26 changes: 16 additions & 10 deletions src/page/Windows_authentication_against_FreeIPA.rst
@@ -1,8 +1,3 @@
Windows_authentication_against_FreeIPA
======================================



Windows authentication against FreeIPA
======================================

@@ -70,16 +65,16 @@ Configure FreeIPA
4. On the IPA server run
ipa-getkeytab -s [kdc DNS name]
-p host/[machine-name]
-e arcfour-hmac
-e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96,aes256-cts-hmac-sha384-192
-k krb5.keytab.[machine-name]
-P
At the prompt enter a random MACHINE_PASSWORD
(you will enter this later on the windows machine too).
Note: you can change the -e argument to include also
AESenctypesfromFreeIPA2.1.4andhigher. (FreeIPA ticket ``\ ```2038`` <https://fedorahosted.org/freeipa/ticket/2038>`__\ ``)
Note: you can change the -e argument to include also
AES enctypes from FreeIPA2.1.4 and higher. (FreeIPA ticket `2038 <https://fedorahosted.org/freeipa/ticket/2038>`_)

Note: Windows machines names cannot exceed 15 characters
-- pointed out by Han Boetes on 2013-01-03 on freeipa-users mailing list
Note: Windows machines names cannot exceed 15 characters
-- pointed out by Han Boetes on 2013-01-03 on freeipa-users mailing list



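Review bot: the note "you can change the -e argument to include also AES enctypes from FreeIPA2.1.4 and higher" is now contradicted by the command directly above it, which no longer lists arcfour-hmac and already requests AES types only; either reword it to say that RC4 (arcfour-hmac) was dropped from the enctype list and that the Windows side must allow the same AES types in its ksetup configuration, or remove it. Separately, the newly added aes256-cts-hmac-sha384-192 is the RFC 8009 AES-SHA2 enctype; Windows Kerberos implements the AES-SHA1 types (aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96) but, as far as I know, not the SHA2 variants, so if the KDC prefers that key when issuing service tickets for host/[machine-name] the Windows host cannot decrypt them. Please confirm this was tested against a real Windows client, or limit the -e list to the two AES-SHA1 types. Minor: "FreeIPA2.1.4" is missing a space.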
@@ -111,6 +106,17 @@ Configure Windows (ksetup)
and higher.** (FreeIPA ticket
`2038 <https://fedorahosted.org/freeipa/ticket/2038>`__)

Note: To enable users to login without entering the full realm name (eg use ``ksharp`` instead of ``ksharp@IPA.EXAMPLE.COM``) set the default logon domain
to the Kerberos realm name.
To set the default logon domain with Group Policy, see
`KB: 2908796 <https://learn.microsoft.com/en-us/troubleshoot/windows-server/group-policy/change-default-logon-domain-name>`_.

Note: It may not be required to add local user accounts.
On logon, Windows will use information from privilege attributes certificate (PAC) in the Kerberos ticket to get full name and profile path to create a profile. However these profiles will not be listed under local accounts,
only under ``HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`` registry key, but account functionality is the same.
More information on Kerberos PAC under `Identity Mapping - Security Identifiers <https://freeipa.readthedocs.io/en/latest/designs/id-mapping.html#security-identifiers>`_ and
the `MS-PAC <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/166d8064-c863-41e1-9c23-edaaa5f36962>`_ and `MS-KILE <https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9>`_ specifications.

--------------

The FreeIPA team thanks 'Jimmy' for providing this information on the
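Review bot: the PAC note ("On logon, Windows will use information from privilege attributes certificate (PAC) in the Kerberos ticket ...") should state its prerequisite: FreeIPA only includes a PAC with SIDs for principals that have a SID assigned, which depends on SID generation being enabled for the realm (on recent releases via ``ipa config-mod --enable-sid --add-sids``; the linked Identity Mapping design covers this), and without SIDs Windows cannot create the ``ProfileList`` entry the note describes, so readers on older or unconverted deployments will still need local accounts. Please add that condition, and correct the name to "Privilege Attribute Certificate", which is how MS-PAC spells it. Minor: "eg use" should read "e.g. use", and the ksetup section still carries the bold "and higher." AES note referencing ticket 2038, which should be reconciled with the enctype change in the FreeIPA section of this same PR.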