Windows authentication against FreeIPA
On FreeIPA:
1. Create the host principal in the web interface
2. Create IPA users to correspond to windows users
3. Reset the user's IPA password to a known password using the web interface or CLI; the user will be prompted to change it at first log in.
4. On the IPA server run:
   ipa-getkeytab -s [kdc DNS name] \
                 -p host/[machine-name] \
                 -e arcfour-hmac \
                 -k krb5.keytab.[machine-name] \
                 -P
At the prompt enter a random MACHINE_PASSWORD (you will enter this later on the Windows machine too).
Note: you can change the -e argument to also include AES enctypes once the fix for [2038] is released in a stable version.
On Windows, configure Kerberos with ksetup:
1. ksetup /setdomain [REALM NAME]
2. ksetup /addkdc [REALM NAME] [kdc DNS name]
3. ksetup /addkpassword [REALM NAME] [kdc DNS name]
4. ksetup /setcomputerpassword [MACHINE_PASSWORD] (the one used above)
5. ksetup /mapuser * *
6. Run gpedit.msc and open the policy "Network Security: Configure encryption types allowed for Kerberos" under Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, then deselect everything except RC4_HMAC_MD5.
7. *** REBOOT ***
8. Log in as [user]@[REALM] with the initial password; you will be prompted to change the password and then be logged in.
Note: Step 6 will not be needed when the fix for [2038] is released in a stable version.
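The Windows-side steps 1 through 6 above as one script, an added example that is not from the original page or from the FreeIPA project. It assumes the placeholder realm, KDC name and MACHINE_PASSWORD are replaced with yours, and that the gpedit policy in step 6 is backed by the SupportedEncryptionTypes registry value written here (RC4_HMAC_MD5 = 0x4 in that bitmask).

```powershell
# Added example: run from an elevated PowerShell prompt on the Windows machine.
# Placeholders: replace the realm and KDC with your own values.
$Realm = 'EXAMPLE.TEST'          # placeholder: IPA realm, upper case
$Kdc   = 'ipa.example.test'      # placeholder: KDC DNS name
$MachinePassword = Read-Host 'MACHINE_PASSWORD used with ipa-getkeytab -P'

# Steps 1-5: each ksetup call must succeed before the next one runs.
$steps = @(
    @('/setdomain',           $Realm),
    @('/addkdc',              $Realm, $Kdc),
    @('/addkpassword',        $Realm, $Kdc),
    @('/setcomputerpassword', $MachinePassword),
    @('/mapuser',             '*', '*')
)
foreach ($a in $steps) {
    & ksetup.exe @a
    if ($LASTEXITCODE -ne 0) {
        throw "ksetup $($a[0]) failed with exit code $LASTEXITCODE"
    }
}

# Step 6: the gpedit policy writes this DWORD bitmask (assumed mapping).
# 0x4  = RC4_HMAC_MD5 only, which the page requires until the [2038] fix ships.
# 0x1C = RC4 + AES128 + AES256, the value to move to once AES enctypes are in the keytab.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
New-Item -Path $polKey -Force | Out-Null
Set-ItemProperty -Path $polKey -Name 'SupportedEncryptionTypes' -Type DWord -Value 0x4

# Check what was configured before the reboot in step 7:
# ksetup with no arguments prints the realm, KDC and password-server settings.
ksetup.exe
Get-ItemProperty -Path $polKey -Name 'SupportedEncryptionTypes'
```

The password is passed to ksetup on its command line, so clear the PowerShell history afterwards if the host keeps one; reboot as in step 7 before testing the logon.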
---
The FreeIPA team thanks 'Jimmy' for providing this information on the freeipa-users mailing list.