On Sat, 17 Dec 2022, Alejo Diaz via FreeIPA-devel wrote:
> Currently, if I follow the steps I can't get Windows 10 or 11
> (both 22H2) working with FreeIPA v4.10.1.
FreeIPA team does not support enrolling Windows systems into FreeIPA.
I assume you are referring to
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
This is not supported and any problems reported aren't going to be
solved. Since Samba AD is a fairly good AD replacement, our
recommendation is to enroll Windows systems to Samba AD and then
establish trust between Samba AD and FreeIPA.
> Please update/add these steps:
> 1. The algorithm "arcfour-hmac" isn't necessary in these versions (I
> don't know about other versions). Just skip the "-e" option or specify
> "-e aes256-cts-hmac-sha1-96,aes128-cts-hmac-sha1-96".
> 2. Enforce use of TCP for Kerberos in Windows by running the following
> commands after step 5 of the "Configure Windows (ksetup)" section. This
> step helps when you log in via VPN or when the packet size is > 1500
> (MTU limited!).
> ```
> reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v "MaxPacketSize" /t REG_DWORD /d 1 /f
> ksetup /setrealmflags [REALM_NAME] tcpsupported
> ```
FYI, for about a decade the FreeIPA default krb5.conf configuration has
forced use of TCP:
[libdefaults]
udp_preference_limit = 0
> 3. Ensure the `permitted_enctypes` are set in the `/etc/krb5.conf`
> configuration on FreeIPA servers (and replicas). Next, delete
> `/etc/krb5.conf.d/crypto-policies` (I haven't tested whether updating this
> file from a tool works). This ensures that every ticket sent from the
> FreeIPA KDC always uses the `permitted_enctypes` algorithms.
This is not needed at all. Please follow the documentation:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
In essence, in RHEL 8:
# update-crypto-policies --set DEFAULT:AD-SUPPORT
and in RHEL 9:
# update-crypto-policies --set DEFAULT:AD-SUPPORT-LEGACY
> 4. Step 8 of the "Configure Windows (ksetup)" section
> isn't necessary. Windows creates the user automatically.
> 5. If you don't want to type <user>@<domain> for every uncached user, run the
> following command to hard-code the domain at logon (add after step 5 of the
> "Configure Windows (ksetup)" section?):
> ```
> reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DefaultLogonDomain" /t REG_SZ /d "[REALM_NAME]" /f
> ```
> 6. Step 1 of the "Configure Windows (ksetup)" section changes from
> "/setdomain" to "/setrealm". Actually, both work, but I don't know
> whether this command will change in the future.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
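An added example, not code from this thread, from FreeIPA or from Red Hat: a small POSIX shell audit for the Linux-side points raised in the reply above. It reads a krb5.conf and reports whether TCP is forced (`udp_preference_limit = 0`, the FreeIPA default), whether `permitted_enctypes` has been hand-edited to allow arcfour-hmac, and whether the `includedir /etc/krb5.conf.d/` line is still present so that `update-crypto-policies` (AD-SUPPORT on RHEL 8, AD-SUPPORT-LEGACY on RHEL 9) keeps taking effect. The function names, the temporary file paths and the two sample configs at the bottom are my own constructions for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): audit a krb5.conf for
#   1. udp_preference_limit = 0  (every request goes over TCP),
#   2. an RC4 enctype (arcfour-hmac / rc4-hmac) listed in permitted_enctypes,
#   3. the includedir for /etc/krb5.conf.d/ where the crypto-policies
#      snippet managed by update-crypto-policies lives.
# Sample configs in krb5_demo are constructed, not real server files.

# Print the value of KEY ($2) from the [libdefaults] section of FILE ($1).
# Accepts "key = value" and "key=value"; first match wins.
krb5_libdefault() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { insect = ($0 ~ /^[[:space:]]*\[libdefaults\]/); next }
        insect && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# True when udp_preference_limit is 0, i.e. TCP is forced.
krb5_tcp_forced() {
    [ "$(krb5_libdefault "$1" udp_preference_limit)" = "0" ]
}

# True when permitted_enctypes explicitly allows RC4.
krb5_has_rc4() {
    case " $(krb5_libdefault "$1" permitted_enctypes) " in
        *arcfour-hmac*|*rc4-hmac*) return 0 ;;
    esac
    return 1
}

# True when the config still pulls in /etc/krb5.conf.d/; removing that
# directory's crypto-policies snippet detaches krb5 from update-crypto-policies.
krb5_has_includedir() {
    grep -Eq '^[[:space:]]*includedir[[:space:]]+/etc/krb5\.conf\.d/?[[:space:]]*$' "$1"
}

# Run all checks on FILE; one line per finding; returns the number of findings.
krb5_audit() {
    f="$1"; n=0
    if ! krb5_tcp_forced "$f"; then
        echo "$f: udp_preference_limit is not 0, UDP will be tried first"; n=$((n+1))
    fi
    if krb5_has_rc4 "$f"; then
        echo "$f: permitted_enctypes allows RC4; use update-crypto-policies instead"; n=$((n+1))
    fi
    if ! krb5_has_includedir "$f"; then
        echo "$f: no 'includedir /etc/krb5.conf.d/', crypto-policies snippet not applied"; n=$((n+1))
    fi
    return "$n"
}

# Demo on two constructed configs: one FreeIPA-like, one hand-edited as in the
# quoted message (RC4 re-enabled, includedir dropped, TCP no longer forced).
krb5_demo() {
    d=$(mktemp -d)
    cat > "$d/good.conf" <<'EOF'
includedir /etc/krb5.conf.d/
[libdefaults]
  default_realm = EXAMPLE.TEST
  udp_preference_limit = 0
EOF
    cat > "$d/bad.conf" <<'EOF'
[libdefaults]
  default_realm = EXAMPLE.TEST
  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac
  udp_preference_limit = 1
EOF
    krb5_audit "$d/good.conf" && echo "$d/good.conf: clean"
    krb5_audit "$d/bad.conf" || echo "$d/bad.conf: $? finding(s)"
    rm -rf "$d"
}

krb5_demo
```

Point `krb5_audit` at a real `/etc/krb5.conf` on a server or replica to see which of the three settings have drifted from the defaults; a non-zero return value is the number of findings, so it can gate a config-management run.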