<div>This was installed using yum. I need to be able to authenticate users against Kerberos from a Windows client machine and it fails at login saying the username/password is incorrect. The krb5kdc.log shows:<br></div><div>
<br></div><div>Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) <a href="http://192.168.201.9">192.168.201.9</a>: NEEDED_PREAUTH: oper@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Additional pre-authentication required<br>
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed<br>Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) <a href="http://192.168.201.9">192.168.201.9</a>: PREAUTH_FAILED: oper@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Decrypt integrity check failed<br>
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed<br>Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) <a href="http://192.168.201.9">192.168.201.9</a>: PREAUTH_FAILED: oper@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Decrypt integrity check failed<br>
</div><div><br></div><div>I know the user's password I'm using is correct because I can kinit with that username/password on the IPA server. I used the ipa-getkeytab to set the machine password, but I'm not sure that it's doing what I would normally do in a stand alone MIT Kerberos server using kadmin. Using ksetup on the windows7 client I can reconfigure for a couple different realms and authentication works just fine, but I'm missing something on the IPA config that would allow the same authentication. <br>
</div><div>Thanks,Jimmy</div><div class="gmail_quote">On Fri, Sep 16, 2011 at 4:45 PM, Dmitri Pal <span dir="ltr"><<a href="mailto:dpal@redhat.com">dpal@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div bgcolor="#ffffff" text="#000000"><div class="im">
On 09/16/2011 02:26 PM, Jimmy wrote:
<blockquote type="cite">I can create a keytab using ipa-getkeytab for any
entity, say for instance a user, and store a password in the
keytab but as soon as the user attempts to kinit with the set
password it expires and must be changed. Is this happening with
the host(workstation) entities?<br>
</blockquote>
<br></div>
Are you using latest hand built IPA from the master?<br>
There is a bug about passwords being expired.<br>
A more stable version is available from Fedora if you are using
Fedora or from 2.1 branch.<br>
<br>
<blockquote type="cite"><div><div class="h5">
<br>
<div class="gmail_quote">On Fri, Sep 16, 2011 at 9:44 AM, Jimmy <span dir="ltr"><<a href="mailto:g17jimmy@gmail.com" target="_blank">g17jimmy@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<div>When I do not specify the encryption type it does put
them all in in a single go. I just was attempting to
eliminate the other types in case that was creating a
problem. The system defaults to type x18
(aes256-cts-hmac-sha1-96). Thanks for your help on this.<br>
</div>
<div><br>
</div>
<div>[root@csp-idm etc]# klist -kte krb5.keytab.sys1 <br>
Keytab name: WRFILE:krb5.keytab.sys1<br>
KVNO Timestamp Principal<br>
---- -----------------
--------------------------------------------------------<br>
6 09/16/11 13:40:03 <a href="mailto:host/ews1-cybsec.pdh.csp@PDH.CSP" target="_blank">host/ews1-cybsec.pdh.csp@PDH.CSP</a>
(aes256-cts-hmac-sha1-96) <br>
6 09/16/11 13:40:03 <a href="mailto:host/ews1-cybsec.pdh.csp@PDH.CSP" target="_blank">host/ews1-cybsec.pdh.csp@PDH.CSP</a>
(aes128-cts-hmac-sha1-96) <br>
6 09/16/11 13:40:04 <a href="mailto:host/ews1-cybsec.pdh.csp@PDH.CSP" target="_blank">host/ews1-cybsec.pdh.csp@PDH.CSP</a>
(des3-cbc-sha1) <br>
6 09/16/11 13:40:04 <a href="mailto:host/ews1-cybsec.pdh.csp@PDH.CSP" target="_blank">host/ews1-cybsec.pdh.csp@PDH.CSP</a>
(arcfour-hmac) <br>
<br>
</div>
<div>
<div><br>
<div class="gmail_quote">On Fri, Sep 16, 2011 at 9:35 AM,
Simo Sorce <span dir="ltr"><<a href="mailto:simo@redhat.com" target="_blank">simo@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
<div>On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:<br>
> ipa-getkeytab -s csp-idm.pdh.csp -p
host/ews1-cybsec.pdh.csp -k<br>
> krb5.keytab<br>
> -P [entering into the main keytab
/etc/krb5.keytab]<br>
> ipa-getkeytab -s csp-idm.pdh.csp -p
host/ews1-cybsec.pdh.csp -k<br>
> krb5.keytab.sys1 -P [entering into a new
keytab krb5.keytab.sys1]<br>
> ipa-getkeytab -s csp-idm.pdh.csp -p
host/ews1-cybsec.pdh.csp -e<br>
> aes256-cts-hmac-sha1-96 -k krb5.keytab -P<br>
> ipa-getkeytab -s csp-idm.pdh.csp -p
host/ews1-cybsec.pdh.csp -e<br>
> aes128-cts-hmac-sha1-96 -k krb5.keytab -P<br>
> ipa-getkeytab -s csp-idm.pdh.csp -p
host/ews1-cybsec.pdh.csp -e<br>
> aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P<br>
> ipa-getkeytab -s csp-idm.pdh.csp -p
host/ews1-cybsec.pdh.csp -e<br>
> aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P<br>
><br>
<br>
</div>
This is not how it works.<br>
You must define all types in one single go.<br>
Every time you invoke ipa-getkeytab for a principal
you are discarding<br>
any previous key in the KDC, and only the last one is
available.<br>
<div>
<div><br>
Simo.<br>
<br>
--<br>
Simo Sorce * Red Hat, Inc * New York<br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div></div><pre>_______________________________________________
Freeipa-users mailing list
<a href="mailto:Freeipa-users@redhat.com" target="_blank">Freeipa-users@redhat.com</a>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre> </blockquote>
<br>
<br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a href="http://www.redhat.com/carveoutcosts/" target="_blank">www.redhat.com/carveoutcosts/</a>
</pre> </div>
<br>_______________________________________________<br>
Freeipa-users mailing list<br>
<a href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a><br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br></blockquote></div><br>