Hello, list. I have installed FreeIPA server 4.10.2-8 under Rocky Linux and would like to set up Windows clients to join the FreeIPA domain. I followed the guide https://www.freeipa.org/page/Windows_authentication_against_FreeIPA. When I enter user credentials for the first time, Windows asks to change the password; after the password is changed, it does not log in.
After that, every attempt results in the "wrong user or password" message. Looking at the Kerberos log, it seems that the password is correct, but Windows does not let the user in for some reason. The audit log says that login was refused with some error that does not explain anything. Time is in sync, as well as the timezone.
There are a lot of posts saying that this should work but I don't have any clues where to look. Any ideas what might be wrong?
On Tue, 16 Apr 2024, Anton Menshutin via FreeIPA-users wrote:
> Hello, list. I have installed FreeIPA server 4.10.2-8 under Rocky Linux and would like to set up Windows clients to join the FreeIPA domain. I followed the guide https://www.freeipa.org/page/Windows_authentication_against_FreeIPA.
This is a hack and is not supported at all. It is explicitly stated on that page:
--------------------------------------------
Note also that the described configuration is not supported by FreeIPA development team and also is not supported by Red Hat Enterprise Linux Identity Management product. A work on making possible to login to Windows machines already enrolled into a trusted Active Directory forest is ongoing and is not available yet in any released FreeIPA version.
--------------------------------------------
> When I enter user credentials for the first time, Windows asks to change the password; after the password is changed, it does not log in.
> After that, every attempt results in the "wrong user or password" message. Looking at the Kerberos log, it seems that the password is correct, but Windows does not let the user in for some reason. The audit log says that login was refused with some error that does not explain anything. Time is in sync, as well as the timezone.
> There are a lot of posts saying that this should work but I don't have any clues where to look. Any ideas what might be wrong?
Joining Windows clients to an IPA domain is not supported. These configurations may or may not work for some people. There are no plans to enable this use case at all.