On Fri, 27 Sep 2019, Joyce Babu via FreeIPA-users wrote:
> I followed the instructions for setting up Windows 10 to use FreeIPA for
> authentication
> https://www.freeipa.org/page/Windows_authentication_against_FreeIPA

Just to make clear: this is a hack and basically not supported.

> After following the instructions, the default domain displayed on the
> Windows 10 login screen is EXAMPLE and EXAMPLE.COM. I am able to log in by
> entering EXAMPLE.COM\user as the username. But when I enter the username
> without the leading domain name, login fails with 'Client not found in
> Kerberos database' error.
>
> Sep 27 17:17:58 ipa.example.org krb5kdc[419](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), (-135), DEPRECATED:des-cbc-md5(3)}) 192.168.0.185: CLIENT_NOT_FOUND: user@EXAMPLE for krbtgt/EXAMPLE@EXAMPLE, Client not found in Kerberos database

That's expected behavior for an AD environment; there, the NetBIOS name of the
domain is supported as a realm name (an alias to the actual realm name).

> Is it possible to change the default domain in windows login screen to
> EXAMPLE.COM from EXAMPLE?

No. FreeIPA does not support aliases for the realm name and without that
it considers EXAMPLE a separate realm and does not support serving it.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
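
The failure discussed in this thread can be recognised directly in the KDC log. The following is an added example, not part of the original message or of FreeIPA: it parses the AS_REQ line quoted above and flags requests whose realm is only the short name of the served realm. The function names, SERVED_REALM, and the heuristic that the short name equals the first DNS label of the realm are assumptions.

```python
import re

# Assumption: the realm this KDC serves (EXAMPLE.COM in the thread).
SERVED_REALM = "EXAMPLE.COM"

# Constructed sample: the AS_REQ line quoted in the thread, joined onto one line.
SAMPLE = (
    "Sep 27 17:17:58 ipa.example.org krb5kdc[419](info): AS_REQ (6 etypes "
    "{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), "
    "DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), (-135), "
    "DEPRECATED:des-cbc-md5(3)}) 192.168.0.185: CLIENT_NOT_FOUND: user@EXAMPLE "
    "for krbtgt/EXAMPLE@EXAMPLE, Client not found in Kerberos database"
)

# Matches failed AS_REQ lines in the shape shown in the thread.
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<ip>\S+): (?P<status>[A-Z_]+): (?P<client>\S+) for (?P<service>[^,\s]+)"
)

def parse_as_req(line):
    """Return the fields of a failed krb5kdc AS_REQ log line, or None."""
    m = AS_REQ.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["etypes"] = [e.strip() for e in rec["etypes"].split(",")]
    rec["client_realm"] = rec["client"].rpartition("@")[2]
    return rec

def triage(rec, served_realm=SERVED_REALM):
    """Classify a failed AS_REQ by comparing the requested realm with the served one."""
    if rec["status"] != "CLIENT_NOT_FOUND":
        return "other"
    realm, served = rec["client_realm"].upper(), served_realm.upper()
    if realm == served:
        return "unknown-principal"      # right realm, no such user
    if realm == served.split(".")[0]:   # assumption: short name == first DNS label
        return "short-name-realm"       # e.g. EXAMPLE instead of EXAMPLE.COM
    return "foreign-realm"

def deprecated_etypes(rec):
    """Enctypes the client offered that the KDC logged as DEPRECATED."""
    return [e.split(":", 1)[1] for e in rec["etypes"] if e.startswith("DEPRECATED:")]

if __name__ == "__main__":
    record = parse_as_req(SAMPLE)
    print(record["ip"], record["client"], triage(record), deprecated_etypes(record))
```

A "short-name-realm" result points at a client configuration issue (the workstation sending the short domain name as the realm) rather than a missing account, which is the distinction the reply draws.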