[Freeipa-users] Once Again: Freeipa and Windows 7
roland.kaeser at intersoft-networks.ch
Sun Jul 31 08:44:18 UTC 2011
Hello
I'm trying again to set up a pilot freeipa infrastructure for linux/afs
servers and windows clients. So the first (and hardest) task is to join
a "Windows 7" machine to freeipa/kerberos.
I already read the available documentation and set up my pilot client with
the following parameters:
ksetup /setdomain SAMPLE.CH
ksetup /SetRealm SAMPLE.CH
ksetup /AddKdc SAMPLE.CH freeipa.sample.ch
ksetup /AddKpasswd SAMPLE.CH freeipa.sample.ch
ksetup /SetComputerPassword MYPASSWORDHERE
ksetup /MapUser * *
Changed the available encryption types for kerberos in secpol.msc under
Local Policies/Security Options/Network Security/Network Security:
Configure encryption types allowed for Kerberos to:
DES_CBC_CRC,DES_CBC_MD5,RC4_HMAC_MD5,AES128_HMAC_SHA1,AES256_HMAC_SHA1,
Future encryption types
Created a host principal in the freeipa web interface and set the OTP to
MYPASSWORDHERE.
The clock of the windows 7 machine is synced with the ntpd of the freeipa
server.
When I try to log in I get the usual password change request dialog on the
windows 7 client and the following krb5log entry:
Jul 31 10:39:05 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7
etypes {18 17 23 3 1 24 -135}) 192.168.1.90: CLIENT KEY EXPIRED:
isn-roland at SAMPLE.CH for krbtgt/SAMPLE.CH at SAMPLE.CH, Password has expired
When I try to change the password I get only "The username or password is
wrong" with the following krb5log entries:
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes
{18 17 23 3 1 24 -135}) 192.168.1.90: NEEDED_PREAUTH: isn-roland at SAMPLE.CH
for kadmin/changepw at SAMPLE.CH, Additional pre-authentication required
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth
(timestamp) verify failure: Decrypt integrity check failed
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes
{18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: isn-roland at SAMPLE.CH
for kadmin/changepw at SAMPLE.CH, Decrypt integrity check failed
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth
(timestamp) verify failure: Decrypt integrity check failed
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes
{18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: isn-roland at SAMPLE.CH
for kadmin/changepw at SAMPLE.CH, Decrypt integrity check failed
After long googling and long investigation, I can't see the issue behind
these problems.
Has someone set up a similar environment who can give me some advice to
get this up and running?
Regards
Roland
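
An added example, not part of the original message: a small Python parser for the krb5kdc AS_REQ lines quoted above. It names the enctypes the Windows 7 client offered, flags those since deprecated for Kerberos, and tallies outcomes per principal and service. The enctype table and the helper names (parse_as_req, summarize) are this example's own.

```python
import re
from collections import Counter

# Enctype numbers as krb5kdc prints them in "etypes {...}". True marks types
# deprecated for Kerberos by RFC 6649 (DES, RC4-HMAC-EXP) or RFC 8429 (RC4).
ETYPES = {1: ("des-cbc-crc", True), 3: ("des-cbc-md5", True),
          17: ("aes128-cts-hmac-sha1-96", False),
          18: ("aes256-cts-hmac-sha1-96", False),
          23: ("rc4-hmac", True), 24: ("rc4-hmac-exp", True)}

# One AS_REQ line; "(?:@| at )" also accepts the archive's "user at REALM".
AS_REQ = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[-\d ]+)\}\) (?P<ip>\S+): "
    r"(?P<status>[A-Z_ ]+): (?P<client>\S+?)(?:@| at )\S+ for "
    r"(?P<service>\S+?)(?:@| at )[^,\s]+, (?P<reason>.*)")

# The log lines from the message, unwrapped, with "@" restored in principals.
SAMPLE = """\
Jul 31 10:39:05 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: CLIENT KEY EXPIRED: isn-roland@SAMPLE.CH for krbtgt/SAMPLE.CH@SAMPLE.CH, Password has expired
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: NEEDED_PREAUTH: isn-roland@SAMPLE.CH for kadmin/changepw@SAMPLE.CH, Additional pre-authentication required
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: isn-roland@SAMPLE.CH for kadmin/changepw@SAMPLE.CH, Decrypt integrity check failed
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: isn-roland@SAMPLE.CH for kadmin/changepw@SAMPLE.CH, Decrypt integrity check failed
"""

def parse_as_req(log):
    """Yield a dict per AS_REQ line; other krb5kdc lines are skipped."""
    for line in log.splitlines():
        m = AS_REQ.search(line)
        if m:
            yield {**m.groupdict(), "etypes": [int(n) for n in m["etypes"].split()]}

def summarize(log):
    """Return (outcome counts, deprecated etype names, unlisted etype numbers)."""
    outcomes, offered = Counter(), set()
    for r in parse_as_req(log):
        outcomes[(r["client"], r["service"], r["status"])] += 1
        offered.update(r["etypes"])
    deprecated = sorted(ETYPES[n][0] for n in offered if n in ETYPES and ETYPES[n][1])
    unlisted = sorted(n for n in offered if n not in ETYPES)  # e.g. negative, vendor-specific
    return outcomes, deprecated, unlisted

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

On these lines the tally separates the expired-password response on krbtgt from the two PREAUTH_FAILED responses on kadmin/changepw, and -135 is reported as unlisted because it lies outside the table of IANA-assigned enctypes.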