Kerberos, Windows and FreeIPA

Russ Allbery eagle at eyrie.org
Fri Oct 23 16:17:36 EDT 2015


Randolph Morgan <randym at chem.byu.edu> writes:

> We are running a mixed environment network.  However, all of our
> authentication is performed via LDAP, we do not have an AD on our
> network, nor do we have any Windows servers, all of our servers are
> running RHEL.  We are working on implementing a new authentication
> server that is running FreeIPA, but would like to do single sign-on via
> Kerberos.  I have been reading posts for the better part of two weeks
> and can not find instructions that work, on how to get Windows (XP - 10)
> to authenticate via Kerberos.

There used to be various workarounds that would let you do this, but when
we asked Microsoft about it, they said it was officially unsupported and
very likely to break.  I think subsequent releases of Windows may have
broken it.

I believe the only supported way to get a Windows system to use Kerberos
for its integrated login is to join the host to a domain (whether AD or
Samba).

You can, of course, run Kerberos software on unjoined Windows hosts, get
tickets, and authenticate to Kerberos services without any trouble.  The
problems arise when you want the core OS stuff to use Kerberos directly,
since I believe all of that is effectively gated on being domain-joined.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>

