Kerberos, Windows and FreeIPA

Dmitri Pal dpal at redhat.com
Sun Oct 25 20:39:40 EDT 2015


On 10/23/2015 02:58 PM, Randolph Morgan wrote:
> We are running a mixed environment network.  However, all of our 
> authentication is performed via LDAP, we do not have an AD on our 
> network, nor do we have any Windows servers, all of our servers are 
> running RHEL.  We are working on implementing a new authentication 
> server that is running FreeIPA, but would like to do single sign-on via 
> Kerberos.  I have been reading posts for the better part of two weeks 
> and can not find instructions that work, on how to get Windows (XP - 10) 
> to authenticate via Kerberos.  Here is a list of some of the sites that 
> I have looked at:
>
> https://support.microsoft.com/en-us/kb/837361
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html
> https://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/domain-member.html#id2573486 
>
> http://www.freeipa.org/page/Windows_authentication_against_FreeIPA
> https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/Using_Microsoft_Windows.html 
> (This is an older post but I was getting desperate)
> http://www.freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step 
>
>
> So here is the problem, when I attempt to set the Realm on the Windows 
> client I receive the following error:
>
> C:\Users\randym>ksetup /setrealm CHEM.BYU.EDU
> Setting Dns Domain
> Failed to set dns domain info: 0xc0000022
> Failed /SetRealm : 0xc0000022
>
> I have tried several varieties of this command, including setting the 
> domain instead of the realm and always get the same result.  Can someone 
> please put together a step by step process that includes both server 
> side and client side for configuring Kerberos to work with Windows and 
> FreeIPA.
>
> Thank You in advance,
>
> Randy
>

I know that people were able to do it by creating local accounts that
match IPA user accounts.
AFAIK this is the only way how things can be accomplished with direct
integration of Windows systems into IPA.
There is work going on to support Samba for Windows systems and IPA for
Linux and have trusts between them but this work is not complete on both
sides. IPA needs to grow Global Catalog capability and Samba needs to
complete port to MIT Kerberos. There are several things that are still
missing there to be able to switch from Heimdal implementation.

Also if something is not working with Windows setup you found on the
freeIPA site please address your question to freeipa-users list. Also
archives of that list might help too.

-- 
Thank you,
Dmitri Pal

Engineering Director, Identity Management and Platform Security
Red Hat, Inc.



More information about the Kerberos mailing list