Hello everyone,

Since I upgraded our server to Fedora 38, we cannot access Samba shares on that Linux server from a Windows PC.
So I'm now trying to log in to a Windows PC using a FreeIPA user account. I followed the instructions I found in the following documentation:

https://freeipa.org/page/Windows_authentication_against_FreeIPA
https://computingforgeeks.com/join-windows-system-to-freeipa-realm/
https://www.rootusers.com/how-to-login-to-windows-with-a-freeipa-account/#:~:text=Configure%20FreeIPA,for%20me%2C%20this%20is%20prefilled
https://www.server-world.info/en/note?os=CentOS_7&p=ipa&f=8

Basically, I added the Windows PC (winpc) to the FreeIPA host list using the web UI, then:

    $ ipa-getkeytab -s server.domain.local -p host/winpc.domain.local@DOMAIN.LOCAL -e aes256-cts,aes128-cts,aes256-sha2,aes128-sha2,camellia256-cts-cmac,camellia128-cts-cmac -k /etc/krb5.keytab -P

and in a terminal on the Windows PC:

    > ksetup /setdomain DOMAIN.LOCAL
    > ksetup /addkdc DOMAIN.LOCAL server.domain.local
    > ksetup /addkpasswd DOMAIN.LOCAL server.domain.local
    > ksetup /setcomputerpassword p4$$w0rD
    > ksetup /mapuser * *

I also created a local user 'smith' on the Windows PC, which also exists on the FreeIPA server:

    $ ipa user-show smith
      User login: smith
      First name: John
      Last name: Smith
      Home directory: /home/smith
      Login shell: /usr/bin/zsh
      Principal name: smith@DOMAIN.LOCAL
      Principal alias: smith@DOMAIN.LOCAL
      Email address: smith@DOMAIN.LOCAL
      UID: 1010
      GID: 1025
      SMB Home Directory Drive: A:
      Account disabled: False
      Password: True
      Member of groups: admins, ipausers, trust admins, editors
      Roles: helpdesk, User Administrator, Enrollment Administrator, Security Architect, IT Security Specialist, FleetCommander Desktop Profile Administrators, IT Specialist
      Kerberos keys available: True

But every time I try to log in with smith@DOMAIN.LOCAL and the FreeIPA password of that user, I get the following message: "We could not connect you with these credentials because your domain was not available. ..."
and when I check the logs in krb5kdc.log:

Jun 26 09:14:12 server.domain.local krb5kdc[75284](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 10.0.21.204: NEEDED_PREAUTH: smith@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL, Additional pre-authentication required

Jun 26 09:14:12 server.domain.local krb5kdc[75292](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 10.0.21.204: ISSUE: authtime 1687763652, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, smith@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL

Jun 26 09:14:12 server.domain.local krb5kdc[4979](info): TGS_REQ (5 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135)}) 10.0.21.204: ISSUE: authtime 1687763652, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, smith@DOMAIN.LOCAL for host/winpc.domain.local@DOMAIN.LOCAL

Also, I don't know if this is related to the login problem, but when I reboot the Windows PC, I get a message in the same log file saying 'Client not found in Kerberos database.'
Jun 26 09:13:49 server.domain.local krb5kdc[75284](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 10.0.21.204: CLIENT_NOT_FOUND: winpc$@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL, Client not found in Kerberos database

Jun 26 09:13:49 server.domain.local krb5kdc[75284](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), UNSUPPORTED:(-135), UNSUPPORTED:des-cbc-md5(3)}) 10.0.21.204: CLIENT_NOT_FOUND: winpc$@DOMAIN.LOCAL for krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL, Client not found in Kerberos database

So what am I missing?

Best regards
F.