is it irrelevant as WinXP is also said to support des-cbc-crc?
> >>>
> >>> Thank you,
> >>
> >> I assume you also installed a GINA dll that can use the kerberos
> >> libraries to perform a login?
> > 
> > At what point does GINA come onto the scene?
> > 
> > Following the steps from another thread I've run
> > 
> > ksetup /setdomain ...
> > ksetup /addkdc ...
> > ksetup /setcomputerpassword ...
> > ksetup /mapuser ...
> > 
> > And WinXP asks for the login to Realm, kdc issues the ticket but WinXP 
> > doesn't accept the password. I've mapped the ipauser to winxpuser, not 
> > all to Administrator as in 
> > https://www.redhat.com/archives/freeipa-users/2008-October/msg00006.html. 
> > Can it be a problem?
> > 
> 
> This was a problem :) I've issued
> ksetup /mapuser * User
> and login now works.
> 
> klist shows tickets and tgt now.
> 
> But I can't access the samba share and ipa webui.
> 
> When I try to access samba share I get
> 
> Nov 25 11:40:32 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7 
> etypes {23 -133 -128 3 1 24 -135}) 10.10.1.201: UNKNOWN_SERVER: authtime 
> 1227602267,  kkozlov at BIO.SPBCAS.RU for cifs/hedgehog at BIO.SPBCAS.RU, 
> Server not found in Kerberos database

You need to get a keytab for samba using the principal:
cifs/hedgehog at BIO.SPBCAS.RU, then you need to tell samba to use that
keytab.

> in krb5kdc.log on ipaserver
> 
> and when I try webui (from Firefox 3.0.4 on WinXP after setting it up 
> like on Linux with certificates and negotiation)
> 
> Nov 25 12:04:57 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7 
> etypes {23 -133 -128 3 1 24 -135}) 10.10.1.201: ISSUE: authtime 
> 1227602267, etypes {rep=23 tkt=18 ses=23}, kkozlov at BIO.SPBCAS.RU for 
> HTTP/hedgehog.bio.spbcas.ru at BIO.SPBCAS.RU

You need to check if WinXP gets a forwardable ticket by default.
Check it with klist -f.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
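As an added example (not part of the thread), a small POSIX shell script that pulls the unknown service principals out of krb5kdc.log lines like the ones quoted above and prints the ipa-getkeytab command for fetching a keytab for each one. The log lines are constructed from the ones in the thread (the real KDC writes `user@REALM`; the list archive shows `user at REALM`), and the IPA server name and keytab path are placeholders.

```shell
#!/bin/sh
# Constructed sample of krb5kdc.log lines, modelled on the ones in the thread:
# one TGS_REQ rejected with UNKNOWN_SERVER (no cifs/ principal in the KDC),
# one ISSUE for the HTTP/ principal, and a repeat of the failure.
SAMPLE_LOG='Nov 25 11:40:32 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.10.1.201: UNKNOWN_SERVER: authtime 1227602267,  kkozlov@BIO.SPBCAS.RU for cifs/hedgehog@BIO.SPBCAS.RU, Server not found in Kerberos database
Nov 25 12:04:57 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.10.1.201: ISSUE: authtime 1227602267, etypes {rep=23 tkt=18 ses=23}, kkozlov@BIO.SPBCAS.RU for HTTP/hedgehog.bio.spbcas.ru@BIO.SPBCAS.RU
Nov 25 11:41:05 hedgehog.bio.spbcas.ru krb5kdc[30198](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 10.10.1.201: UNKNOWN_SERVER: authtime 1227602267,  kkozlov@BIO.SPBCAS.RU for cifs/hedgehog@BIO.SPBCAS.RU, Server not found in Kerberos database'

# Read KDC log text from stdin and print, one per line and de-duplicated,
# every service principal a client asked a ticket for that the KDC does not
# know (UNKNOWN_SERVER). The principal is the token after the last " for ".
unknown_server_principals() {
    grep 'TGS_REQ' | grep 'UNKNOWN_SERVER' \
      | sed -n 's/.* for \([^ ,]*\).*/\1/p' \
      | sort -u
}

# For each missing principal, print the ipa-getkeytab invocation (the FreeIPA
# tool the thread uses; -s server, -p principal, -k keytab) that would fetch
# a key for it into a keytab Samba can be pointed at. UNKNOWN_SERVER means the
# principal does not exist in the KDC yet, so it has to be added first
# (assumed here: ipa-addservice in FreeIPA 1.x). Server name and keytab path
# are placeholders; nothing is executed, the commands are only printed.
suggest_keytab_commands() {
    unknown_server_principals | while read -r princ; do
        printf 'ipa-getkeytab -s IPA_SERVER_PLACEHOLDER -p %s -k /etc/samba/samba.keytab\n' "$princ"
    done
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | suggest_keytab_commands
```

Run it against a real log with `unknown_server_principals < /var/log/krb5kdc.log` to see every service clients are asking for that the KDC cannot serve.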