[37273] in Kerberos
Re: Kerberos, Windows and FreeIPA
daemon@ATHENA.MIT.EDU (Jean-Christophe GAY)
Sat Oct 24 15:05:11 2015
Date: Sat, 24 Oct 2015 21:04:47 +0200 (CEST)
From: Jean-Christophe GAY <jean-christophe.gay@dauphine.fr>
To: Russ Allbery <eagle@eyrie.org>
Message-ID: <1965660408.3230122.1445713487539.JavaMail.zimbra@dauphine.fr>
In-Reply-To: <871tclfifz.fsf@hope.eyrie.org>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Hi,
I think this may be working. When I was trying to make Microsoft's AD to authenticate to a Kerberos server and not the AD controlleurs we managed to get a stand alone windows to authenticate to a RHEL MIT KDC. I'm not at work atm so I can't check this on our wiki, but theses may be able to help you :
http://serverfault.com/questions/129854/authenticating-windows-7-against-mit-kerberos-5
https://msdn.microsoft.com/en-us/library/bb742433.aspx
Cordialement,
Jean-Christophe Gay
----- Mail original -----
> De: "Russ Allbery" <eagle@eyrie.org>
> À: "Randolph Morgan" <randym@chem.byu.edu>
> Cc: kerberos@mit.edu
> Envoyé: Vendredi 23 Octobre 2015 22:17:36
> Objet: Re: Kerberos, Windows and FreeIPA
>
> Randolph Morgan <randym@chem.byu.edu> writes:
>
> > We are running a mixed environment network. However, all of our
> > authentication is performed via LDAP, we do not have an AD on our
> > network, nor do we have any Windows servers, all of our servers are
> > running RHEL. We are working on implementing a new authentication
> > server that is running FreeIPA, but would like to do single sign-on via
> > Kerberos. I have been reading posts for the better part of two weeks
> > and can not find instructions that work, on how to get Windows (XP - 10)
> > to authenticate via Kerberos.
>
> There used to be various workarounds that would let you do this, but when
> we asked Microsoft about it, they said it was officially unsupported and
> very likely to break. I think subsequent releases of Windows may have
> broken it.
>
> I believe the only supported way to get a Windows system to use Kerberos
> for its integrated login is to join the host to a domain (whether AD or
> Samba).
>
> You can, of course, run Kerberos software on unjoined Windows hosts, get
> tickets, and authenticate to Kerberos services without any trouble. The
> problems arise when you want the core OS stuff to use Kerberos directly,
> since I believe all of that is effectively gated on being domain-joined.
>
> --
> Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
