[Freeipa-users] Windows Kerberos auth to IPA

Johan Venter mythtv at vulturest.com
Fri Oct 10 05:33:01 UTC 2008


Johan Venter wrote:
> Simo Sorce wrote:
>> The latest ipa-getkeytab should allow you to specify a password.

> How would I go about getting this latest version (can I just update the 
> one executable or do I have to find a way to update the whole of IPA?) 
> onto a server so I can use ipa-getkeytab to give a host principal a 
> password?

Ok, so I got recent source for ipa-getkeytab.c from Trac and 
incorporated that into my RPM build. I read through the source and 
didn't see that it required any special dependencies.

I used ipa-getkeytab like this to set the password for the host 
principal of the Windows machine:

# ipa-getkeytab -s kdc.example.local -p host/windowshost.example.local 
-k keys.txt -P

and set the password to 'password'.

On the Windows machine I issued:

ksetup /setdomain EXAMPLE.LOCAL
ksetup /addkdc EXAMPLE.LOCAL kdc.example.local
ksetup /setcomputerpassword password
ksetup /mapuser * Administrator

Rebooted the Windows machine and tried to log in with a Kerberos user. In 
the /var/log/krb5kdc.log on the IPA server I see:

Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (7 etypes 
{23 -133 -128 3 1 24 -135}) 172.17.16.16: NEEDED_PREAUTH: 
testuser at EXAMPLE.LOCAL for krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL, 
Additional pre-authentication required
Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (7 etypes 
{23 -133 -128 3 1 24 -135}) 172.17.16.16: NEEDED_PREAUTH: 
testuser at EXAMPLE.LOCAL for krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL, 
Additional pre-authentication required
Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (3 etypes 
{23 3 1}) 172.17.16.16: ISSUE: authtime 1223615889, etypes {rep=23 
tkt=18 ses=23}, testuser at EXAMPLE.LOCAL for 
krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL
Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (3 etypes 
{23 3 1}) 172.17.16.16: ISSUE: authtime 1223615889, etypes {rep=23 
tkt=18 ses=23}, testuser at EXAMPLE.LOCAL for 
krbtgt/EXAMPLE.LOCAL at EXAMPLE.LOCAL
Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): TGS_REQ (5 
etypes {23 3 1 24 -135}) 172.17.16.16: ISSUE: authtime 1223615889, 
etypes {rep=23 tkt=18 ses=23}, testuser at EXAMPLE.LOCAL for 
host/windowshost.example.local at EXAMPLE.LOCAL
Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): TGS_REQ (5 
etypes {23 3 1 24 -135}) 172.17.16.16: ISSUE: authtime 1223615889, 
etypes {rep=23 tkt=18 ses=23}, testuser at EXAMPLE.LOCAL for 
host/windowshost.example.local at EXAMPLE.LOCAL

Which all looks good to me (obviously I'm not using example.local and 
EXAMPLE.LOCAL, but I've modified the log output to protect my client), 
but it refuses to log in. Windows reports "The system could not log you 
on. Make sure your User name and domain are correct, then type your 
password again. Letters in passwords must be typed using the correct case."

I have:
  - checked that forward and reverse DNS is correct for all involved
  - changed the user password a dozen times
  - tried various different user mappings with ksetup
  - ensured the Windows time is correct (NTP'ing to IPA server)

Please help me to get this to work, it's driving me nuts - there are no 
errors anywhere and as far as I can see the Windows host is getting 
issued the appropriate tickets.

Thanks,
Johan.
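The krb5kdc.log records quoted above carry more diagnostic detail than "it all looks good" suggests, and reading them by hand is error-prone. The script below is an added example (not code from this thread, from Johan or Simo, or from FreeIPA itself) that parses MIT KDC log records of the shape shown in the post and reconstructs the logon flow: the pre-authentication round, the TGT issue, and the service-ticket issue. It also applies one check a practitioner would want here: in each ISSUE record, `tkt=` is the encryption type the service ticket was encrypted with (the service principal's key), while the braces before the client IP list the encryption types the requester advertised. Type 18 is aes256-cts-hmac-sha1-96 and type 23 is rc4-hmac; the negative numbers are Windows-private types. When a workstation requests a ticket for its own host/ principal at logon, it must be able to decrypt that ticket itself, so a `tkt=` type missing from the requester's own advertised list is worth verifying. The sample log is constructed from the post's records, with each record on one line and the mailing-list "at" obfuscation restored to "@"; the hostnames, IP and principal names are the placeholders the post already uses.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 3961 / IANA Kerberos encryption type numbers. Negative values are
# private-use types that Windows clients advertise; an MIT KDC holds no
# keys of those types, so they never satisfy a request.
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}

def etype_name(n: int) -> str:
    if n < 0:
        return f"private({n})"
    return ETYPE_NAMES.get(n, f"etype({n})")

# One krb5kdc.log record. ISSUE-only fields stay None on failures.
@dataclass
class KdcRecord:
    timestamp: str
    request: str          # AS_REQ or TGS_REQ
    client_etypes: list   # etypes the requester advertised
    client_ip: str
    status: str           # ISSUE, NEEDED_PREAUTH, ...
    client: str           # requesting principal
    service: str          # requested principal
    rep_etype: Optional[int] = None  # KDC reply to the client
    tkt_etype: Optional[int] = None  # ticket, under the service's key
    ses_etype: Optional[int] = None  # session key type
    detail: str = ""                 # failure text, if any

HEADER = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
ISSUE = re.compile(
    r"^authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) "
    r"ses=(?P<ses>-?\d+)\}, (?P<client>\S+) for (?P<service>\S+)$"
)
FAIL = re.compile(r"^(?P<client>\S+) for (?P<service>\S+)(?:, (?P<detail>.*))?$")

def parse_line(line: str) -> Optional[KdcRecord]:
    """Return a KdcRecord for a request/issue record, None for anything else."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    etypes = [int(x) for x in m["etypes"].split()]
    rec = KdcRecord(m["ts"], m["req"], etypes, m["ip"], m["status"], "", "")
    if rec.status == "ISSUE":
        im = ISSUE.match(m["rest"])
        if not im:
            return None
        rec.client, rec.service = im["client"], im["service"]
        rec.rep_etype, rec.tkt_etype, rec.ses_etype = (
            int(im["rep"]), int(im["tkt"]), int(im["ses"]))
    else:
        fm = FAIL.match(m["rest"])
        if not fm:
            return None
        rec.client, rec.service = fm["client"], fm["service"]
        rec.detail = fm["detail"] or ""
    return rec

def parse_kdc_log(text: str) -> list:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]

def service_ticket_mismatches(records: list) -> list:
    """TGS issues whose ticket enctype the requester itself did not advertise.

    Meaningful only when the requester is also the service that has to
    decrypt the ticket (a workstation fetching its own host/ ticket at
    logon). For tickets to unrelated servers this is normal and harmless.
    """
    out = []
    for r in records:
        if (r.request == "TGS_REQ" and r.status == "ISSUE"
                and r.tkt_etype not in r.client_etypes):
            out.append((r.client, r.service, r.tkt_etype, etype_name(r.tkt_etype)))
    return out

# Constructed sample, rebuilt from the records quoted in the post above.
SAMPLE_LOG = """\
Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.17.16.16: NEEDED_PREAUTH: testuser@EXAMPLE.LOCAL for krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL, Additional pre-authentication required
Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): AS_REQ (3 etypes {23 3 1}) 172.17.16.16: ISSUE: authtime 1223615889, etypes {rep=23 tkt=18 ses=23}, testuser@EXAMPLE.LOCAL for krbtgt/EXAMPLE.LOCAL@EXAMPLE.LOCAL
Oct 10 15:18:09 kdc.example.local krb5kdc[26526](info): TGS_REQ (5 etypes {23 3 1 24 -135}) 172.17.16.16: ISSUE: authtime 1223615889, etypes {rep=23 tkt=18 ses=23}, testuser@EXAMPLE.LOCAL for host/windowshost.example.local@EXAMPLE.LOCAL
"""

if __name__ == "__main__":
    records = parse_kdc_log(SAMPLE_LOG)
    for r in records:
        print(f"{r.timestamp} {r.request:<7} {r.status:<14} {r.client} -> {r.service}"
              f"  offered={[etype_name(e) for e in r.client_etypes]}"
              + (f"  tkt={etype_name(r.tkt_etype)}" if r.tkt_etype else ""))
    for client, service, tkt, name in service_ticket_mismatches(records):
        print(f"CHECK: {client} was issued a ticket for {service} encrypted with "
              f"{name} ({tkt}), an enctype the requester did not advertise")
```

Run against a real /var/log/krb5kdc.log, the flow listing shows whether the AS exchange completed and which service tickets were handed out, and the CHECK line points at the host key enctype to compare against what the Windows build in question supports.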
