Notes on configuring FreeIPA with Windows.
The procedures listed at the end are used as reference, but a few additional steps are added for Windows authentication against FreeIPA.
Copied and pasted from the articles mentioned
1. Create the host principal in the web interface
2. Create IPA users to correspond to Windows users
3. Reset the user's IPA password to a known password using the web interface or CLI;
the user will be prompted to change it at first log in.
4. On the IPA server run
ipa-getkeytab -s [kdc DNS name]
-p host/[machine-name]
-e arcfour-hmac
-k krb5.keytab.[machine-name]
-P
At the prompt enter a random MACHINE_PASSWORD
(you will enter this later on the windows machine too).
Note: you can change the -e argument to include also
AES enctypes from FreeIPA 2.1.4 and higher. (FreeIPA ticket 2038)
Note: Windows machine names cannot exceed 15 characters
-- pointed out by Han Boetes on 2013-01-03 on freeipa-users mailing list
Configure Windows (ksetup)
1. ksetup /setdomain [REALM NAME]
2. ksetup /addkdc [REALM NAME] [kdc DNS name]
3. ksetup /addkpasswd [REALM NAME] [kdc DNS name]
4. ksetup /setcomputerpassword [MACHINE_PASSWORD] (the one used above)
5. ksetup /mapuser * *
6. Run gpedit.msc, open the key called:
"Network Security: Configure encryption types allowed for Kerberos"
under:
Computer Configuration
Windows Settings
Security Settings
Local Policies
Security Options
and deselect everything except RC4_HMAC_MD5
7. *** REBOOT ***
8. Add local user accounts for all users that need to be able to log in.
9. Log in as [user]@[REALM] with the initial password; you will be prompted
to change the password and then be logged in.
Note: Configuring encryption types is not needed from FreeIPA 2.1.4 and higher. (FreeIPA ticket 2038)
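As an added example (not from the original notes or the FreeIPA project), a POSIX shell helper that applies the checks from server step 4 and its notes before running ipa-getkeytab: the 15-character limit on Windows machine names and the choice of enctypes by FreeIPA version. The KDC name ipa.example.test and machine name WIN-WS01 are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original notes: prepare the ipa-getkeytab
# call from step 4 with the checks the notes mention. Host names
# (ipa.example.test, WIN-WS01) are constructed placeholders.

# Windows (NetBIOS) machine names cannot exceed 15 characters; accept only
# letters, digits and hyphens so the host principal name is unambiguous.
check_machine_name() {
    [ -n "$1" ] || return 1
    [ "${#1}" -le 15 ] || return 1
    case "$1" in
        *[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# Turn "major.minor.patch" into a comparable integer (missing parts are 0).
version_num() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# The notes use arcfour-hmac (RC4) only. From FreeIPA 2.1.4 (ticket 2038)
# AES enctypes can be added to -e, so prefer them and keep RC4 last.
enctypes_for() {
    if [ "$(version_num "$1")" -ge "$(version_num 2.1.4)" ]; then
        echo "aes256-cts,aes128-cts,arcfour-hmac"
    else
        echo "arcfour-hmac"
    fi
}

# Print the ipa-getkeytab command (dry run; copy it to the IPA server shell).
# Arguments: kdc_dns_name machine_name freeipa_version
# -P makes ipa-getkeytab prompt for MACHINE_PASSWORD instead of generating
# one, so the same value can later be given to ksetup /setcomputerpassword.
build_getkeytab_cmd() {
    check_machine_name "$2" || { echo "machine name '$2' is invalid" >&2; return 1; }
    printf 'ipa-getkeytab -s %s -p host/%s -e %s -k krb5.keytab.%s -P\n' \
        "$1" "$2" "$(enctypes_for "$3")" "$2"
}

build_getkeytab_cmd ipa.example.test WIN-WS01 4.9.0
```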
What I do differently
RDP is configured to grant access to 'Everyone'
IPA users are created in the format firstname.lastname
The default domain is changed on the terminal server:
In regedit:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
AltDefaultDomainName = <DOMAIN IN UPPERCASE>
Configure the default domain as a policy:
To enable default domain for logon, follow these steps:
1. Click Start, and then click Run.
2. In the Open box, type gpedit.msc, and then click OK.
3. Under Computer Configuration, expand Administrative Settings, expand System, and then click Logon.
4. In the right pane, double click the setting "Assign a default domain for logon" and choose Enabled.
5. Under Options you may provide the name of the domain you want to be set as default.
Note: Use the Group Policy Management console (GPMC.msc) to create a GPO and configure the settings at domain or OU level.
as terminal server administrators
To log in:
<FREEIPA DOMAIN>\<IPA username, e.g. nicolas.bardier>
It asks for the password again
More information
- https://support.microsoft.com/es-uy/help/2908796/using-gpos-to-change-default-logon-domain-name-in-the-logon-screen
- https://social.technet.microsoft.com/Forums/windows/en-US/de5fea8e-e327-4d71-a599-546dea543149/change-default-logon-domain-name-in-the-logon-screen?forum=w7itpronetworking
- https://www.freeipa.org/page/Windows_authentication_against_FreeIPA