[Freeipa-users] Windows client logon

Jimmy g17jimmy at gmail.com
Mon Sep 19 14:10:02 UTC 2011


I have verified that the password set for the workstation in the kerberos
host principal(using ipa-getkeytab) and the password on the host (using
ksetup) are the same. I'm still getting the " Decrypt integrity check
failed" errors. I have also verified that the system clock is accurate on
both the KDC and the workstation. What else could be causing this? As I have
said, this system authenticates flawlessly against other KDCs I have set
up.
Jimmy

On Fri, Sep 16, 2011 at 5:55 PM, Simo Sorce <simo at redhat.com> wrote:

> On Fri, 2011-09-16 at 17:24 -0400, Jimmy wrote:
> > This was installed using yum. I need to be able to authenticate users
> > against Kerberos from a Windows client machine and it fails at login
> > saying the username/password is incorrect. The krb5kdc.log shows:
> >
> > Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes
> > {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: oper at PDH.CSP
> > for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required
> > Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth
> > (timestamp) verify failure: Decrypt integrity check failed
> > Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes
> > {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: oper at PDH.CSP
> > for krbtgt/PDH.CSP at PDH.CSP, Decrypt integrity check failed
> > Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth
> > (timestamp) verify failure: Decrypt integrity check failed
> > Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes
> > {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: oper at PDH.CSP
> > for krbtgt/PDH.CSP at PDH.CSP, Decrypt integrity check failed
>
>
> These logs say that either the password is wrong, or the clock on your
> windows client is way off (more than 5 min. skew) wrt the ipa server.
> >
> > I know the user's password I'm using is correct because I can kinit
> > with that username/password on the IPA server. I used the
> > ipa-getkeytab to set the machine password, but I'm not sure that it's
> > doing what I would normally do in a stand alone MIT Kerberos server
> > using kadmin. Using ksetup on the windows7 client I can reconfigure
> > for a couple different realms and authentication works just fine, but
> > I'm missing something on the IPA config that would allow the same
> > authentication.
>
> The reason to have a "password" (windows) or a keytab (unix) for the
> machine is to be able to validate the account against a possible rogue
> KDC+attacker at login prompt pair.
>
> But you are not even getting to the validation step as you are failing
> to get a TGT for the user in the first place.
>
> If the user password is right and your Freeipa REALM name is indeed
> PDH.CSP then it is probably clock skew.
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
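As an added example (not code from the thread, from FreeIPA, or from MIT Kerberos), here is a small Python parser for krb5kdc.log lines in the format quoted above. It counts PREAUTH_FAILED entries per client IP and principal together with the reason the KDC logged, flags client/principal pairs that keep failing (at this level a misconfigured workstation like the one in the thread and a password-guessing source look the same, so this is the thing to alert on), lists the single-DES and RC4 enctypes the client offered, and checks a client/KDC clock pair against the 5-minute skew window Simo mentions. The sample log is constructed from the quoted excerpt with `@` restored where the archive printed ` at `; the final ISSUE line and its authtime are constructed to show what a successful exchange looks like.

```python
"""Summarize AS_REQ pre-authentication failures from an MIT krb5kdc.log.

Added example for this thread; not FreeIPA or MIT Kerberos project code.
"""
import re
from collections import Counter
from datetime import timedelta

# Constructed sample in the quoted krb5kdc.log format. The list archive rendered
# "@" as " at "; real log lines carry "@". The last ISSUE line is constructed to
# show a successful AS exchange.
SAMPLE_LOG = """\
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: oper@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Additional pre-authentication required
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: oper@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: oper@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP, Decrypt integrity check failed
Sep 16 20:55:10 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: ISSUE: authtime 1316206510, etypes {rep=18 tkt=18 ses=18}, oper@PDH.CSP for krbtgt/PDH.CSP@PDH.CSP
"""

AS_REQ_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"krb5kdc\[\d+\]\(\w+\): AS_REQ \(\d+ etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<client>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client principal> for <service principal>" inside the trailing text
PRINC_RE = re.compile(r"(?P<princ>[^\s,]+@[^\s,]+) for (?P<svc>[^\s,]+)")

# IANA Kerberos enctype numbers for the positive values the client offered.
# Negative numbers (e.g. -135) lie outside the assigned range (vendor/private).
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
WEAK_ETYPES = {1, 3, 23, 24}  # single DES and RC4 variants


def parse_as_req(line):
    """Parse one AS_REQ line into a dict; return None for any other log line."""
    m = AS_REQ_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    p = PRINC_RE.search(rest)
    return {
        "ts": m.group("ts"),
        "client": m.group("client"),
        "status": m.group("status"),
        "etypes": [int(x) for x in m.group("etypes").split()],
        "principal": p.group("princ") if p else None,
        "service": p.group("svc") if p else None,
        # text after "<principal> for <service>", e.g. "Decrypt integrity check failed"
        "reason": rest[p.end():].strip(", ") if p else rest,
    }


def preauth_failures(log_text):
    """Count PREAUTH_FAILED AS_REQs per (client IP, principal, KDC reason)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_as_req(line)
        if rec and rec["status"] == "PREAUTH_FAILED":
            counts[(rec["client"], rec["principal"], rec["reason"])] += 1
    return counts


def repeated_failures(log_text, threshold=2):
    """(client, principal) pairs with at least `threshold` pre-auth failures.

    One pair failing over and over is the misconfigured-workstation case in the
    thread; many principals failing from one client is the pattern to alert on.
    """
    per_pair = Counter()
    for (client, princ, _reason), n in preauth_failures(log_text).items():
        per_pair[(client, princ)] += n
    return sorted(pair for pair, n in per_pair.items() if n >= threshold)


def weak_etypes_offered(rec):
    """Names of single-DES/RC4 enctypes in the client's offer, in offer order."""
    return [ETYPE_NAMES[e] for e in rec["etypes"] if e in WEAK_ETYPES]


def clock_skew_exceeded(client_time, kdc_time, max_skew=timedelta(minutes=5)):
    """True if the two clocks differ by more than the KDC's default 5-minute window."""
    return abs(client_time - kdc_time) > max_skew


if __name__ == "__main__":
    for (client, princ, reason), n in sorted(preauth_failures(SAMPLE_LOG).items()):
        print(f"{n}x PREAUTH_FAILED {princ} from {client}: {reason}")
    print("repeated failures:", repeated_failures(SAMPLE_LOG))
    first = parse_as_req(SAMPLE_LOG.splitlines()[0])
    print("weak enctypes offered:", ", ".join(weak_etypes_offered(first)))
```

Run against a real krb5kdc.log by replacing `SAMPLE_LOG` with the file contents; the "preauth (timestamp) verify failure" lines carry no client or principal, so the parser deliberately ignores them and keys everything off the AS_REQ lines that do.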