[37272] in Kerberos


Re: Kerberos, Windows and FreeIPA

daemon@ATHENA.MIT.EDU (Russ Allbery)
Fri Oct 23 16:17:54 2015

From: Russ Allbery <eagle@eyrie.org>
To: Randolph Morgan <randym@chem.byu.edu>
In-Reply-To: <562A8352.5040304@chem.byu.edu> (Randolph Morgan's message of
	"Fri, 23 Oct 2015 12:58:26 -0600")
Date: Fri, 23 Oct 2015 13:17:36 -0700
Message-ID: <871tclfifz.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Randolph Morgan <randym@chem.byu.edu> writes:

> We are running a mixed environment network.  However, all of our
> authentication is performed via LDAP, we do not have an AD on our
> network, nor do we have any Windows servers, all of our servers are
> running RHEL.  We are working on implementing a new authentication
> server that is running FreeIPA, but would like to do single sign-on via
> Kerberos.  I have been reading posts for the better part of two weeks
> and can not find instructions that work, on how to get Windows (XP - 10)
> to authenticate via Kerberos.

There used to be various workarounds that would let you do this, but when
we asked Microsoft about it, they said it was officially unsupported and
very likely to break.  I think subsequent releases of Windows may have
broken it.

I believe the only supported way to get a Windows system to use Kerberos
for its integrated login is to join the host to a domain (whether AD or
Samba).

You can, of course, run Kerberos software on unjoined Windows hosts, get
tickets, and authenticate to Kerberos services without any trouble.  The
problems arise when you want the core OS stuff to use Kerberos directly,
since I believe all of that is effectively gated on being domain-joined.

-- 
Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
