[Freeipa-users] LDAP authentication into FreeIPA

Jimmy g17jimmy at gmail.com
Wed Nov 16 01:44:47 UTC 2011


I did supply this to the list in the middle of September, but will re-send.
I know things get lost in the flow of emails/lists.

==============IPA and ksetup steps=================
I can't find the TechNet article right now, but here's what I did that makes
Win7 (and XP, but XP doesn't need the gpedit step) work.

One note about this: I kept getting strange errors with any encryption
besides rc4-hmac. For my situation I think it is suitable (a static
environment once the systems are deployed), but if others want to spend
more time hacking on the system MS messed up, go for it ;).

On FreeIPA:

i.    create the host principal in the web interface
ii.   create IPA users to correspond to Windows users
iii.  reset the user's IPA password to a known password using the web
      interface; the user will be prompted to change it at first log in. (Is there
      a default password or is this random? Sorry if that's somewhere else in the
      docs and I missed it.)
iv.   on the IPA server run `ipa-getkeytab -s [kdc DNS name] -p host/[machine-name] -e arcfour-hmac -k krb5.keytab.[machine-name] -P`
      (enter the password that will be used in the `ksetup /setcomputerpassword` below)

Configure Windows ksetup:

i.    ksetup /setdomain [REALM NAME]
ii.   ksetup /addkdc [REALM NAME] [kdc DNS name]
iii.  ksetup /addkpassword [REALM NAME] [kdc DNS name]
iv.   ksetup /setcomputerpassword [PASSWORD]
v.    ksetup /mapuser * *
vi.   Run gpedit.msc. Under Computer Configuration\Windows Settings\Security
      Settings\Local Policies\Security Options open the key called "Network
      Security: Configure encryption types allowed for Kerberos" and unselect
      everything except RC4_HMAC_MD5
vii.  *** REBOOT ***
viii. log in as [user]@[REALM] with the initial password; you will be
      prompted to change the password, then logged in.



On Tue, Nov 15, 2011 at 6:32 PM, Dmitri Pal <dpal at redhat.com> wrote:

> On 11/15/2011 04:01 PM, Jimmy wrote:
>
> I know the Windows systems don't have full integration with FreeIPA, but I
> have Windows systems authenticating to FreeIPA the same as they would to a
> regular MIT Kerberos system. They are not using the same config that is
> posted on the FreeIPA website where the IPA users are mapped to a single
> workstation user.
>
>
> Would you mind sharing your configuration and steps with us?
>
>
> Thank you
> Dmitri
>
>
>  Jimmy
>
> On Tue, Nov 15, 2011 at 3:40 PM, Steven Jones <Steven.Jones at vuw.ac.nz>wrote:
>
>> Hi,
>>
>> I don't think there is much realistic hope of getting windows to
>> authenticate to freeIPA... the others should be able to, and the fedora
>> docs on the freeipa documentation web page list a specific method for macs
>> for one (but I have not tried it yet, but I will be)... ubuntu has been
>> mentioned before... I have to try/do that as well...
>>
>> Siggi sent me some notes a while back,
>>
>> =============
>>
>> Ubuntu client install
>>
>>
>> https://help.ubuntu.com/10.04/serverguide/C/kerberos.html
>>
>>
>> sudo apt-get install krb5-user libpam-krb5 libpam-ccreds
>> auth-client-config
>>
>>
>> maybe also need libpam-ldap libnss-ldap
>>
>>
>> Use ipa-getkeytab on a IPA server to retrieve the keytab for the host,
>> and copy this to /etc/krb5.keytab on the Ubuntu client.
>>
>> [root at ipa1 ~]# ipa-getkeytab -s ipa1.ix.test.com -p host/ubuntu-client.ix.test.com -k /tmp/buntuclient_krb5.keytab
>>
>> If you prefer you can use something like CFengine to automate the whole
>> process.
>>
>> =============
>>
>> Hope that helps.
>>
>>
>> regards
>>
>> Steven Jones
>>
>> Technical Specialist - Linux RHCE
>>
>> Victoria University, Wellington, NZ
>>
>> 0064 4 463 6272
>>
>> ________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com]
>> on behalf of Boris Epstein [borepstein at gmail.com]
>> Sent: Wednesday, 16 November 2011 9:03 a.m.
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] LDAP authentication into FreeIPA
>>
>> Hello all,
>>
>> This may be my general LDAP illiteracy - I only dealt with it briefly
>> years ago - but I am trying to set up a FreeIPA server on Fedora 16 to have
>> my Macs and Ubuntu Linux machines as well as a couple of Windows boxes
>> authenticate to it - and seem not to be making much forward progress. Is there
>> a step-by-step writeup on how to do that sort of thing?
>>
>> Thanks for any and all help.
>>
>> Boris.
>>
>>  _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs? www.redhat.com/carveoutcosts/
>
>
>
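The Windows-side steps i to vii from Jimmy's post, as an added PowerShell script; this is not code from the original post or from the FreeIPA project. Realm, KDC name and computer password are placeholders (assumptions) that must be replaced; the password has to be the same one given to `ipa-getkeytab -P` on the IPA server. The kpasswd option is spelled `/addkpasswd` in ksetup's own syntax. Step vi is done through the registry value that backs the gpedit setting "Network security: Configure encryption types allowed for Kerberos" (a DWORD bitmask; 0x4 is RC4_HMAC_MD5 alone, which matches the `-e arcfour-hmac` keytab; AES128 would be 0x8 and AES256 0x10). Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post). Assumed placeholder values:
$Realm            = 'EXAMPLE.COM'            # assumption: the FreeIPA Kerberos realm
$Kdc              = 'ipa1.example.com'       # assumption: DNS name of the IPA KDC
$ComputerPassword = 'ChangeMe-Matches-ipa-getkeytab-P'   # must equal the -P password used with ipa-getkeytab

# Small wrapper so a failing ksetup step stops the script instead of silently continuing.
function Invoke-Ksetup {
    param([Parameter(Mandatory)][string[]]$Arguments)
    & ksetup.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "ksetup $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Steps i-v: realm, KDC, password-change server, machine key and user mapping.
Invoke-Ksetup @('/setdomain', $Realm)
Invoke-Ksetup @('/addkdc', $Realm, $Kdc)
Invoke-Ksetup @('/addkpasswd', $Realm, $Kdc)
Invoke-Ksetup @('/setcomputerpassword', $ComputerPassword)
Invoke-Ksetup @('/mapuser', '*', '*')

# Step vi: the gpedit setting is stored as the SupportedEncryptionTypes bitmask
# under the Kerberos policy key. 0x4 = RC4_HMAC_MD5 only (AES128 = 0x8, AES256 = 0x10).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name 'SupportedEncryptionTypes' -Type DWord -Value 0x4

# Checks before rebooting: ksetup with no arguments dumps the realm/KDC/kpasswd/mapping
# configuration, and the registry read confirms the enctype restriction took effect.
ksetup.exe
$etypes = (Get-ItemProperty -Path $PolicyKey -Name 'SupportedEncryptionTypes').SupportedEncryptionTypes
if ($etypes -ne 0x4) { throw "SupportedEncryptionTypes is 0x$($etypes.ToString('X')), expected 0x4" }

# Step vii: the policy change and computer password only apply after a reboot.
Write-Host "Configured realm $Realm with KDC $Kdc; reboot now, then log in as user@$Realm"
```

After the reboot, `klist` in the user's session should show a krbtgt/REALM ticket with enctype RC4-HMAC if the logon worked; if the host key in the keytab was generated with a different enctype than the one left enabled here, the logon fails at the AS/TGS exchange, which is the mismatch the post's "strange errors" note describes.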

