[Freeipa-users] krb5kdc Additional pre-authentication required

Mohan Cheema mohan.cheema at arrkgroup.com
Fri Oct 4 03:55:41 UTC 2013


> -----Original Message-----
> From: Dmitri Pal [mailto:dpal at redhat.com]
> Sent: Friday, October 04, 2013 4:38 AM
> To: Mohan Cheema
> Cc: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] krb5kdc Additional pre-authentication
> required
> 
> On 10/03/2013 11:15 PM, Mohan Cheema wrote:
> > Hi Dmitri,
> >
> > Yes, it's solved now. It didn't work with single user mapping; I had to map
> > all users as per the HOWTO and it worked. Initially I was trying with just
> > one user mapped to an IPA user, which didn't work.
> 
> Anything would be worth adding to the HOWTO based on your experience?


I think just mentioning that one needs to map all the users instead of just a
single user, and create only those Windows users locally who will be accessing
the machine.

> 
> >
> > Regards,
> >
> > Mohan
> >
> >> -----Original Message-----
> >> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> >> bounces at redhat.com] On Behalf Of Dmitri Pal
> >> Sent: Thursday, October 03, 2013 10:06 PM
> >> To: freeipa-users at redhat.com
> >> Subject: Re: [Freeipa-users] krb5kdc Additional pre-authentication
> >> required
> >>
> >> On 09/30/2013 10:59 PM, Mohan Cheema wrote:
> >>>> -----Original Message-----
> >>>> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-
> >>>> bounces at redhat.com] On Behalf Of Sumit Bose
> >>>> Sent: Monday, September 30, 2013 3:47 PM
> >>>> To: freeipa-users at redhat.com
> >>>> Subject: Re: [Freeipa-users] krb5kdc Additional pre-authentication
> >>>> required
> >>>>
> >>>> On Mon, Sep 30, 2013 at 03:20:46PM +0100, Mohan Cheema wrote:
> >>>>> Hi,
> >>>>>
> >>>>>
> >>>>>
> >>>>> We are trying to authenticate from Windows machine and getting below error.
> >>>>>
> >>>>> --------------------
> >>>>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: NEEDED_PREAUTH: user at DOMAIN.COM for krbtgt/DOMAIN.COM at DOMAIN.COM, Additional pre-authentication required
> >>>> This is expected behaviour. The client will first send the AS-REQ
> >>>> without any pre-authentication data. If the server requires
> >>>> pre-authentication for this principal it will return this error to the
> >>>> client to indicate that pre-authentication is expected.
> >>>>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18 tkt=18 ses=18}, user at DOMAIN.COM for krbtgt/DOMAIN.COM at DOMAIN.COM
> >>>> In the second AS-REQ the client has included some pre-authentication
> >>>> data which is accepted by the KDC and a ticket is issued to the client.
> >>>> HTH
> >>>>
> >>>> bye,
> >>>> Sumit
> >>>>
> >>>>> Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): TGS_REQ (7 etypes {18 17 23 3 1 24 -135}) 10.43.2.45: ISSUE: authtime 1380550054, etypes {rep=18 tkt=23 ses=23}, user at DOMAIN.COM for host/av.domain.com at DOMAIN.COM
> >>>>> --------------------
> >>>>>
> >>>>>
> >>>>>
> >>>>> We followed the instructions to integrate Windows for authentication.
> >>>>>
> >>>>>
> >>>>> Windows Client: Windows server 2008 R2
> >>>>>
> >>>>>
> >>>>>
> >>>>> We are not able to figure out what the problem is.
> >>>>>
> >>>>>
> >>>>>
> >>>>> We are not using DNS server, instead we are using host file entries. DNS
> >>>>> server setup is not an option for us right now.
> >>>>>
> >>>>>
> >>>>>
> >>>>> Same user can authenticate from Linux machine.
> >>>>>
> >>>>>
> >>>>>
> >>>>> Regards,
> >>>>>
> >>>>>
> >>>>>
> >>>>> Mohan Cheema
> >>>>>
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> Freeipa-users mailing list
> >>>>> Freeipa-users at redhat.com
> >>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
> >>> Thanks for the info Sumit.
> >>>
> >>> However, if a ticket is issued, the user should be able to log in to the
> >>> system. Instead, on Windows we are getting "user name or password is
> >>> incorrect". Are there any other settings that need to be done so that the
> >>> user can log in to the system?
> >>
> >>
> >> This thread seems to have no follow up.
> >> Was the problem solved?
> >> AFAIR for Windows system to allow the authentication one really needs to
> >> map user to a local user.
> >> There were some instructions in the HOWTO section of the IPA wiki.
> >> Have you checked them?
> >>
> >>> Regards,
> >>>
> >>> Mohan
> >>>
> >>
> >> --
> >> Thank you,
> >> Dmitri Pal
> >>
> >> Sr. Engineering Manager for IdM portfolio
> >> Red Hat Inc.
> >>
> 
> 
> --
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
> 

Regards,

Mohan
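
The two-step AS exchange Sumit describes in the quoted thread, as an added example that is not part of the original messages: a Python parser that pairs each NEEDED_PREAUTH with the AS_REQ line that follows it, so only exchanges ending in PREAUTH_FAILED or with no follow-up stand out. The sample log is constructed; the alice and bob entries, their IP addresses and all Python names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample. The "user" lines mirror the excerpt quoted in the thread
# (the list archive prints "@" as " at "); the alice and bob lines are invented.
P = "Sep 30 14:07:34 kdc1.domain.com krb5kdc[10105](info): "
E = "(7 etypes {18 17 23 3 1 24 -135}) "
T = "krbtgt/DOMAIN.COM@DOMAIN.COM"
SAMPLE_LOG = "\n".join([
    f"{P}AS_REQ {E}10.43.2.45: NEEDED_PREAUTH: user@DOMAIN.COM for {T}, Additional pre-authentication required",
    f"{P}AS_REQ {E}10.43.2.45: ISSUE: authtime 1380550054, etypes {{rep=18 tkt=18 ses=18}}, user@DOMAIN.COM for {T}",
    f"{P}TGS_REQ {E}10.43.2.45: ISSUE: authtime 1380550054, etypes {{rep=18 tkt=23 ses=23}}, user@DOMAIN.COM for host/av.domain.com@DOMAIN.COM",
    f"{P}AS_REQ {E}10.43.2.46: NEEDED_PREAUTH: alice@DOMAIN.COM for {T}, Additional pre-authentication required",
    f"{P}AS_REQ {E}10.43.2.46: PREAUTH_FAILED: alice@DOMAIN.COM for {T}, Preauthentication failed",
    f"{P}AS_REQ {E}10.43.2.47: NEEDED_PREAUTH: bob@DOMAIN.COM for {T}, Additional pre-authentication required",
])

AS_REQ = re.compile(
    r"krb5kdc\[\d+\]\(info\): AS_REQ \(.*?\) (?P<ip>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime \d+, etypes \{.*?\}, )?(?P<client>\S+) for \S+"
)

def summarize_as_exchanges(log_text):
    """Count, per (client, source IP), how each AS exchange ended."""
    result = defaultdict(lambda: {"issued": 0, "failed": 0, "unanswered": 0})
    pending = set()  # keys whose last AS_REQ got NEEDED_PREAUTH and nothing since
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if not m:
            continue  # TGS_REQ and unrelated lines are ignored
        key = (m["client"], m["ip"])
        status = m["status"]
        if status == "NEEDED_PREAUTH":
            if key in pending:  # the previous challenge was never answered
                result[key]["unanswered"] += 1
            pending.add(key)
        elif status == "ISSUE":  # challenge answered, TGT issued: normal flow
            result[key]["issued"] += 1
            pending.discard(key)
        elif status == "PREAUTH_FAILED":  # pre-auth data rejected by the KDC
            result[key]["failed"] += 1
            pending.discard(key)
    for key in pending:  # challenges still open at the end of the log
        result[key]["unanswered"] += 1
    return dict(result)

if __name__ == "__main__":
    for (client, ip), counts in summarize_as_exchanges(SAMPLE_LOG).items():
        print(client, ip, counts)
```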



