[Freeipa-users] Windows client logon

Simo Sorce simo at redhat.com
Mon Sep 19 20:17:36 UTC 2011


Ah stupid me,
When using Windows XP you must generate a keytab that does not use the
AES enctype. If you include the AES enctype when generating keys for the
host, you are telling the KDC that the host knows how to use AES.

You should probably just use arcfour only for WinXP as that client only
understands RC4 and DES, and DES is not worth using.

Simo.

On Mon, 2011-09-19 at 15:53 -0400, Jimmy wrote:
> I have a WinXP client configured to authenticate now but it looks like
> FreeIPA is sending the ticket encrypted with AES and XP does not
> support AES. The user is getting authenticated, just not able to
> decrypt the ticket.
> 
> Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes
> {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH:
> oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication
> required
> Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes
> {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23
> tkt=18 ses=23}, oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP
> Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes
> {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime
> 1316461836, etypes {rep=23 tkt=18 ses=23}, oper at PDH.CSP for
> host/crm1.pdh.csp at PDH.CSP
> 
> On Mon, Sep 19, 2011 at 1:32 PM, Simo Sorce <simo at redhat.com> wrote:
>         On Mon, 2011-09-19 at 13:05 -0400, Jimmy wrote:
>         > Once I changed the password for 'admin' I now get this error on the
>         > windows system:
>         >
>         > Insufficient system resources exist to complete the requested service
>         >
>         > and get this in the log no matter if I use the correct (changed)
>         > password or if I use a known bad password:
>         > Sep 19 17:01:19 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes
>         > {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: admin at PDH.CSP
>         > for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required
>         >
>         > I even deleted the user and all associated profile information on the
>         > windows system and still it won't work any more.
>         
>         Ok somehow we generate a key the windows client doesn't like or know how
>         to work with. While MIT's clients are just fine with.
>         The way we generate keys is by setting a special random seed that is
>         handed back to the client when the preauth error is generated, perhaps
>         Windows is not liking what it sees ?
>         
>         Any chance you can try with an older client, I wonder if it is a
>         regression in win7 ?
>         
>         Simo.
>         
>         --
>         Simo Sorce * Red Hat, Inc * New York
> 

-- 
Simo Sorce * Red Hat, Inc * New York
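Added here as a diagnostic example, not code from the thread or from FreeIPA: a small Python script that parses krb5kdc AS_REQ/TGS_REQ log lines like the ones quoted above, decodes the enctype numbers, and flags an issued service ticket whose enctype the requesting host never offered (the tkt=18, i.e. AES256, against an offered list of only RC4, DES and Microsoft private types that the WinXP client shows). The sample input is the thread's own three lines rejoined into single lines and embedded as constructed data; the regex accepts both "@" and the archive's " at " rendering of principal names. The etype number table is RFC 3961/3962/4757 values; the recommendation helper encodes the reply's advice (arcfour only for a client that offers nothing stronger).

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Enctype numbers as krb5kdc prints them (RFC 3961/3962 and RFC 4757 values).
# Negative numbers are Microsoft private/negotiation types and are left unnamed.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac (arcfour)",
    24: "rc4-hmac-exp",
}
AES_ETYPES = {17, 18}
# Keytab candidates, strongest first; DES and the export-grade RC4 are excluded.
PREFERRED_KEYTAB_ORDER = [18, 17, 23]

# One "AS_REQ"/"TGS_REQ" line. The optional group captures the etypes of an ISSUE.
LINE_RE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) "
    r"\(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<ip>\S+): (?P<status>\w+):"
    r"(?: authtime \d+, etypes \{rep=(?P<rep>-?\d+) tkt=(?P<tkt>-?\d+) "
    r"ses=(?P<ses>-?\d+)\},)?"
    r" (?P<client>.+?) for (?P<server>.+?)(?:,|$)"
)

# Constructed sample: the three KDC lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required
Sep 19 19:50:36 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP
Sep 19 19:50:37 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: ISSUE: authtime 1316461836, etypes {rep=23 tkt=18 ses=23}, oper at PDH.CSP for host/crm1.pdh.csp at PDH.CSP
"""


@dataclass
class KdcRequest:
    req: str
    ip: str
    status: str
    client: str
    server: str
    offered: FrozenSet[int]   # enctypes the client said it supports
    tkt: Optional[int]        # enctype the issued ticket is encrypted with
    ses: Optional[int]        # session key enctype


def etype_name(n: int) -> str:
    return ETYPE_NAMES.get(n, f"etype {n}")


def parse_kdc_line(line: str) -> Optional[KdcRequest]:
    m = LINE_RE.search(line.strip())
    if not m:
        return None
    offered = frozenset(int(x) for x in m["offered"].split())
    tkt = int(m["tkt"]) if m["tkt"] is not None else None
    ses = int(m["ses"]) if m["ses"] is not None else None
    return KdcRequest(m["req"], m["ip"], m["status"], m["client"],
                      m["server"], offered, tkt, ses)


def diagnose(log_text: str) -> List[Dict]:
    """Flag issued service tickets whose enctype the requesting host did not offer.

    A service ticket is encrypted in the service principal's key. For a
    workstation logon the service is the machine's own host/ principal, so the
    client's offered etype list is a fair proxy for what that host key may be.
    The TGT (krbtgt/...) is encrypted in the KDC's own key and is never
    decrypted by the client, so its enctype is ignored here.
    """
    findings = []
    for line in log_text.splitlines():
        r = parse_kdc_line(line)
        if r is None or r.status != "ISSUE" or r.tkt is None:
            continue
        if r.server.startswith("krbtgt/"):
            continue
        if r.tkt not in r.offered:
            findings.append({
                "server": r.server,
                "client": r.client,
                "ticket_etype": etype_name(r.tkt),
                "offered": sorted(etype_name(e) for e in r.offered),
                # AES ticket for a client that offered no AES at all: the XP case.
                "aes_on_legacy_client": r.tkt in AES_ETYPES and not (r.offered & AES_ETYPES),
            })
    return findings


def usable_keytab_enctypes(offered: FrozenSet[int]) -> List[str]:
    """Enctypes worth keeping in the host keytab, limited to what the client offered."""
    return [etype_name(e) for e in PREFERRED_KEYTAB_ORDER if e in offered]


if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f"{f['server']}: ticket uses {f['ticket_etype']}, client offered {f['offered']}")
        print("  keytab enctypes this client can use:",
              usable_keytab_enctypes(frozenset(ETYPE_NAMES) & frozenset(
                  k for k, v in ETYPE_NAMES.items() if v in f["offered"])))
```

Run against the sample, the first ISSUE line (the TGT) is skipped and the host/crm1.pdh.csp ticket is reported: encrypted with aes256-cts-hmac-sha1-96 while the client offered only rc4-hmac, DES and Microsoft private types, which is exactly the symptom in the thread. For that client's offered set the recommendation helper returns only arcfour, matching the advice above to generate the host keytab without the AES enctype.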