[Freeipa-users] krb5kdc Additional pre-authentication required

Dmitri Pal dpal at redhat.com
Fri Oct 4 03:38:18 UTC 2013


On 10/03/2013 11:15 PM, Mohan Cheema wrote:
> Hi Dmitri,
>
> Yes, it's solved now. It didn't work with a single user mapping; I had to map all
> users as per the HOWTO and it worked. Initially I was trying with just one
> user mapped to an IPA user, which didn't work.

Would anything be worth adding to the HOWTO based on your experience?

>
> Regards,
>
> Mohan 
>
>> -----Original Message-----
>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Dmitri Pal
>> Sent: Thursday, October 03, 2013 10:06 PM
>> To: freeipa-users at redhat.com
>> Subject: Re: [Freeipa-users] krb5kdc Additional pre-authentication required
>>
>> On 09/30/2013 10:59 PM, Mohan Cheema wrote:
>>>> -----Original Message-----
>>>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Sumit Bose
>>>> Sent: Monday, September 30, 2013 3:47 PM
>>>> To: freeipa-users at redhat.com
>>>> Subject: Re: [Freeipa-users] krb5kdc Additional pre-authentication required
>>>>
>>>> On Mon, Sep 30, 2013 at 03:20:46PM +0100, Mohan Cheema wrote:
>>>>> Hi,
>>>>>
>>>>>
>>>>>
>>>>> We are trying to authenticate from Windows machine and getting below error.
>>>>>
>>>>> --------------------
>>>>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: NEEDED_PREAUTH: user at DOMAIN.COM for krbtgt/DOMAIN.COM at DOMAIN.COM, Additional pre-authentication required
>>>> This is expected behaviour. The client will first send the AS-REQ
>>>> without any pre-authentication data. If the server requires
>>>> pre-authentication for this principal it will return this error to the
>>>> client to indicate that pre-authentication is expected.
>>>>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18 tkt=18 ses=18}, user at DOMAIN.COM for krbtgt/DOMAIN.COM at DOMAIN.COM
>>>> In the second AS-REQ the client has included some pre-authentication
>>>> data which is accepted by the KDC and a ticket is issued to the client.
>>>> HTH
>>>>
>>>> bye,
>>>> Sumit
>>>>
>>>>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): TGS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18 tkt=23 ses=23}, user at DOMAIN.COM for host/av.domain.com at DOMAIN.COM
>>>>> --------------------
>>>>>
>>>>>
>>>>>
>>>>> We followed the instructions to integrate Windows for authentication.
>>>>>
>>>>>
>>>>> Windows Client: Windows server 2008 R2
>>>>>
>>>>>
>>>>>
>>>>> We are not able to figure out what the problem is.
>>>>>
>>>>>
>>>>>
>>>>> We are not using a DNS server; instead we are using host file entries. DNS
>>>>> server setup is not an option for us right now.
>>>>>
>>>>>
>>>>>
>>>>> Same user can authenticate from Linux machine.
>>>>>
>>>>>
>>>>>
>>>>> Regards,
>>>>>
>>>>>
>>>>>
>>>>> Mohan Cheema
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Freeipa-users mailing list
>>>>> Freeipa-users at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Thanks for the info Sumit.
>>>
>>> However, if a ticket is issued the user should be able to log in to the system. Instead,
>>> on Windows we are getting "user name or password is incorrect". Are there
>>> any other settings that need to be done so that the user can log in to the system?
>>
>>
>> This thread seems to have no follow up.
>> Was the problem solved?
>> AFAIR, for a Windows system to allow the authentication one really needs to
>> map the user to a local user.
>> There were some instructions in the HOWTO section of the IPA wiki.
>> Have you checked them?
>>
>>> Regards,
>>>
>>> Mohan
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager for IdM portfolio
>> Red Hat Inc.
>>
>>
>> -------------------------------
>> Looking to carve out IT costs?
>> www.redhat.com/carveoutcosts/


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
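
The AS exchange Sumit describes in the quoted reply, as an added example that is not part of the original thread: a small Python log filter that treats NEEDED_PREAUTH followed by ISSUE as the normal two-step exchange and reports only AS exchanges that never reach ISSUE. The sample lines, hostnames, IPs, principals and the PREAUTH_FAILED entry are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the krb5kdc format quoted in the thread (hosts, IPs and
# principals are made up; principals use "@" as krb5kdc writes them).
_P = "Sep 30 14:07:34 kdc1.example.test krb5kdc[10105](info): "
_E = "(7 etypes {18 17 23 3 1 24 -135}) "
_TGT = "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST"
SAMPLE_LOG = "\n".join([
    _P + "AS_REQ " + _E + "10.0.0.45: NEEDED_PREAUTH: alice@EXAMPLE.TEST for " + _TGT + ", Additional pre-authentication required",
    _P + "AS_REQ " + _E + "10.0.0.45: ISSUE: authtime 1380550054, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.TEST for " + _TGT,
    _P + "TGS_REQ " + _E + "10.0.0.45: ISSUE: authtime 1380550054, etypes {rep=18 tkt=23 ses=23}, alice@EXAMPLE.TEST for host/av.example.test@EXAMPLE.TEST",
    _P + "AS_REQ " + _E + "10.0.0.46: NEEDED_PREAUTH: bob@EXAMPLE.TEST for " + _TGT + ", Additional pre-authentication required",
    _P + "AS_REQ " + _E + "10.0.0.46: PREAUTH_FAILED: bob@EXAMPLE.TEST for " + _TGT + ", Decrypt integrity check failed",
    _P + "AS_REQ " + _E + "10.0.0.47: NEEDED_PREAUTH: carol@EXAMPLE.TEST for " + _TGT + ", Additional pre-authentication required",
])

LINE = re.compile(
    r"krb5kdc\[\d+\]\(info\): (?P<req>AS_REQ|TGS_REQ) \(.*?\) "
    r"(?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{[^}]*\}, )?"
    r"(?P<client>\S+) for (?P<service>[^,\s]+)"
)

def summarize_as_exchanges(log_text):
    """Map (client principal, client IP) to the outcome of its latest AS exchange."""
    outcome = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["req"] != "AS_REQ":
            continue  # TGS_REQ and unrelated lines are not part of the AS exchange
        key = (m["client"], m["ip"])
        if m["status"] == "NEEDED_PREAUTH":
            # First leg of the normal exchange: not an error unless nothing follows.
            outcome[key] = "preauth_unanswered"
        elif m["status"] == "ISSUE":
            outcome[key] = "issued"  # second AS-REQ carried accepted pre-auth data
        else:
            outcome[key] = "failed:" + m["status"]
    return outcome

def needs_attention(log_text):
    """Return only the exchanges that did not end in an issued ticket."""
    return sorted((k, v) for k, v in summarize_as_exchanges(log_text).items() if v != "issued")

if __name__ == "__main__":
    for (client, ip), verdict in needs_attention(SAMPLE_LOG):
        print(f"{client} from {ip}: {verdict}")
```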