Thanks for the replies, Simo, I know the password is correct as I can kinit <user> from other linux boxes. All machines are using the same time source, and I checked the time on each machine so unfortunately it's neither of those this time round.
Dimitri, I did run through the "Configuring Windows Client" section on that web page, although I didn't install any additional software (ksetup / klist / kinit tools already installed). The client is connecting correctly as I get "Your password has expired, please change it" as a response when I login. It appears that the password change from the Windows Client fails with the "Decrypt integrity check" errors. If I change the password on a linux server when requested by kinit, I get the same Decrypt errors when trying to login to the Windows 7 client (Windows 7 Professional). I did change the local security policy to Accept all Kerberos Encryption types, except "Future encryption types". Thanks, Brett -----Original Message----- From: Simo Sorce Sent: 10 February 2011 05:33 To: Brett Maton Cc: [email protected] Subject: Re: [Freeipa-users] Freeipa Windows 7 client authentication On Wed, 9 Feb 2011 16:13:39 +0000 Brett Maton wrote: > Hi, > > I can't get a Windows 7 client to authenticate against Freeipa (ver > 2.0.0.pre2) running on Fedora 14. > > Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 > 24 -135}) 192.168.0.2: NEEDED_PREAUTH: [email protected] for > krbtgt/[email protected], Additional pre-authentication > required Feb 09 16:03:22 krb5kdc[32355](info): preauth (timestamp) > verify failure: Decrypt integrity check failed Feb 09 16:03:22 > krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) > 192.168.0.2: PREAUTH_FAILED: [email protected] for > krbtgt/[email protected], Decrypt integrity check failed Feb 09 > 16:03:23 krb5kdc[32355](info): preauth (timestamp) verify failure: > Decrypt integrity check failed Feb 09 16:03:23 krb5kdc[32355](info): > AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED: > [email protected] for krbtgt/[email protected], Decrypt > integrity check failed > > Any help with where to start looking or what might be wrong would be > greatly appreciated. Either the password is wrong or the time on your client is not within 5 min. of the time on the KDC. Simo. -- Simo Sorce * Red Hat, Inc * New York __________ Information from ESET NOD32 Antivirus, version of virus signature database 5860 (20110209) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com __________ Information from ESET NOD32 Antivirus, version of virus signature database 5860 (20110209) __________ The message was checked by ESET NOD32 Antivirus. http://www.eset.com _______________________________________________ Freeipa-users mailing list [email protected] https://www.redhat.com/mailman/listinfo/freeipa-users
