I am attempting to follow this guide (https://www.rootusers.com/how-to-login-to-windows-with-a-freeipa-account/) to add a windows box to my cluster of FreeIPA-managed linux (rhel 8/9 and ubuntu) boxes.
I have gotten to the point where I have a user account on the windows box connected to FreeIPA, I change the password (since it always starts expired) but then I am hit with this error:
“To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this right. If the group you’re in doesn’t have this right, or if the right has been removed from the Remote Desktop Users group, you need to be granted this right manually.”
My user account is in the "Remote Desktop Users" group, and I have verified that this group has the correct permissions to allow logon via RDP (as well as verifying that no user groups are denied from logging onto the box).
I also added the user to the Remote Desktop Services group policy, but that did not work.
I am able to RDP in as Administrator, so I tried adding the user to Administrator just to ensure it had the right permissions, but that did not work.
I have been able to replicate this behavior with a fresh box and different FreeIPA accounts.
Any help, advice, or resources would be greatly appreciated. TIA
Duncan Small via FreeIPA-users wrote:
> I am attempting to follow this guide (https://www.rootusers.com/how-to-login-to-windows-with-a-freeipa-account/) to add a windows box to my cluster of FreeIPA-managed linux (rhel 8/9 and ubuntu) boxes.
This is a hack and is not supported at all. It is explicitly stated on that page:
--------------------------------------------
Note also that the described configuration is not supported by FreeIPA development team and also is not supported by Red Hat Enterprise Linux Identity Management product. A work on making possible to login to Windows machines already enrolled into a trusted Active Directory forest is ongoing and is not available yet in any released FreeIPA version.
--------------------------------------------
> I have gotten to the point where I have a user account on the windows box connected to FreeIPA, I change the password (since it always starts expired) but then I am hit with this error:
> “To sign in remotely, you need the right to sign in through Remote Desktop Services. By default, members of the Remote Desktop Users group have this right. If the group you’re in doesn’t have this right, or if the right has been removed from the Remote Desktop Users group, you need to be granted this right manually.”
> My user account is in the "Remote Desktop Users" group, and I have verified that this group has the correct permissions to allow logon via RDP (as well as verifying that no user groups are denied from logging onto the box).
> I also added the user to the Remote Desktop Services group policy, but that did not work.
> I am able to RDP in as Administrator, so I tried adding the user to Administrator just to ensure it had the right permissions, but that did not work.
> I have been able to replicate this behavior with a fresh box and different FreeIPA accounts.
> Any help, advice, or resources would be greatly appreciated.
Joining Windows clients to IPA domain is not supported. These configurations may or may not work for some people. There are no plans to enable this use case at all.
rob
I am fully aware that this is a hack, I was hoping the open source community could add something to the conversation.
Thank you for your addition, rob
freeipa-users@lists.fedorahosted.org