[Freeipa-users] Windows client logon

Jimmy g17jimmy at gmail.com
Mon Sep 19 19:53:57 UTC 2011


I have a WinXP client configured to authenticate now but it looks like
FreeIPA is sending the ticket encrypted with AES and XP does not support
AES. The user is getting authenticated, just not able to decrypt the ticket.

Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23
-133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: oper at PDH.CSP for
krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required
Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23})
192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23},
oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP
Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23
-133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1316461836, etypes
{rep=23 tkt=18 ses=23}, oper at PDH.CSP for host/crm1.pdh.csp at PDH.CSP


On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce <simo at redhat.com> wrote:

> On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote:
> > Once I changed the password for 'admin' I now get this error on the
> > windows system:
> >
> >
> >
> > Insufficient system resources exist to complete the requested service
> >
> >
> > and get this in the log no matter if I use the correct (changed)
> > password or if I use a known bad password:
> > Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes
> > {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: admin at PDH.CSP
> > for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required
> >
> >
> > I even deleted the user and all associated profile information on the
> > windows system and still it won't work any more.
> >
> >
> OK, somehow we generate a key the Windows client doesn't like or know how
> to work with, while MIT's clients are just fine with it.
> The way we generate keys is by setting a special random seed that is
> handed back to the client when the preauth error is generated; perhaps
> Windows is not liking what it sees?
>
> Any chance you can try with an older client? I wonder if it is a
> regression in Win7?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>
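The KDC lines quoted in this message can be checked mechanically. The following is an added example, not part of the original post or of FreeIPA: it parses krb5kdc `ISSUE` lines and reports service tickets whose ticket enctype (`tkt=`) is missing from the etype list the requester offered. It is a heuristic that assumes the requesting host is also the host that must decrypt the ticket, as in a workstation logon; the function and variable names are illustrative.

```python
import re

# Kerberos enctype numbers (IANA registry); negative values are
# private-use numbers and are left unnamed here.
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac", 24: "rc4-hmac-exp"}

# Matches krb5kdc ISSUE lines in the layout shown in the post.
ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \(\d+ etypes \{(?P<offered>[-\d ]+)\}\) "
    r"(?P<addr>\S+): ISSUE: .*?etypes \{rep=-?\d+ tkt=(?P<tkt>-?\d+) "
    r"ses=-?\d+\}, (?P<client>.+?) for (?P<service>.+)$")

# The three KDC lines from the post with the mail line-wrapping undone.
# The archive's " at " stands in for "@" and is kept as on the page.
SAMPLE = [
    "Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required",
    "Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP",
    "Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, oper at PDH.CSP for host/crm1.pdh.csp at PDH.CSP",
]

def find_mismatches(lines):
    """Return service tickets issued with an enctype the requester did not offer."""
    findings = []
    for line in lines:
        m = ISSUE_RE.search(line.strip())
        if not m:
            continue  # NEEDED_PREAUTH and other lines carry no tkt= field
        service = m["service"].strip()
        if service.startswith("krbtgt/"):
            continue  # a TGT is decrypted by a KDC, never by the client
        offered = {int(e) for e in m["offered"].split()}
        tkt = int(m["tkt"])
        if tkt not in offered:
            findings.append({"service": service, "client": m["client"],
                             "addr": m["addr"], "tkt": tkt,
                             "tkt_name": ETYPE_NAMES.get(tkt, "unknown"),
                             "offered": sorted(offered)})
    return findings

if __name__ == "__main__":
    for f in find_mismatches(SAMPLE):
        print(f"{f['addr']}: ticket for {f['service']} uses etype {f['tkt']} "
              f"({f['tkt_name']}), requester offered {f['offered']}")
```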