[Freeipa-users] Windows client logon
Jimmy
g17jimmy at gmail.com
Fri Sep 16 13:31:30 UTC 2011
I tried that but still cannot successfully log in as an IPA user. The same
system can be configured as a Kerberos client (non-IPA) defined in MIT
Kerberos, and authenticate against MIT Kerberos. The system uses AES when
authenticating to MIT Kerberos so those are the only encryption types I
defined manually. In the network trace for this transaction I see the error
KRB_AP_ERR_BAD_INTEGRITY (31)
Commands used (different iterations):
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P [entering into the main keytab /etc/krb5.keytab]
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P [entering into a new keytab krb5.keytab.sys1]
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
Log entries:
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Decrypt integrity check failed
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Decrypt integrity check failed
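
Added example, not part of the original post: a small Python parser for the krb5kdc AS_REQ lines shown above that decodes the numeric etype list the client offered and counts outcomes per principal and client address. The etype names are the standard Kerberos assignments (with -135 a Microsoft-private value); the function names are hypothetical and only the two AS_REQ line shapes seen in the post are handled.

```python
import re
from collections import Counter

# Kerberos etype numbers seen in the post's AS_REQ lines, mapped to names.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
          24: "arcfour-hmac-exp", -135: "rc4-hmac-old-exp (Microsoft)"}

# Matches NEEDED_PREAUTH / PREAUTH_FAILED style lines only (assumption: other
# outcomes such as ISSUE carry extra fields and are ignored here). The list
# archive rewrote "@" as " at ", so both spellings are accepted.
AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(\d+ etypes \{(?P<etypes>[-\d ]+)\}\) "
    r"(?P<client>\S+): (?P<status>[A-Z_]+): "
    r"(?P<princ>\S+?)(?: at |@)(?P<realm>\S+) for ")

def parse_as_req(line):
    """Return a dict for a krb5kdc AS_REQ line, or None for any other line."""
    m = AS_REQ.search(line)
    if not m:
        return None
    offered = [int(n) for n in m["etypes"].split()]
    return {"client": m["client"], "status": m["status"],
            "principal": f'{m["princ"]}@{m["realm"]}',
            "etypes": [ETYPES.get(n, f"unknown({n})") for n in offered]}

def summarize(lines):
    """Count AS_REQ outcomes keyed by (principal, client address, status)."""
    counts = Counter()
    for line in lines:
        rec = parse_as_req(line)
        if rec:
            counts[(rec["principal"], rec["client"], rec["status"])] += 1
    return counts

# The log lines from the post, rejoined onto single lines.
_P = "Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): "
_REQ = _P + "AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: "
_WHO = "oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, "
_FAIL = "Decrypt integrity check failed"
SAMPLE = [_REQ + "NEEDED_PREAUTH: " + _WHO + "Additional pre-authentication required",
          _P + "preauth (timestamp) verify failure: " + _FAIL,
          _REQ + "PREAUTH_FAILED: " + _WHO + _FAIL,
          _P + "preauth (timestamp) verify failure: " + _FAIL,
          _REQ + "PREAUTH_FAILED: " + _WHO + _FAIL]

if __name__ == "__main__":
    print("offered:", ", ".join(parse_as_req(SAMPLE[0])["etypes"]))
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key)
```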