[Freeipa-users] Windows client logon

Simo Sorce simo at redhat.com
Mon Sep 19 20:36:00 UTC 2011


On Mon, 2011-09-19 at 16:17 -0400, Jimmy wrote:
> According to this:
> http://mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Supported-Encryption-Types.html there are a ton of encryption options that XP does support, but I always get this error if I define anything specific in the keytab:

I know for a fact that stock WinXP supports only RC4 and DES, no 3DES
nor AES support there.

If you create the host keytab with only RC4 you should be able to make
WinXP happy.

> Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes
> {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH:
> oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication
> required
> Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes
> {23}) 192.168.201.150: ISSUE: authtime 1316462970, etypes {rep=23
> tkt=18 ses=23}, oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP
> Sep 19 20:09:31 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes
> {23 -133 -128 3 1 24 -135}) 192.168.201.150: BAD_ENCRYPTION_TYPE:
> authtime 0, oper at PDH.CSP for host/crm1.pdh.csp at PDH.CSP, KDC has no
> support for encryption type
> 

> There is a fix for Win7. I have a technet article I will post the link
> as soon as I can.

Yes please let me know the link, I will try to investigate any Win7/W2K8
issues with AES and random salts asap, but not this week probably.

> I had the Win7 system working with the freeipa 'admin' user before I
> changed the admin user password, now it's broken. The MIT KFW client
> can authenticate and get a ticket, but I need to get the native
> windows authentication working.

Understood.

If AES is the issue, you could reconfigure FreeIPA to not allow AES, not
ideal, but it would be the fastest solution. Although it will probably
also require changing all passwords.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
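
The krb5kdc log lines quoted in this message can be decoded mechanically. The Python sketch below is an added example, not part of the original e-mail or of FreeIPA: it names the etype numbers the client offered and lists the BAD_ENCRYPTION_TYPE failures. The function names are hypothetical, and the sample lines are the ones quoted above with the mail wrapping removed.

```python
import re

# Kerberos etype numbers with assigned names; negative values are
# Microsoft-private and are deliberately left unnamed here.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
          23: "rc4-hmac", 24: "rc4-hmac-exp"}

REQ = re.compile(r"(AS_REQ|TGS_REQ) \(\d+ etypes \{([-\d ]+)\}\) (\S+): (\w+):")
ISSUED = re.compile(r"etypes \{rep=(-?\d+) tkt=(-?\d+) ses=(-?\d+)\}")
# The archive renders "@" as " at "; accept both forms.
SERVICE = re.compile(r" for (\S+?)(?: at |@)")

def name(etype):
    """Readable name for an etype number."""
    return ETYPES.get(etype, "private(%d)" % etype)

def parse(line):
    """Parse one krb5kdc request line; return None for unrelated lines."""
    m = REQ.search(line)
    if not m:
        return None
    rec = {"req": m.group(1), "offered": [int(x) for x in m.group(2).split()],
           "client": m.group(3), "status": m.group(4)}
    svc = SERVICE.search(line)
    rec["service"] = svc.group(1) if svc else None
    issued = ISSUED.search(line)
    if issued:
        rec["issued"] = dict(zip(("rep", "tkt", "ses"), map(int, issued.groups())))
    return rec

def etype_failures(lines):
    """(service, client, named etypes offered) for each BAD_ENCRYPTION_TYPE."""
    out = []
    for rec in filter(None, map(parse, lines)):
        if rec["status"] == "BAD_ENCRYPTION_TYPE":
            named = [name(e) for e in rec["offered"] if e in ETYPES]
            out.append((rec["service"], rec["client"], named))
    return out

# Sample input: the log lines quoted in the thread, unwrapped.
SAMPLE = [
    "Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: NEEDED_PREAUTH: oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP, Additional pre-authentication required",
    "Sep 19 20:09:30 csp-idm.pdh.csp krb5kdc[1246](info): AS_REQ (1 etypes {23}) 192.168.201.150: ISSUE: authtime 1316462970, etypes {rep=23 tkt=18 ses=23}, oper at PDH.CSP for krbtgt/PDH.CSP at PDH.CSP",
    "Sep 19 20:09:31 csp-idm.pdh.csp krb5kdc[1246](info): TGS_REQ (7 etypes {23 -133 -128 3 1 24 -135}) 192.168.201.150: BAD_ENCRYPTION_TYPE: authtime 0, oper at PDH.CSP for host/crm1.pdh.csp at PDH.CSP, KDC has no support for encryption type",
]

if __name__ == "__main__":
    for service, client, named in etype_failures(SAMPLE):
        print("%s from %s: client offered %s" % (service, client, ", ".join(named)))
```

For the failing TGS_REQ the named etypes are all RC4 or DES variants, so the request can only succeed if the host principal has a key of one of those types.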