I followed the instructions for setting up Windows 10 to use FreeIPA for authentication
https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
After following the instructions, the default domains displayed on the Windows 10 login screen are EXAMPLE and EXAMPLE.COM. I am able to log in by entering EXAMPLE.COM\user as the username. But when I enter the username without the leading domain name, login fails with a 'Client not found in Kerberos database' error.
Sep 27 17:17:58 ipa.example.org krb5kdc[419](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), (-135), DEPRECATED:des-cbc-md5(3)}) 192.168.0.185: CLIENT_NOT_FOUND: user@EXAMPLE for krbtgt/EXAMPLE@EXAMPLE, Client not found in Kerberos database
Is it possible to change the default domain in windows login screen to EXAMPLE.COM from EXAMPLE?
Thanks, Joyce Babu
On Fri, 27 Sep 2019, Joyce Babu via FreeIPA-users wrote:
> I followed the instructions for setting up Windows 10 to use FreeIPA for authentication
> https://www.freeipa.org/page/Windows_authentication_against_FreeIPA
Just to make clear: this is a hack and basically not supported.
> After following the instructions, the default domains displayed on the Windows 10 login screen are EXAMPLE and EXAMPLE.COM. I am able to log in by entering EXAMPLE.COM\user as the username. But when I enter the username without the leading domain name, login fails with a 'Client not found in Kerberos database' error.
> Sep 27 17:17:58 ipa.example.org krb5kdc[419](info): AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), DEPRECATED:arcfour-hmac-exp(24), (-135), DEPRECATED:des-cbc-md5(3)}) 192.168.0.185: CLIENT_NOT_FOUND: user@EXAMPLE for krbtgt/EXAMPLE@EXAMPLE, Client not found in Kerberos database
That's expected behavior for an AD environment, where the NetBIOS name of the domain is supported as a realm name (an alias to the actual realm name).
> Is it possible to change the default domain in windows login screen to EXAMPLE.COM from EXAMPLE?
No. FreeIPA does not support aliases for the realm name, and without that it considers EXAMPLE a separate realm and does not support serving it.
freeipa-users@lists.fedorahosted.org
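The KDC log line in the thread is the only evidence of what went wrong, so the following added example (not from the thread, FreeIPA or MIT krb5) parses krb5kdc AS_REQ lines and separates "client asked for a realm this KDC does not serve" (the NetBIOS-style EXAMPLE realm sent by Windows) from "realm is right but the principal does not exist". It assumes the served realm is EXAMPLE.COM and that success lines use the ISSUE format shown in the constructed sample; the sample log is built around the line quoted above plus two made-up neighbours.

```python
import re
from collections import Counter
# Realm this FreeIPA KDC actually serves (assumption for this example).
EXPECTED_REALM = "EXAMPLE.COM"

# krb5kdc AS_REQ fields: client IP, result code, client principal, service. Matches
# "CLIENT_NOT_FOUND: user@REALM for krbtgt/..." and "ISSUE: authtime ..., user@REALM for ...".
AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ .*?\) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): (?P<status>[A-Z_]+):.*?"
    r"(?P<client>[^\s,]+@[^\s,]+) for (?P<service>[^\s,]+)"
)

def parse_as_req(line):
    # Returns a dict for an AS_REQ line, None for anything else.
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    user, _, realm = m.group("client").rpartition("@")
    return {"ip": m.group("ip"), "status": m.group("status"),
            "user": user, "realm": realm, "service": m.group("service")}

def classify(entry):
    """Tell a request for a realm this KDC does not serve from an unknown user."""
    if entry["status"] == "CLIENT_NOT_FOUND":
        if entry["realm"] != EXPECTED_REALM:
            return "realm-mismatch"    # e.g. Windows sending the short name EXAMPLE
        return "unknown-principal"     # realm is right, principal does not exist
    return "ok" if entry["status"] == "ISSUE" else "other"

def summarize(lines):
    # Verdict counts keyed by (client IP, realm, verdict); skips non-AS_REQ lines.
    counts = Counter()
    for entry in filter(None, map(parse_as_req, lines)):
        counts[(entry["ip"], entry["realm"], classify(entry))] += 1
    return counts

# Constructed sample: the line from the thread plus two made-up neighbours.
SAMPLE_LOG = [
    "Sep 27 17:17:58 ipa.example.org krb5kdc[419](info): AS_REQ (6 etypes "
    "{aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), DEPRECATED:arcfour-hmac(23), "
    "DEPRECATED:arcfour-hmac-exp(24), (-135), DEPRECATED:des-cbc-md5(3)}) 192.168.0.185: "
    "CLIENT_NOT_FOUND: user@EXAMPLE for krbtgt/EXAMPLE@EXAMPLE, Client not found in Kerberos database",
    "Sep 27 17:18:05 ipa.example.org krb5kdc[419](info): AS_REQ (1 etypes "
    "{aes256-cts-hmac-sha1-96(18)}) 192.168.0.185: ISSUE: authtime 1569597485, "
    "etypes {rep=18 tkt=18 ses=18}, user@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "Sep 27 17:19:11 ipa.example.org krb5kdc[419](info): AS_REQ (1 etypes "
    "{aes256-cts-hmac-sha1-96(18)}) 192.168.0.186: CLIENT_NOT_FOUND: nosuch@EXAMPLE.COM "
    "for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Client not found in Kerberos database",
]
```

A single host producing only realm-mismatch entries is the misconfiguration described in the thread; the same verdict spread across many hosts or usernames is the pattern worth investigating rather than ignoring as login-screen noise.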