[Freeipa-users] Windows client logon

Jimmy g17jimmy at gmail.com
Fri Sep 16 21:24:48 UTC 2011


This was installed using yum. I need to be able to authenticate users
against Kerberos from a Windows client machine and it fails at login saying
the username/password is incorrect. The krb5kdc.log shows:

Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Decrypt integrity check failed

I know the user's password I'm using is correct because I can kinit with
that username/password on the IPA server. I used ipa-getkeytab to set
the machine password, but I'm not sure that it's doing what I would normally
do in a stand-alone MIT Kerberos server using kadmin. Using ksetup on the
Windows 7 client I can reconfigure for a couple of different realms and
authentication works just fine, but I'm missing something on the IPA config
that would allow the same authentication.
Thanks,
Jimmy
On Fri, Sep 16, 2011 at 4:45 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 09/16/2011 02:26 PM, Jimmy wrote:
>
> I can create a keytab using ipa-getkeytab for any entity, say for instance
> a user, and store a password in the keytab but as soon as the user attempts
> to kinit with the set password it expires and must be changed. Is this
> happening with the host(workstation) entities?
>
>
> Are you using latest hand built IPA from the master?
> There is a bug about passwords being expired.
> A more stable version is available from Fedora if you are using Fedora or
> from 2.1 branch.
>
>
> On Fri, Sep 16, 2011 at 9:44 AM, Jimmy <g17jimmy at gmail.com> wrote:
>
>> When I do not specify the encryption type it does put them all in in a
>> single go. I just was attempting to eliminate the other types in case that
>> was creating a problem. The system defaults to type x18
>> (aes256-cts-hmac-sha1-96). Thanks for your help on this.
>>
>> [root at csp-idm etc]# klist -kte krb5.keytab.sys1
>> Keytab name: WRFILE:krb5.keytab.sys1
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp at PDH.CSP (aes256-cts-hmac-sha1-96)
>>    6 09/16/11 13:40:03 host/ews1-cybsec.pdh.csp at PDH.CSP (aes128-cts-hmac-sha1-96)
>>    6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp at PDH.CSP (des3-cbc-sha1)
>>    6 09/16/11 13:40:04 host/ews1-cybsec.pdh.csp at PDH.CSP (arcfour-hmac)
>>
>>
>> On Fri, Sep 16, 2011 at 9:35 AM, Simo Sorce <simo at redhat.com> wrote:
>>
>>> On Fri, 2011-09-16 at 09:31 -0400, Jimmy wrote:
>>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P            [entering into the main keytab /etc/krb5.keytab]
>>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P       [entering into a new keytab krb5.keytab.sys1]
>>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
>>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
>>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>>> > ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
>>> >
>>>
>>>  This is not how it works.
>>> You must define all types in one single go.
>>> Every time you invoke ipa-getkeytab for a principal you are discarding
>>> any previous key in the KDC, and only the last one is available.
>>>
>>> Simo.
>>>
>>> --
>>> Simo Sorce * Red Hat, Inc * New York
>>>
>>>
>>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
>
>
> -------------------------------
> Looking to carve out IT costs?
> www.redhat.com/carveoutcosts/
>
>
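Two things in this thread are worth checking mechanically after a run of ipa-getkeytab invocations like the ones quoted: what the keytab file actually holds per KVNO (Simo's point is that the KDC only keeps the key from the last invocation, so anything under an older KVNO in the file is dead weight), and whether the enctypes the Windows client advertises in the AS_REQ line of krb5kdc.log overlap with what was stored for the host principal. The script below is an added example, not code from the FreeIPA project or from anyone in the thread. It reads a version 0x0502 MIT keytab offline (the same layout klist -kte prints), audits KVNOs per principal, and parses the AS_REQ lines from the log excerpt. The keytab bytes, the dummy keys, the timestamps and the leftover kvno 5 entry are constructed for the demo; the log lines are the ones from the thread with the list archive's " at " written back as "@". One caveat a reader should keep in mind: the failures in the excerpt are timestamp pre-authentication failures for the user principal oper, which the KDC verifies with the user's own key, so a host keytab problem does not by itself explain that particular message.

```python
"""Offline keytab and krb5kdc.log checks for the thread above. Added example,
not FreeIPA or MIT code; every input below is constructed for the demo."""
import re
import struct

ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac", 24: "arcfour-hmac-exp",
                 -135: "rc4-hmac-old-exp"}  # Heimdal's name for this Windows value (assumption)

def etype_name(etype):
    return ENCTYPE_NAMES.get(etype, "unknown(%d)" % etype)

def build_keytab(entries):
    """(principal, kvno, enctype, key, timestamp) tuples -> 0x0502 keytab bytes; sample input only."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, time, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)  # 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def parse_keytab(data):
    """Entry dicts (principal, kvno, enctype, timestamp, key) from keytab bytes, as klist -kte shows them."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    def counted(off):  # uint16 length-prefixed string -> (text, offset after it)
        (n,) = struct.unpack_from(">H", data, off)
        return data[off + 2:off + 2 + n].decode(), off + 2 + n
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot of |size| bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, off = counted(pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = counted(off)
            comps.append(comp)
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">hH", data, off + 9)
        key = data[off + 13:off + 13 + klen]
        off += 13 + klen
        trailer = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0  # optional 32-bit vno
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": trailer or vno8,
                        "enctype": enctype, "timestamp": timestamp, "key": key})
        pos = end
    return entries

def audit_keytab(entries):
    """Per principal: newest kvno, enctypes stored under it, and older kvnos still in the file.
    The KDC only holds the key from the last ipa-getkeytab run, so older kvnos are dead weight."""
    kvnos = {}
    for e in entries:
        kvnos.setdefault(e["principal"], {}).setdefault(e["kvno"], set()).add(e["enctype"])
    return {p: {"kvno": max(k), "enctypes": sorted(k[max(k)]),
                "stale_kvnos": sorted(v for v in k if v != max(k))} for p, k in kvnos.items()}

AS_REQ_RE = re.compile(r"AS_REQ \(\d+ etypes \{([^}]*)\}\) (\S+): (\w+): (\S+) for ([^\s,]+)")

def parse_as_req(line):
    """Client etypes (in its preference order), address, status and principals from an AS_REQ line."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    etypes, addr, status, client, server = m.groups()
    return {"etypes": [int(x) for x in etypes.split()], "addr": addr,
            "status": status, "client": client, "server": server}

def negotiable(client_etypes, kdc_etypes):
    """Enctypes both sides have, in the client's preference order."""
    return [e for e in client_etypes if e in kdc_etypes]

HOST = "host/ews1-cybsec.pdh.csp@PDH.CSP"
# Constructed keytab with dummy keys: an earlier single-enctype run left kvno 5 behind;
# the last run wrote kvno 6 with all four enctypes, as in the klist output above.
SAMPLE_KEYTAB = build_keytab([(HOST, 5, 18, b"\x11" * 32, 1316180000)] + [
    (HOST, 6, et, bytes([et]) * ln, 1316187603) for et, ln in ((18, 32), (17, 16), (16, 24), (23, 16))])
SAMPLE_LOG = [  # lines from the krb5kdc.log excerpt, with the archive's " at " restored to "@"
    "Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) "
    "192.168.201.9: NEEDED_PREAUTH: oper@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Additional pre-authentication required",
    "Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed",
    "Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) "
    "192.168.201.9: PREAUTH_FAILED: oper@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Decrypt integrity check failed",
]

if __name__ == "__main__":
    report = audit_keytab(parse_keytab(SAMPLE_KEYTAB))
    print(HOST, report[HOST])
    offered = parse_as_req(SAMPLE_LOG[0])["etypes"]
    print("client offers:", [etype_name(e) for e in offered])
    print("usable for host key:", [etype_name(e) for e in negotiable(offered, report[HOST]["enctypes"])])
```

Against a real file, replace SAMPLE_KEYTAB with open("/etc/krb5.keytab", "rb").read() (root needed) and feed actual krb5kdc.log lines to parse_as_req. A principal that shows up with stale_kvnos after repeated ipa-getkeytab runs is exactly the situation Simo describes: the file has accumulated keys, but only the newest KVNO can match what the KDC now holds.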