[Freeipa-users] Windows Client Problem
Kozlov
mackoel at gmail.com
Sat Jan 3 18:35:57 UTC 2009
Hi,
Puzzling...
Did you try to put ipaserver and winxp box in /etc/hosts on both client
and server?
Can you kinit from winxp?
Best regards,
Kostya
Viji V Nair writes:
> Hi,
>
> I did the same, still having the same problem. I know that samba is
> not needed for windowsxp to authenticate to freeIPA, as I said
> kerberos was not working for me (still trying on it with fresh windows
> client installation), so I have done a try with samba (removed samba
> and did a fresh IPA installation). Here are the exact steps I have
> followed.
>
> On the IPA Server.
>
> 1. Added host principal and set the password for the xp client
>
> # ipa-addservice host/bmdata01.testing.com
> # ipa-getkeytab -s viji.testing.com -p host/bmdata01.testing.com -e des-cbc-crc -k krb5.keytab.txt -P (asked for the password)
>
> 2. On the Client (Windows XP)
>
> a. Installed MIT kerberos windows client
>
> b. Created a user called ipauser
>
> c. Configured kerberos
>
> C:> ksetup /setrealm TESTING.COM
> C:> ksetup /addkdc TESTING.COM viji.testing.com
> C:> ksetup /setmachpassword <password>
> C:> ksetup /mapuser * ipauser
>
> d. Rebooted the machine, after the reboot windows is showing
> "TESTING.COM (Kerberos Realm)" in the login screen, but when I enter
> a valid ipa user name it is throwing the following error.
>
> "The system could not log you on. Make sure your user name and
> domain are correct, and then type your password again. Letters in
> passwords must be typed using the correct case."
>
> But the kerberos server is issuing the tickets, I could see this in the
> logs. Don't know what happened, hope I did something wrong, but not
> getting what went wrong and where. Your suggestions are greatly
> appreciated.
>
> Thanks
> Viji
>
>
>
> On Fri, Jan 2, 2009 at 12:05 AM, Kozlov <mackoel at gmail.com> wrote:
>
> Hi,
>
> I know this document and had set up samba3 that way.
>
> The problem is samba3 can't use kerberos from winxp. No way for now.
>
> Samba4 is in alpha stage, it uses ADS schema in LDAP and can't
> work with FreeIPA.
>
> Samba is not needed for winxp to authenticate in freeipa.
>
> So if you need to authenticate winxp users in freeipa try to
> follow the steps for setting up kerberos on winxp.
>
> Did you try the ipa-getkeytab with -e and -P?
>
> winxp needs that enctype and password to work with freeipa. And it
> worked for me and some people on this list.
>
>
> Best regards,
>
> Kostya
>
> Viji V Nair writes:
>
> Hi,
>
> Yes, my goal is to setup an Active Directory substitution, but
> not looking for a complete AD replacement. I really don't want
> to use windows active directory. In my organization around 60%
> of the users are using Linux as their desktop, remaining 40%
> is on windows XP SP3.
>
> I want to setup single sign on using free IPA, I found the
> attached document on the internet, so I tried to setup samba
> as a client to freeIPA and authenticate windows clients to
> samba and samba to freeIPA. (I tried this because I was
> struggling with windows to authenticate to the kerberos)
>
> Please have a look at the attached document, I will try your
> suggestions and post the results.
>
> Wishing you all a Happy and peaceful NEW YEAR.
>
> Thanks & Regards
> Viji
>
> On Wed, Dec 31, 2008 at 9:22 PM, Kozlov <mackoel at gmail.com> wrote:
>
> Hi,
>
> I saw your posts on samba list :)
> Is your goal to make the Active Directory substitution?
>
> Samba3 + FreeIPA won't work that way. Look for explanations on
> freeipa-users list. You either need Samba4 or no kerberos
> on Windows.
>
> However, samba3 can be used with FreeIPA as a File Sharing solution
> and will use Single Sign On once you have managed to set up winxp for
> IPA.
>
>
> Best regards and Happy New Year!
>
> Kostya
>
> Viji V Nair writes:
> > Hi,
> >
> > I have setup samba as a PDC with kerberos and ldap. While adding
> > the windows clients I get the following error message on the logs, and
> > windows says the user name and password is incorrect
> >
> > [2008/12/31 19:00:09, 0] lib/util_sock.c:write_data(1059)
> > [2008/12/31 19:00:09, 0] lib/util_sock.c:get_peer_addr_internal(1607)
> > getpeername failed. Error was Transport endpoint is not connected
> > write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
> > [2008/12/31 19:00:09, 0] smbd/process.c:srv_send_smb(74)
> > Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
> >
> > Any help on the same will be greatly appreciated.
> >
> > # rpm -qa |grep samba
> > samba-client-3.2.5-0.23.fc10.x86_64
> > samba-common-3.2.5-0.23.fc10.x86_64
> > samba-3.2.5-0.23.fc10.x86_64
> > samba-winbind-3.2.5-0.23.fc10.x86_64
> >
> > # uname -a
> > Linux viji.testing.com 2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
> >
> > # cat /etc/samba/smb.conf
> > [global]
> > workgroup = TESTING.COM
> > server string = Samba Server Version %v
> > security = user
> > passdb backend = smbpasswd
> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> > os level = 33
> > domain logons = yes
> > domain master = yes
> > local master = yes
> > preferred master = yes
> > wins support = yes
> > template shell = /bin/false
> > realm = TESTING.COM
> > use kerberos keytab = yes
> > load printers = yes
> > cups options = raw
> > # log level = 3 passdb:5 auth:10
> > [homes]
> > comment = Home Directories
> > browseable = no
> > writable = yes
> > [printers]
> > comment = All Printers
> > path = /var/spool/samba
> > browseable = no
> > guest ok = no
> > writable = no
> > printable = yes
> > [share]
> > comment = Share
> > path = /share
> > browseable = yes
> > guest ok = no
> > writable = yes
> > valid users = admin
> >
> > Thanks
> > Viji
>
>
>
> Viji V Nair writes:
>
> Hi,
>
> I have done the modifications as suggested, but no luck,
> getting the same error.
>
> # kinit admin
> # ipa-addservice host/bmdata01.testing.com
> # ipa-getkeytab -s viji.testing.com -p host/bmdata01.testing.com -k /etc/krb5.keytab
>
>
> Could you please elaborate the steps which you have done to
> get it working on both the client and server side?
>
> Thanks
> Viji
>
> On Tue, Dec 30, 2008 at 11:46 PM, Kozlov <mackoel at gmail.com> wrote:
>
> Hi,
>
> The minor comment is that kadmin is supposed to be substituted with
> ipa-addservice.
>
> The major comment is that you've missed ipa-getkeytab on ipaserver
> that actually SETS password that you then install on winxp.
>
> And try to map all users to one: for example, "* Administrator".
>
> Best regards,
>
> Kostya
>
> Viji V Nair writes:
>
> Hi,
>
> Thank you for the information, I have tried all these steps, but
> no success
>
> 1. On the IPA Server I have created a host principal using the
> following command.
>
> # kadmin -q "ank host/bmdata01.testing.com"
>
>
>
> 2. On the windows xp client
>
> C:> ksetup /setrealm TESTING.COM
> C:> ksetup /addkdc TESTING.COM viji.bigmaps.com
> C:> ksetup /setmachpassword <password>
> C:> ksetup /mapuser admin@TESTING.COM guest
> C:> ksetup /mapuser * *
>
> After the above setup windows is showing TESTING.COM as a Kerberos
> Realm on the login screen, but when I try to login using the user name
> "admin" it is throwing the following error.
>
>
> "The system could not log you on. Make sure your user name and
> domain are correct, and then type your password again. Letters
> in passwords must be typed using the correct case."
>
> But the IPA (kerberos) server is issuing the tickets, the log shows:
>
> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required
> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM
> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM
>
>
> I have found an article on the Microsoft website saying this is a
> bug and to apply the latest service pack (SP3). I even tried that,
> but no success.
>
> http://support.microsoft.com/kb/825081
>
> Similar Thread:
>
> http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html
>
> Thanks & Regards
>
> Viji
>
>
> On Mon, Dec 29, 2008 at 6:35 PM, Konstantin Kozlov <kozlov at spbcas.ru> wrote:
>
> Hi,
>
> You can search the list for a similar thread and here are the steps
> I've followed with success:
>
> Add host principal for winxp machine with the encoding des-cbc-crc
> and password (-P option for ipa-getkeytab). Do not store this
> keytab in /etc/krb5.keytab but rather in some other file.
>
> Install MS Support Tools on WinXP, and run
>
> ksetup /setdomain ...
> ksetup /addkdc ...
> ksetup /setcomputerpassword ...
> ksetup /mapuser * <your user>
>
> WinXP machine asks to login to Kerberos realm at
> login screen.
>
> I failed to map one ipa-user to one win-user. But maybe because I
> didn't have enough time. If you will succeed - leave a note here
> please.
>
> Best regards,
>
> Kostya
>
> Viji V Nair wrote:
>
> Hi,
>
> I am a new user of free-ipa, I have installed the free-ipa packages
> shipped with fedora 10. I have more than 100 windows clients to
> authenticate. Here is my problem,
>
> All the clients are XP SP2, I have installed MIT Kerberos for
> Windows 3.2.2. Always the native windows login prompt appears
> first, when I log in to windows the kerberos client is asking for
> authentication.
>
> I want to replace this windows authentication
> with kerberos
>
> Any help on the same will be greatly appreciated.
>
> Thanks
> Viji
>
>
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> --
> Konstantin Kozlov
> Department of Computational Biology,
> Center for Advanced Studies,
> SPb State Polytechnical University,
> 195251, Polytechnicheskaya ul., 29,
> bld 4, office 204,
> St.Petersburg, Russia.
>
> Tel./fax: +7 812 596 2831
>
>
>
>
>
>
>
>
>
>
>
>
>
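As an added example (not part of this thread, nor FreeIPA or MIT Kerberos code), the following Python script parses krb5kdc log lines of the shape quoted above and reports which encryption types the client offered and which the KDC actually issued. The sample lines are constructed to match the format quoted in the thread, with mailman's "at" mangling of principals undone; all function and variable names are my own. The point for a defender is that the KDC log already answers the question the thread circles around: the XP client offers only single-DES and RC4 types, while the service ticket for host/bmdata01.testing.com is issued with etype 18 (aes256-cts-hmac-sha1-96), a type Windows XP cannot decrypt, which is why the -e des-cbc-crc keytab advice matters. The same audit also shows where deprecated etypes remain in use so they can be retired once such clients are gone.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, modelled on the krb5kdc lines quoted in this thread
# (mailman's "admin at TESTING.COM" mangling undone); not a real capture.
SAMPLE_LOG = """\
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM
"""

# Standard Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp",
}
# Single DES and RC4 are deprecated (RFC 6649, RFC 8429). Negative numbers are
# non-standard, pre-standard Windows RC4 variants; treat them as weak as well.
WEAK_ETYPES = {1, 2, 3, 23, 24}


def etype_name(n: int) -> str:
    if n < 0:
        return f"nonstandard({n})"
    return ETYPE_NAMES.get(n, f"etype{n}")


def is_weak(n: int) -> bool:
    return n < 0 or n in WEAK_ETYPES


# One regex for both AS_REQ and TGS_REQ lines; the "authtime ..., etypes {...}"
# part only appears on ISSUE lines, so it is optional.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[-\d ]*)\}\) (?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) ses=(?P<ses>-?\d+)\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)"
)


@dataclass
class KdcRequest:
    req_type: str              # AS_REQ or TGS_REQ
    client_ip: str
    status: str                # e.g. NEEDED_PREAUTH, ISSUE
    client: str                # client principal
    service: str               # requested service principal
    offered: List[int]         # etypes the client offered
    rep: Optional[int] = None  # reply encryption etype (ISSUE lines only)
    tkt: Optional[int] = None  # ticket etype, i.e. the service key's etype
    ses: Optional[int] = None  # session key etype


def parse_kdc_log(text: str) -> List[KdcRequest]:
    """Parse krb5kdc AS_REQ/TGS_REQ lines; unrelated lines are skipped."""
    requests = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        g = m.groupdict()
        requests.append(KdcRequest(
            req_type=g["req"], client_ip=g["ip"], status=g["status"],
            client=g["client"], service=g["service"],
            offered=[int(x) for x in g["offered"].split()],
            rep=int(g["rep"]) if g["rep"] else None,
            tkt=int(g["tkt"]) if g["tkt"] else None,
            ses=int(g["ses"]) if g["ses"] else None,
        ))
    return requests


def issued_ticket_etypes(requests: List[KdcRequest]) -> Dict[str, str]:
    """Map each service principal to the etype of the last ticket issued for it."""
    return {r.service: etype_name(r.tkt)
            for r in requests if r.status == "ISSUE" and r.tkt is not None}


def audit_etypes(requests: List[KdcRequest]) -> List[str]:
    """Report weak etypes offered by clients and weak etypes the KDC issued."""
    findings = []
    for r in requests:
        weak_offered = sorted(e for e in r.offered if is_weak(e))
        if weak_offered:
            findings.append(
                f"{r.req_type} from {r.client_ip} ({r.client}) offered weak etypes: "
                + ", ".join(etype_name(e) for e in weak_offered))
        if r.status == "ISSUE":
            for label, val in (("ticket", r.tkt), ("session key", r.ses)):
                if val is not None and is_weak(val):
                    findings.append(
                        f"{r.req_type} ISSUE for {r.service}: {label} uses {etype_name(val)}")
    return findings


if __name__ == "__main__":
    parsed = parse_kdc_log(SAMPLE_LOG)
    for service, name in issued_ticket_etypes(parsed).items():
        print(f"ticket for {service}: {name}")
    for finding in audit_etypes(parsed):
        print(finding)
```

On the sample, `issued_ticket_etypes` reports both the krbtgt and the host/bmdata01.testing.com tickets as aes256-cts-hmac-sha1-96, and `audit_etypes` flags every request as offering DES and RC4 and every issued session key as rc4-hmac (etype 23). Pointed at a real krb5kdc.log the same two functions give an inventory of which principals still have weak keys in their keytabs and which clients still negotiate them.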