[Freeipa-users] Once Again: Freeipa and Windows 7

Dmitri Pal dpal at redhat.com
Mon Aug 1 12:36:21 UTC 2011


On 07/31/2011 04:44 AM, roland.kaeser at intersoft-networks.ch wrote:
> Hello
>
> I'm trying again to set up a pilot freeipa infrastructure for linux/afs
> servers and windows clients. So the first (and hardest) task is to
> join a "windows 7" into freeipa/kerberos.
> I already read the available documentation and set up my pilot client
> with the following parameters:
>
> ksetup /setdomain SAMPLE.CH
> ksetup /SetRealm SAMPLE.CH
> ksetup /AddKdc SAMPLE.CH freeipa.sample.ch
> ksetup /AddKpasswd SAMPLE.CH freeipa.sample.ch
> ksetup /SetComputerPassword MYPASSWORDHERE
> ksetup /MapUser * *
>
> Changed the available encryption types for kerberos in secpol.msc
> under Local Policies/Security Options/Network Security/Network
> Security: Configure encryption types allowed for Kerberos to:
> DES_CBC_CRC,DES_CBC_MD5,RC4_HMAC_MD5,AES128_HMAC_SHA1,AES256_HMAC_SHA1, Future
> encryption types
>
> Created a host principal in the freeipa webinterface and set the OTP
> to MYPASSWORDHERE.

You might be confused by this feature. This password is used with
ipa-client auto enroll so that one can join a client into the IPA
domain. The OTP is used for the authentication in this scenario.
In your case you are not using the client so OTP is irrelevant.
We do not test Win 7 hosts as clients but we know that in the past some
people had success with such configuration.

First please search archives as there was an attempt with
freeipa 2.0 earlier this year. As I recall it was successful. An
earlier attempt with 1.x was covered here:
http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step

>
> The clock of the windows 7 machine is synced with the ntpd of the
> freeipa server.
>
> When I try to login I get the usual password change request dialog on
> the windows 7 client and the following krb5log entry:
>
>     Jul 31 10:39:05 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: CLIENT KEY EXPIRED: isn-roland@SAMPLE.CH for krbtgt/SAMPLE.CH@SAMPLE.CH, Password has expired
>
> When I try to change the password I get only "The username or password
> is wrong" with the following krb5log entries:
>
>   Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: NEEDED_PREAUTH: isn-roland@SAMPLE.CH for kadmin/changepw@SAMPLE.CH, Additional pre-authentication required
>   Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed
>   Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: isn-roland@SAMPLE.CH for kadmin/changepw@SAMPLE.CH, Decrypt integrity check failed
>   Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed
>   Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: isn-roland@SAMPLE.CH for kadmin/changepw@SAMPLE.CH, Decrypt integrity check failed
>
> After long googling and investigation, I can't see the issue
> behind these problems.
>
> Has someone set up a similar environment and can give me some advice
> to get this up and running?
>
> Regards
>
> Roland
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
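The krb5kdc lines quoted in the thread above say more than the Windows logon dialog does: the etype list shows what the client is willing to use, "CLIENT KEY EXPIRED" is a password-expiry refusal, and "Decrypt integrity check failed" on timestamp pre-authentication means the KDC could not decrypt what the client encrypted with the key it derived from the typed password. The following is an added example, not code from the thread or from the FreeIPA project, that parses MIT krb5kdc AS_REQ and preauth lines, decodes the etype numbers, and turns the outcomes into plain-language hints. The sample log is a copy of the lines from the post with the archive's "user at REALM" mangling restored to "user@REALM"; the hint wording and the choice of which etypes to flag as weak are this example's own.

```python
"""Classify MIT krb5kdc AS_REQ log lines like the ones quoted in the thread."""
import re
from collections import Counter

# Kerberos etype numbers from the IANA registry plus Microsoft's RC4
# variants, using the names MIT krb5 prints for them.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
    24: "arcfour-hmac-exp",
    -135: "arcfour-hmac-old-exp",
}
# Single DES and export-grade RC4: this example's own choice of what to flag.
WEAK_ETYPES = {1, 3, 24, -135}

AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \((\d+) etypes \{([^}]*)\}\) "
    r"(\S+): ([A-Z_ ]+): (\S+) for (\S+), (.*)$"
)
PREAUTH_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): preauth \((\w+)\) verify failure: (.*)$"
)

# Constructed sample: the log lines from the post, with "user at REALM"
# turned back into "user@REALM" as the KDC actually writes it.
SAMPLE_LOG = """\
Jul 31 10:39:05 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: CLIENT KEY EXPIRED: isn-roland@SAMPLE.CH for krbtgt/SAMPLE.CH@SAMPLE.CH, Password has expired
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: NEEDED_PREAUTH: isn-roland@SAMPLE.CH for kadmin/changepw@SAMPLE.CH, Additional pre-authentication required
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: isn-roland@SAMPLE.CH for kadmin/changepw@SAMPLE.CH, Decrypt integrity check failed
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: isn-roland@SAMPLE.CH for kadmin/changepw@SAMPLE.CH, Decrypt integrity check failed
"""


def parse_line(line):
    """Return a dict for an AS_REQ or preauth-failure line, else None."""
    m = AS_REQ_RE.search(line)
    if m:
        etypes = [int(x) for x in m.group(2).split()]
        if len(etypes) != int(m.group(1)):
            raise ValueError("etype count does not match list: %r" % line)
        return {"kind": "AS_REQ", "etypes": etypes, "client_ip": m.group(3),
                "status": m.group(4), "client": m.group(5),
                "server": m.group(6), "detail": m.group(7)}
    m = PREAUTH_RE.search(line)
    if m:
        return {"kind": "PREAUTH_VERIFY", "mechanism": m.group(1),
                "detail": m.group(2)}
    return None


def analyze(log_text):
    """Parse a chunk of krb5kdc log and summarise what it says about the client."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    as_reqs = [e for e in events if e["kind"] == "AS_REQ"]
    statuses = Counter(e["status"] for e in as_reqs)
    offered = set()
    for e in as_reqs:
        offered.update(e["etypes"])
    weak = sorted(ETYPE_NAMES.get(t, str(t)) for t in offered & WEAK_ETYPES)

    hints = []
    if statuses["CLIENT KEY EXPIRED"]:
        hints.append("KDC refuses a TGT because the principal's password is "
                     "expired; it must be changed before a normal logon works")
    decrypt_fail = [e for e in as_reqs
                    if e["status"] == "PREAUTH_FAILED"
                    and "Decrypt integrity check failed" in e["detail"]]
    if decrypt_fail:
        targets = sorted({e["server"] for e in decrypt_fail})
        hints.append("timestamp pre-auth did not decrypt with the KDC's stored "
                     "key for %s (requests for %s): the key the client derived "
                     "from the typed password does not match the KDC's key for "
                     "that principal"
                     % (decrypt_fail[0]["client"], ", ".join(targets)))
    if weak:
        aes_note = ("; AES (17/18) is offered as well, so the weak ones can be "
                    "dropped from the Windows policy" if offered & {17, 18} else "")
        hints.append("client offers weak etypes %s%s" % (", ".join(weak), aes_note))
    return {"events": events, "statuses": statuses,
            "weak_etypes_offered": weak, "hints": hints}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for status, n in sorted(report["statuses"].items()):
        print("%-20s %d" % (status, n))
    for h in report["hints"]:
        print("-", h)
```

Run it against a real KDC log with `analyze(open("/var/log/krb5kdc.log").read())`; the regexes only match the two message shapes shown in the thread, so other KDC lines are ignored rather than misreported.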


