<div>I have verified that the password set for the workstation in the kerberos host principal(using ipa-getkeytab) and the password on the host (using ksetup) are the same. I'm still getting the " Decrypt integrity check failed" errors. I have also verified that the system clock is accurate on both the KDC and the workstation. What else could be causing this? As I have said, this system authenticates flawlessly against other KDC's I have set up.<br>
</div><div>Jimmy</div><br><div class="gmail_quote">On Fri, Sep 16, 2011 at 5:55 PM, Simo Sorce <span dir="ltr"><<a href="mailto:simo@redhat.com">simo@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Fri, 2011-09-16 at 17:24 -0400, Jimmy wrote:<br>
> This was installed using yum. I need to be able to authenticate users<br>
> against Kerberos from a Windows client machine and it fails at login<br>
> saying the username/password is incorrect. The krb5kdc.log shows:<br>
><br>
><br>
><br>
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes<br>
> {18 17 23 3 1 24 -135}) <a href="http://192.168.201.9" target="_blank">192.168.201.9</a>: NEEDED_PREAUTH: oper@PDH.CSP<br>
> for krbtgt/PDH.CSP@PDH.CSP, Additional pre-authentication required<br>
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth<br>
> (timestamp) verify failure: Decrypt integrity check failed<br>
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes<br>
> {18 17 23 3 1 24 -135}) <a href="http://192.168.201.9" target="_blank">192.168.201.9</a>: PREAUTH_FAILED: oper@PDH.CSP<br>
> for krbtgt/PDH.CSP@PDH.CSP, Decrypt integrity check failed<br>
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth<br>
> (timestamp) verify failure: Decrypt integrity check failed<br>
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes<br>
> {18 17 23 3 1 24 -135}) <a href="http://192.168.201.9" target="_blank">192.168.201.9</a>: PREAUTH_FAILED: oper@PDH.CSP<br>
> for krbtgt/PDH.CSP@PDH.CSP, Decrypt integrity check failed<br>
<br>
<br>
</div>These logs say that either the password is wrong, or the clock on your<br>
windows client is way off (more than 5 min. skew) wrt the ipa server.<br>
<div class="im">><br>
> I know the user's password I'm using is correct because I can kinit<br>
> with that username/password on the IPA server. I used the<br>
> ipa-getkeytab to set the machine password, but I'm not sure that it's<br>
> doing what I would normally do in a stand alone MIT Kerberos server<br>
> using kadmin. Using ksetup on the windows7 client I can reconfigure<br>
> for a couple different realms and authentication works just fine, but<br>
> I'm missing something on the IPA config that would allow the same<br>
> authentication.<br>
<br>
</div>The reason to have a "password" (windows) or a keytab (unix) for the<br>
machine is to be able to validate the account against a possible rouge<br>
KDC+attacker at login prompt pair.<br>
<br>
But you are not even getting to the validation step as you are failing<br>
to get a TGT for the user in the first place.<br>
<br>
If the user password is right and your Freeipa REALM name is indeed<br>
PDH.CSP then it is probably clock skew.<br>
<div><div class="h5"><br>
Simo.<br>
<br>
--<br>
Simo Sorce * Red Hat, Inc * New York<br>
<br>
</div></div></blockquote></div><br>