<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
On 07/31/2011 04:44 AM, <a class="moz-txt-link-abbreviated" href="mailto:roland.kaeser@intersoft-networks.ch">roland.kaeser@intersoft-networks.ch</a> wrote:
<blockquote
cite="mid:OF0DADF7F9.816A2950-ONC12578DE.002D9CFE-C12578DE.00300064@intersoft-networks.ch"
type="cite"><font size="2" face="sans-serif">Hello</font>
<br>
<br>
<font size="2" face="sans-serif">I'm trying again to set up a pilot
freeipa infrastructure for linux/afs servers and windows clients. So the
first (and hardest) task is to join a "windows 7" into freeipa/kerberos.
<br>
I already read the available documentation and set up my pilot
client with the following parameters:<br>
<br>
ksetup /setdomain SAMPLE.CH</font>
<br>
<font size="2" face="sans-serif">ksetup /SetRealm SAMPLE.CH</font>
<br>
<font size="2" face="sans-serif">ksetup /AddKdc SAMPLE.CH
freeipa.sample.ch</font>
<br>
<font size="2" face="sans-serif">ksetup /AddKpasswd SAMPLE.CH
freeipa.sample.ch</font>
<br>
<font size="2" face="sans-serif">ksetup /SetComputerPassword
MYPASSWORDHERE</font>
<br>
<font size="2" face="sans-serif">ksetup /MapUser * *<br>
<br>
Changed the available encryption types for kerberos in secpol.msc under
Local Policies/Security Options/Network Security/Network Security: Configure
encryption types allowed for Kerberos to:<br>
DES_CBC_CRC,DES_CBC_MD5,RC4_HMAC_MD5,AES128_HMAC_SHA1,AES256_HMAC_SHA1,
Future encryption types</font>
<br>
<font size="2" face="sans-serif"><br>
Created a host principal in the freeipa webinterface and set the
OTP to
MYPASSWORDHERE.<br>
</font></blockquote>
<br>
You might be confused by this feature. This password is used with
ipa-client auto enroll so that one can join a client into the IPA
domain. The OTP is used for the authentication in this scenario.<br>
In your case you are not using the client, so the OTP is irrelevant. <br>
We do not test Win 7 hosts as clients, but we know that in the past
some people had success with such a configuration.<br>
<br>
First, please search the archives, as there was an earlier attempt with
freeipa 2.0 earlier this year. As I recall it was successful. And an
earlier attempt with 1.x was covered here:<br>
<a class="moz-txt-link-freetext" href="http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step">http://freeipa.org/page/Implementing_FreeIPA_in_a_mixed_Environment_%28Windows/Linux%29_-_Step_by_step</a><br>
<br>
<blockquote
cite="mid:OF0DADF7F9.816A2950-ONC12578DE.002D9CFE-C12578DE.00300064@intersoft-networks.ch"
type="cite"><font size="2" face="sans-serif">
<br>
The clock of the windows 7 machine is synced with the ntpd of
the freeipa
server.<br>
<br>
When I try to log in I get the usual password change request
dialog on the windows 7 client and the following krb5log entry:<br>
<br>
Jul 31 10:39:05 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: CLIENT KEY EXPIRED: <a class="moz-txt-link-abbreviated" href="mailto:isn-roland@SAMPLE.CH">isn-roland@SAMPLE.CH</a> for <a class="moz-txt-link-abbreviated" href="mailto:krbtgt/SAMPLE.CH@SAMPLE.CH">krbtgt/SAMPLE.CH@SAMPLE.CH</a>, Password has expired<br>
<br>
When I try to change the password, I get only "The username or password
is wrong" with the following krb5log entries:<br>
<br>
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: NEEDED_PREAUTH: <a class="moz-txt-link-abbreviated" href="mailto:isn-roland@SAMPLE.CH">isn-roland@SAMPLE.CH</a> for <a class="moz-txt-link-abbreviated" href="mailto:kadmin/changepw@SAMPLE.CH">kadmin/changepw@SAMPLE.CH</a>, Additional pre-authentication required</font>
<br>
<font size="2" face="sans-serif"> Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed</font>
<br>
<font size="2" face="sans-serif"> Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: <a class="moz-txt-link-abbreviated" href="mailto:isn-roland@SAMPLE.CH">isn-roland@SAMPLE.CH</a> for <a class="moz-txt-link-abbreviated" href="mailto:kadmin/changepw@SAMPLE.CH">kadmin/changepw@SAMPLE.CH</a>, Decrypt integrity check failed</font>
<br>
<font size="2" face="sans-serif"> Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed</font>
<br>
<font size="2" face="sans-serif"> Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: <a class="moz-txt-link-abbreviated" href="mailto:isn-roland@SAMPLE.CH">isn-roland@SAMPLE.CH</a> for <a class="moz-txt-link-abbreviated" href="mailto:kadmin/changepw@SAMPLE.CH">kadmin/changepw@SAMPLE.CH</a>, Decrypt integrity check failed<br>
<br>
After long googling and investigation, I can't see the issue behind
these problems. <br>
<br>
Has someone set up a similar environment and can give me some advice to
get this up and running?<br>
<br>
Regards<br>
<br>
Roland</font>
<br>
<pre wrap="">
<fieldset class="mimeAttachmentHeader"></fieldset>
_______________________________________________
Freeipa-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Freeipa-users@redhat.com">Freeipa-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/freeipa-users">https://www.redhat.com/mailman/listinfo/freeipa-users</a></pre>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IPA project,
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
<a class="moz-txt-link-abbreviated" href="http://www.redhat.com/carveoutcosts/">www.redhat.com/carveoutcosts/</a>
</pre>
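<p>The reply above does not walk through the krb5kdc entries Roland quoted, so here is an added example, written for this page and not code from the FreeIPA project or from either poster, that parses those entries and summarises them per client address and principal: whether the KDC reported the password as expired, how many password-change requests to kadmin/changepw were rejected at pre-authentication, and which of the encryption types the client offered are weak. The sample log is the quoted output re-joined onto single lines (a constructed input); the names for the positive etype numbers are the RFC 3961 registrations, and the negative value, which is vendor-specific, is reported by number only. A "Decrypt integrity check failed" on timestamp pre-authentication means the key the client derived from the typed password did not match the key the KDC holds for that principal; the script states only that, not why the keys differ.</p>

```python
import re
from collections import defaultdict

# Constructed sample input: the krb5kdc lines quoted in the thread, re-joined
# onto single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
Jul 31 10:39:05 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: CLIENT KEY EXPIRED: isn-roland@SAMPLE.CH for krbtgt/SAMPLE.CH@SAMPLE.CH, Password has expired
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: NEEDED_PREAUTH: isn-roland@SAMPLE.CH for kadmin/changepw@SAMPLE.CH, Additional pre-authentication required
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: isn-roland@SAMPLE.CH for kadmin/changepw@SAMPLE.CH, Decrypt integrity check failed
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: isn-roland@SAMPLE.CH for kadmin/changepw@SAMPLE.CH, Decrypt integrity check failed
"""

# Encryption type numbers registered in RFC 3961. Negative values are
# vendor-specific and are reported by number only.
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
}
WEAK_ETYPES = {1, 3, 23, 24}  # single-DES and RC4 families

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
AS_REQ_RE = re.compile(
    TS + r" (?P<host>\S+) krb5kdc\[(?P<pid>\d+)\]\((?P<level>\w+)\): "
    r"AS_REQ \((?P<count>\d+) etypes \{(?P<etypes>[-\d ]+)\}\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_ ]+): (?P<client>\S+) for (?P<server>\S+), (?P<msg>.*)$"
)
PREAUTH_RE = re.compile(
    TS + r" (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"preauth \((?P<mech>\w+)\) verify failure: (?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict for an AS_REQ or preauth-verify line, None for anything else."""
    m = AS_REQ_RE.match(line)
    if m:
        event = m.groupdict()
        event["kind"] = "AS_REQ"
        event["etypes"] = [int(e) for e in event["etypes"].split()]
        return event
    m = PREAUTH_RE.match(line)
    if m:
        event = m.groupdict()
        event["kind"] = "PREAUTH_VERIFY"
        return event
    return None


def etype_names(etypes):
    """Map etype numbers to RFC 3961 names; unregistered numbers stay numeric."""
    return [ETYPE_NAMES.get(e, "unassigned(%d)" % e) for e in etypes]


def triage(log_text):
    """Group AS_REQ events by (client IP, client principal) and summarise each pair."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    verify_failures = defaultdict(int)  # preauth mechanism name to failure count
    by_key = defaultdict(list)
    for e in events:
        if e["kind"] == "PREAUTH_VERIFY":
            verify_failures[e["mech"]] += 1
        else:
            by_key[(e["ip"], e["client"])].append(e)

    principals = []
    for (ip, client), evs in sorted(by_key.items()):
        expired = any(e["status"] == "CLIENT KEY EXPIRED" for e in evs)
        changepw_failed = sum(
            1 for e in evs
            if e["status"] == "PREAUTH_FAILED" and e["server"].startswith("kadmin/changepw")
        )
        offered = set()
        for e in evs:
            offered.update(e["etypes"])
        notes = []
        if expired:
            notes.append("password expired; client must change it before a TGT is issued")
        if changepw_failed:
            text = ("%d password-change AS_REQ(s) to kadmin/changepw rejected at "
                    "pre-authentication: the key derived from the supplied password "
                    "did not match the KDC's key for the principal")
            notes.append(text % changepw_failed)
        weak = sorted(offered & WEAK_ETYPES)
        if weak:
            notes.append("client offers weak etypes: " + ", ".join(etype_names(weak)))
        principals.append({
            "ip": ip,
            "client": client,
            "password_expired": expired,
            "changepw_preauth_failures": changepw_failed,
            "etypes_offered": etype_names(sorted(offered)),
            "notes": notes,
        })
    return {"verify_failures": dict(verify_failures), "principals": principals}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

<p>Running the script on the sample produces one principal entry for 192.168.1.90 / isn-roland@SAMPLE.CH with the expired flag set, two rejected password-change requests, two timestamp verify failures, and the DES and RC4 types listed as weak offers; feeding it a real krb5kdc.log instead of the constructed sample is a matter of reading the file into triage().</p>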
</body>
</html>