Thanks for the replies,

  Simo, I know the password is correct as I can kinit <user> from other
linux boxes.
All machines are using the same time source, and I checked the time on each
machine so unfortunately it's neither of those this time round.

Dimitri,
  I did run through the "Configuring Windows Client" section on that web
page, although I didn't install any additional software (ksetup / klist /
kinit tools already installed).

The client is connecting correctly as I get "Your password has expired,
please change it" as a response when I login.
It appears that the password change from the Windows Client fails with the
"Decrypt integrity check" errors.
If I change the password on a linux server when requested by kinit, I get
the same Decrypt errors when trying to login to the Windows 7 client
(Windows 7 Professional).

I did change the local security policy to Accept all Kerberos Encryption
types, except "Future encryption types".

Thanks,
Brett

-----Original Message-----
From: Simo Sorce 
Sent: 10 February 2011 05:33
To: Brett Maton
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] Freeipa Windows 7 client authentication

On Wed, 9 Feb 2011 16:13:39 +0000
Brett Maton wrote:

> Hi,
> 
>   I can't get a Windows 7 client to authenticate against Freeipa (ver
> 2.0.0.pre2) running on Fedora 14.
> 
> Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1
> 24 -135}) 192.168.0.2: NEEDED_PREAUTH: mat...@example.com for
> krbtgt/example....@example.com, Additional pre-authentication
> required Feb 09 16:03:22 krb5kdc[32355](info): preauth (timestamp)
> verify failure: Decrypt integrity check failed Feb 09 16:03:22
> krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135})
> 192.168.0.2: PREAUTH_FAILED: mat...@example.com for
> krbtgt/example....@example.com, Decrypt integrity check failed Feb 09
> 16:03:23 krb5kdc[32355](info): preauth (timestamp) verify failure:
> Decrypt integrity check failed Feb 09 16:03:23 krb5kdc[32355](info):
> AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED:
> mat...@example.com for krbtgt/example....@example.com, Decrypt
> integrity check failed
> 
> Any help with where to start looking or what might be wrong would be
> greatly appreciated.

Either the password is wrong or the time on your client is not within 5
min. of the time on the KDC.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
 

__________ Information from ESET NOD32 Antivirus, version of virus signature
database 5860 (20110209) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com
 
 

__________ Information from ESET NOD32 Antivirus, version of virus signature
database 5860 (20110209) __________

The message was checked by ESET NOD32 Antivirus.

http://www.eset.com
 

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to