[Freeipa-users] Windows Client Problem
Viji V Nair
vijivijayakumar at gmail.com
Mon Jan 5 05:42:51 UTC 2009
Hi,
I got it working!!!!!! I turned off the Windows firewall, synced all the
servers to a common NTP server!!!, and it simply got added.
But in Windows we still need to create a local user with local privileges to
map the Kerberos principal....
I could also see that the IPA server already has the Samba schema in the
directory server. Can we follow the documentation below to get it working as
a PDC with an IPA backend?
http://directory.fedoraproject.org/wiki/Howto:Samba
Thank you so much for all of your suggestions and support.
Thanks & Regards
Viji
On Sun, Jan 4, 2009 at 12:05 AM, Kozlov <mackoel at gmail.com> wrote:
> Hi,
>
> Puzzling...
>
> Did you try to put ipaserver and winxp box in /etc/hosts on both client and
> server?
>
> can you kinit from winxp?
>
> Best regards,
>
> Kostya
>
> Viji V Nair wrote:
>
>> Hi,
>>
>> I did the same, still having the same problem. I know that samba is not
>> needed for windowsxp to authenticate to freeIPA; as I said, kerberos was not
>> working for me (still trying on it with a fresh windows client installation),
>> so I have done a try with samba (removed samba and did a fresh IPA
>> installation). Here are the exact steps I have followed.
>>
>> On the IPA Server.
>>
>> 1. Added host principal and set the password for the xp client
>>
>> # ipa-addservice host/bmdata01.testing.com
>> # ipa-getkeytab -s viji.testing.com -p host/bmdata01.testing.com -e des-cbc-crc -k krb5.keytab.txt -P (asked for the password)
>>
>> 2. On the Client (Windows XP)
>>
>> a. Installed MIT kerberos windows client
>>
>> b. Created a user called ipauser
>>
>> c. Configured kerberos
>>
>> C:> ksetup /setrealm TESTING.COM
>> C:> ksetup /addkdc TESTING.COM viji.testing.com
>> C:> ksetup /setmachpassword <password>
>> C:> ksetup /mapuser * ipauser
>>
>> d. Rebooted the machine. After the reboot Windows is showing "TESTING.COM
>> (Kerberos Realm)" in the login screen, but when I enter a valid IPA user name
>> it throws the following error.
>>
>> "The system could not log you on. Make sure your user name and domain are
>> correct, and then type your password again. Letters in passwords must be
>> typed using the correct case."
>>
>> But the Kerberos server is issuing the tickets; I could see this in the logs.
>> Don't know what happened; I hope I did something wrong, but I am not getting
>> what went wrong and where. Your suggestions are greatly appreciated.
>>
>> Thanks
>> Viji
>>
>>
>> On Fri, Jan 2, 2009 at 12:05 AM, Kozlov <mackoel at gmail.com> wrote:
>>
>> Hi,
>>
>> I know this document and had set up samba3 that way.
>>
>> The problem is samba3 can't use kerberos from winxp. No way for now.
>>
>> Samba4 is in alpha stage, it uses ADS schema in LDAP and can't
>> work with FreeIPA.
>>
>> Samba is not needed for winxp to authenticate in freeipa.
>>
>> So if you need to authenticate winxp users in freeipa try to
>> follow the steps for setting up kerberos on winxp.
>>
>> Did you try the ipa-getkeytab with -e and -P?
>>
>> winxp needs that enctype and password to work with freeipa. And it
>> worked for me and some people on this list.
>>
>>
>> Best regards,
>>
>> Kostya
>>
>> Viji V Nair wrote:
>>
>> Hi,
>>
>> Yes, my goal is to set up an Active Directory substitution, but
>> I am not looking for a complete AD replacement. I really don't want
>> to use Windows Active Directory. In my organization around 60%
>> of the users are using Linux as their desktop; the remaining 40%
>> are on Windows XP SP3.
>>
>> I want to set up single sign-on using FreeIPA. I found the
>> attached document on the internet, so I tried to set up Samba
>> as a client to FreeIPA and authenticate Windows clients to
>> Samba and Samba to FreeIPA. (I tried this because I was
>> struggling with Windows to authenticate to Kerberos.)
>>
>> Please have a look at the attached document, I will try your
>> suggestions and post the results.
>>
>> Wishing you all a Happy and peaceful NEW YEAR.
>>
>> Thanks & Regards
>> Viji
>>
>> On Wed, Dec 31, 2008 at 9:22 PM, Kozlov <mackoel at gmail.com> wrote:
>>
>> Hi,
>>
>> I saw your posts on samba list :)
>> Is your goal to make the Active Directory substitution?
>>
>> Samba3 + FreeIPA won't work that way. Look for explanations on the
>> freeipa-users list. You either need Samba4 or no Kerberos
>> on Windows.
>>
>> However, samba3 can be used with FreeIPA as a File Sharing solution
>> and will use Single Sign On once you manage to set up winxp for IPA.
>>
>>
>> Best regards and Happy New Year!
>>
>> Kostya
>>
>> Viji V Nair wrote:
>> > Hi,
>> >
>> > I have set up samba as a PDC with kerberos and ldap. While adding the
>> > windows clients I get the following error message in the logs, and
>> > windows says the user name and password is incorrect
>> >
>> > [2008/12/31 19:00:09, 0] lib/util_sock.c:write_data(1059)
>> > [2008/12/31 19:00:09, 0] lib/util_sock.c:get_peer_addr_internal(1607)
>> > getpeername failed. Error was Transport endpoint is not connected
>> > write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
>> > [2008/12/31 19:00:09, 0] smbd/process.c:srv_send_smb(74)
>> > Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
>> >
>> > Any help on the same will be greatly appreciated.
>> >
>> > # rpm -qa |grep samba
>> > samba-client-3.2.5-0.23.fc10.x86_64
>> > samba-common-3.2.5-0.23.fc10.x86_64
>> > samba-3.2.5-0.23.fc10.x86_64
>> > samba-winbind-3.2.5-0.23.fc10.x86_64
>> >
>> > # uname -a
>> > Linux viji.testing.com 2.6.27.7-134.fc10.x86_64 #1 SMP Mon Dec 1 22:21:35 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
>> >
>> > # cat /etc/samba/smb.conf
>> > [global]
>> > workgroup = TESTING.COM
>> > server string = Samba Server Version %v
>> > security = user
>> > passdb backend = smbpasswd
>> > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>> > os level = 33
>> > domain logons = yes
>> > domain master = yes
>> > local master = yes
>> > preferred master = yes
>> > wins support = yes
>> > template shell = /bin/false
>> > realm = TESTING.COM
>> > use kerberos keytab = yes
>> > load printers = yes
>> > cups options = raw
>> > # log level = 3 passdb:5 auth:10
>> > [homes]
>> > comment = Home Directories
>> > browseable = no
>> > writable = yes
>> > [printers]
>> > comment = All Printers
>> > path = /var/spool/samba
>> > browseable = no
>> > guest ok = no
>> > writable = no
>> > printable = yes
>> > [share]
>> > comment = Share
>> > path = /share
>> > browseable = yes
>> > guest ok = no
>> > writable = yes
>> > valid users = admin
>> >
>> > Thanks
>> > Viji
>>
>>
>>
>> Viji V Nair wrote:
>>
>> Hi,
>>
>> I have done the modifications as suggested, but no luck,
>> getting the same error.
>>
>> # kinit admin
>> # ipa-addservice host/bmdata01.testing.com
>> # ipa-getkeytab -s viji.testing.com -p host/bmdata01.testing.com -k /etc/krb5.keytab
>>
>>
>> Could you please elaborate the steps which you have done to
>> get it working on both the client and server side?
>>
>> Thanks
>> Viji
>>
>> On Tue, Dec 30, 2008 at 11:46 PM, Kozlov <mackoel at gmail.com> wrote:
>>
>> Hi,
>>
>> The minor comment is that kadmin is supposed to be substituted with
>> ipa-addservice.
>>
>> The major comment is that you've missed ipa-getkeytab on ipaserver
>> that actually SETS password that you then install on winxp.
>>
>> And try to map all users to one: for example, "* Administrator".
>>
>> Best regards,
>>
>> Kostya
>>
>> Viji V Nair wrote:
>>
>> Hi,
>>
>> Thank you for the information, I have tried all these steps, but
>> no success
>>
>> 1. On the IPA Server I have created a host principal using the
>> following command.
>>
>> # kadmin -q "ank host/bmdata01.testing.com"
>>
>>
>>
>> 2. On the windows xp client
>>
>> C:> ksetup /setrealm TESTING.COM
>> C:> ksetup /addkdc TESTING.COM viji.bigmaps.com
>> C:> ksetup /setmachpassword <password>
>> C:> ksetup /mapuser admin@TESTING.COM guest
>> C:> ksetup /mapuser * *
>>
>> After the above setup windows is showing TESTING.COM as a Kerberos Realm on
>> the login screen, but when I try to login using the user name "admin" it is
>> throwing the following error.
>>
>>
>> "The system could not log you on. Make sure your user name and domain are
>> correct, and then type your password again. Letters in passwords must be
>> typed using the correct case."
>>
>> But the IPA (kerberos) server is issuing the tickets, the log shows:
>>
>> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required
>> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM
>> Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM
>>
>>
>> I have found an article on the Microsoft website saying this is a bug and
>> to apply the latest service pack (SP3). I even tried that, but no success.
>>
>> http://support.microsoft.com/kb/825081
>>
>> Similar Thread:
>>
>> http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html
>>
>> Thanks & Regards
>>
>> Viji
>>
>>
>> On Mon, Dec 29, 2008 at 6:35 PM, Konstantin Kozlov <kozlov at spbcas.ru> wrote:
>>
>> Hi,
>>
>> You can search the list for a similar thread and here are the steps
>> I've followed with success:
>>
>> Add host principal for winxp machine with the encoding des-cbc-crc
>> and password (-P option for ipa-getkeytab). Do not store this
>> keytab in /etc/krb5.keytab but rather in some other file.
>>
>> Install MS Support Tools on WinXP, and run
>>
>> ksetup /setdomain ...
>> ksetup /addkdc ...
>> ksetup /setcomputerpassword ...
>> ksetup /mapuser * <your user>
>>
>> WinXP machine asks to login to Kerberos realm at login screen.
>>
>> I failed to map one ipa-user to one win-user. But maybe because I
>> didn't have enough time. If you succeed, leave a note here please.
>>
>> Best regards,
>>
>> Kostya
>>
>> Viji V Nair wrote:
>>
>> Hi,
>>
>> I am a new user of free-ipa, I have installed the free-ipa
>> packages shipped with fedora 10. I have more than 100 windows
>> clients to authenticate. Here is my problem,
>>
>> All the clients are XP SP2, I have installed MIT Kerberos for
>> Windows 3.2.2. Always the native windows login prompt appears
>> first; when I login to windows the kerberos client is asking for
>> authentication.
>>
>> I want to replace this windows authentication with kerberos
>>
>> Any help on the same will be greatly appreciated.
>>
>> Thanks
>> Viji
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>>
>> -- Konstantin Kozlov
>> Department of Computational Biology,
>> Center for Advanced Studies,
>> SPb State Polytechnical University,
>> 195251, Polytechnicheskaya ul., 29,
>> bld 4, office 204,
>> St.Petersburg, Russia.
>>
>> Tel./fax: +7 812 596 2831
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>
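The krb5kdc log lines quoted in the thread (an AS_REQ answered with NEEDED_PREAUTH, the same AS_REQ answered with ISSUE after pre-authentication, then a TGS_REQ ISSUE for host/bmdata01.testing.com) are what shows the KDC side working while the XP logon still failed. The following Python is an added example, not code from this thread, from FreeIPA or from MIT Kerberos: it parses that log format and then flags service tickets sealed with an enctype the requesting client never advertised. In the sample the host ticket is tkt=18 (aes256-cts-hmac-sha1-96) while XP offered only RC4, DES and its private negative-numbered types; because the key for a host principal is the keytab installed on that very machine, this is my reading of why Kostya's advice is to create the keytab with -e des-cbc-crc, not something the thread states in those words. The sample log is the thread's three lines re-joined; the enctype-name table and the mismatch rule are assumptions of this example.

```python
"""Parse MIT krb5kdc log lines (the format quoted in this thread) and flag
service tickets issued with an enctype the requesting client never offered.

Added example for this thread; not FreeIPA or MIT Kerberos code. It assumes
the krb5kdc.log line shape shown in the thread (AS_REQ/TGS_REQ with ISSUE or
NEEDED_PREAUTH); lines of any other shape are skipped, not guessed at.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the three log lines from the thread, re-joined onto one
# line each after the mail archive wrapped them.
SAMPLE_LOG = """\
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM
"""

# IANA Kerberos enctype numbers. Negative values are Microsoft private
# enctypes that Windows XP advertises; an MIT KDC never selects them.
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}


def etype_name(n: int) -> str:
    """Human-readable name for an enctype number."""
    if n < 0:
        return f"ms-private({n})"
    return ETYPE_NAMES.get(n, f"etype({n})")


LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\(info\): "
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<client_etypes>[^}]*)\}\) "
    r"(?P<ip>[\d.]+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{rep=\d+ tkt=(?P<tkt>\d+) ses=(?P<ses>\d+)\}, )?"
    r"(?P<client>\S+) for (?P<server>\S+?)(?:, (?P<msg>.*))?$"
)


@dataclass
class KdcEvent:
    timestamp: str
    request: str               # "AS_REQ" or "TGS_REQ"
    client_etypes: List[int]   # enctypes the client advertised in the request
    client_ip: str
    status: str                # "ISSUE", "NEEDED_PREAUTH", ...
    client: str                # requesting principal
    server: str                # service principal the ticket is for
    ticket_etype: Optional[int] = None   # enctype the ticket is sealed with (service key)
    session_etype: Optional[int] = None  # enctype of the session key
    message: str = ""          # trailing text, e.g. the pre-auth hint


def parse_kdc_line(line: str) -> Optional[KdcEvent]:
    """Parse one krb5kdc.log line; None if it is not an AS/TGS request line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return KdcEvent(
        timestamp=m["ts"], request=m["req"],
        client_etypes=[int(x) for x in m["client_etypes"].split()],
        client_ip=m["ip"], status=m["status"],
        client=m["client"], server=m["server"],
        ticket_etype=int(m["tkt"]) if m["tkt"] else None,
        session_etype=int(m["ses"]) if m["ses"] else None,
        message=m["msg"] or "",
    )


def parse_kdc_log(text: str) -> List[KdcEvent]:
    """Parse every recognised line of a krb5kdc.log excerpt."""
    events = [parse_kdc_line(ln) for ln in text.splitlines()]
    return [ev for ev in events if ev is not None]


def ticket_etype_mismatches(events: List[KdcEvent]) -> List[KdcEvent]:
    """Service tickets (TGS_REQ ISSUE, not the TGT) whose ticket enctype the
    client did not advertise. A service ticket is sealed with the service's
    key; when the service is the host principal of the requesting machine,
    that machine must hold a key of this enctype in its keytab, so the
    mismatch is a strong hint that the keytab was created with the wrong -e.
    """
    return [
        ev for ev in events
        if ev.request == "TGS_REQ" and ev.status == "ISSUE"
        and not ev.server.startswith("krbtgt/")
        and ev.ticket_etype is not None
        and ev.ticket_etype not in ev.client_etypes
    ]


def summarize_by_client(events: List[KdcEvent]) -> Dict[str, Dict[str, int]]:
    """Count KDC statuses per client principal (ISSUE vs NEEDED_PREAUTH etc.)."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ev in events:
        counts[ev.client][ev.status] += 1
    return {c: dict(s) for c, s in counts.items()}


if __name__ == "__main__":
    evs = parse_kdc_log(SAMPLE_LOG)
    print(summarize_by_client(evs))
    for ev in ticket_etype_mismatches(evs):
        print(f"{ev.client_ip} got a ticket for {ev.server} sealed with "
              f"{etype_name(ev.ticket_etype)}, but offered only "
              f"{[etype_name(e) for e in ev.client_etypes]}")
```

Run against a real /var/log/krb5kdc.log, the summary shows at a glance whether the KDC ever reached ISSUE for a client (it did here, so the failure was on the Windows side), and the mismatch list points at host principals whose keytab enctype does not match what the client can use. The rule deliberately ignores the TGT: the client never decrypts the TGT, so its enctype says nothing about the client's own keys.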