[Freeipa-users] Windows Client Problem

Viji V Nair vijivijayakumar at gmail.com
Tue Dec 30 17:15:47 UTC 2008


Hi,

Thank you for the information. I have tried all these steps, but with no success.

1. On the IPA Server I have created a host principal using the following
command.

# kadmin -q "ank host/bmdata01.testing.com"

2. On the windows xp client

C:> ksetup /setrealm TESTING.COM
C:> ksetup /addkdc TESTING.COM viji.bigmaps.com
C:> ksetup /setmachpassword <password>
C:> ksetup /mapuser admin@TESTING.COM guest
C:> ksetup /mapuser * *

After the above setup, Windows is showing TESTING.COM as a Kerberos realm on
the login screen, but when I try to log in using the user name "admin" it is
throwing the following error.

"The system could not log you on. Make sure your user name and domain are
correct, and then type your password again. Letters in passwords must be
typed using the correct case."

But the IPA (Kerberos) server is issuing the tickets. The log shows:

Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: NEEDED_PREAUTH: admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): AS_REQ (3 etypes {23 3 1}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for krbtgt/TESTING.COM@TESTING.COM
Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, admin@TESTING.COM for host/bmdata01.testing.com@TESTING.COM

I have found an article on the Microsoft website saying this is a bug and to
apply the latest service pack (SP3). I even tried that, but with no success.

http://support.microsoft.com/kb/825081

Similar Thread:
http://mailman.mit.edu/pipermail/kerberos/2006-May/009890.html

Thanks & Regards

Viji


On Mon, Dec 29, 2008 at 6:35 PM, Konstantin Kozlov <kozlov at spbcas.ru> wrote:

> Hi,
>
> You can search the list for a similar thread and here are the steps I've
> followed with success:
>
> Add host principal for winxp machine with the encoding des-cbc-crc and
> password (-P option for ipa-getkeytab). Do not store this keytab in
> /etc/krb5.keytab but rather in some other file.
>
> Install MS Support Tools on WinXP, and run
>
> ksetup /setdomain ...
> ksetup /addkdc ...
> ksetup /setcomputerpassword ...
> ksetup /mapuser * <your user>
>
> WinXP machine asks to login to Kerberos realm at login screen.
>
> I failed to map one ipa-user to one win-user. But maybe that is because I
> didn't have enough time. If you succeed, please leave a note here.
>
> Best regards,
>
> Kostya
>
> Viji V Nair wrote:
>
>> Hi,
>>
>> I am a new user of free-ipa. I have installed the free-ipa packages
>> shipped with Fedora 10. I have more than 100 Windows clients to
>> authenticate. Here is my problem:
>>
>> All the clients are XP SP2, and I have installed MIT Kerberos for Windows
>> 3.2.2. The native Windows login prompt always appears first; when I log in to
>> Windows, the Kerberos client asks for authentication.
>>
>> I want to replace this windows authentication with kerberos
>>
>> Any help on the same will be greatly appreciated.
>>
>> Thanks
>> Viji
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>
>
> --
> Konstantin Kozlov
> Department of Computational Biology,
> Center for Advanced Studies,
> SPb State Polytechnical University,
> 195251, Polytechnicheskaya ul., 29,
> bld 4, office 204,
> St.Petersburg, Russia.
>
> Tel./fax: +7 812 596 2831
>
>
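Added example, not part of the original thread: a small parser for the three krb5kdc lines quoted in the message above (with the archive's " at " restored to "@"). It decodes the enctype numbers and flags issued host/ tickets whose ticket enctype was not among those the requesting machine offered. The function names are hypothetical, and the check is a heuristic that assumes, as in this thread, that the requester is also the host that must decrypt the ticket; Windows XP's Kerberos implements only DES and RC4 enctypes.

```python
import re

# Kerberos enctype numbers (IANA registry); negative values are vendor-private.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac", 24: "rc4-hmac-exp"}

LINE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[-\d ]+)\}\) (?P<addr>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) "
    r"ses=(?P<ses>-?\d+)\}, )?(?P<client>\S+) for (?P<server>[^\s,]+)")

# Sample input: the log lines from the message, unwrapped.
KDC = "Dec 30 22:36:03 viji.testing.com krb5kdc[5179](info): "
OFFER = "(7 etypes {23 -133 -128 3 1 24 -135}) 172.16.33.112: "
ISSUED = ("ISSUE: authtime 1230656763, etypes {rep=23 tkt=18 ses=23}, "
          "admin@TESTING.COM for ")
SAMPLE_LOG = [
    KDC + "AS_REQ " + OFFER + "NEEDED_PREAUTH: admin@TESTING.COM for "
    "krbtgt/TESTING.COM@TESTING.COM, Additional pre-authentication required",
    KDC + "AS_REQ (3 etypes {23 3 1}) 172.16.33.112: " + ISSUED
    + "krbtgt/TESTING.COM@TESTING.COM",
    KDC + "TGS_REQ " + OFFER + ISSUED + "host/bmdata01.testing.com@TESTING.COM",
]

def name(etype):
    label = ETYPES.get(etype, "vendor-private" if etype < 0 else "unknown")
    return f"{label}({etype})"

def parse(line):
    """Return the fields of one KDC request line, or None if it does not match."""
    m = LINE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["offered"] = [int(x) for x in ev["offered"].split()]
    for key in ("rep", "tkt", "ses"):  # absent on non-ISSUE lines
        ev[key] = int(ev[key]) if ev[key] is not None else None
    return ev

def unsupported_host_tickets(lines):
    """Issued host/ tickets encrypted with an enctype the requester did not offer."""
    return [(ev["server"], name(ev["tkt"]))
            for ev in filter(None, map(parse, lines))
            if ev["req"] == "TGS_REQ" and ev["status"] == "ISSUE"
            and ev["server"].startswith("host/") and ev["tkt"] not in ev["offered"]]

if __name__ == "__main__":
    print(unsupported_host_tickets(SAMPLE_LOG))
```

On the sample it reports the host/bmdata01 ticket as aes256-cts-hmac-sha1-96(18), an enctype absent from the list the XP machine offered, which is consistent with the quoted advice to create the host principal with des-cbc-crc.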