On 02/10/2011 05:30 AM, Brett Maton wrote:
> Thanks for the replies,
>
> Simo, I know the password is correct as I can kinit <user> from other
> Linux boxes.
> All machines are using the same time source, and I checked the time on each
> machine so unfortunately it's neither of those this time round.
>
> Dmitri,
> I did run through the "Configuring Windows Client" section on that web
> page, although I didn't install any additional software (ksetup / klist /
> kinit tools already installed).
>
> The client is connecting correctly as I get "Your password has expired,
> please change it" as a response when I log in.
> It appears that the password change from the Windows Client fails with the
> "Decrypt integrity check" errors.
> If I change the password on a Linux server when requested by kinit, I get
> the same Decrypt errors when trying to log in to the Windows 7 client
> (Windows 7 Professional).
>
> I did change the local security policy to Accept all Kerberos Encryption
> types, except "Future encryption types".
>
> Thanks,
> Brett
>
> -----Original Message-----
> From: Simo Sorce
> Sent: 10 February 2011 05:33
> To: Brett Maton
> Cc: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Freeipa Windows 7 client authentication
>
> On Wed, 9 Feb 2011 16:13:39 +0000
> Brett Maton wrote:
>
>> Hi,
>>
>> I can't get a Windows 7 client to authenticate against Freeipa (ver
>> 2.0.0.pre2) running on Fedora 14.
>>
>> Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: NEEDED_PREAUTH: mat...@example.com for krbtgt/example....@example.com, Additional pre-authentication required
>> Feb 09 16:03:22 krb5kdc[32355](info): preauth (timestamp) verify failure: Decrypt integrity check failed
>> Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED: mat...@example.com for krbtgt/example....@example.com, Decrypt integrity check failed
>> Feb 09 16:03:23 krb5kdc[32355](info): preauth (timestamp) verify failure: Decrypt integrity check failed
>> Feb 09 16:03:23 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.0.2: PREAUTH_FAILED: mat...@example.com for krbtgt/example....@example.com, Decrypt integrity check failed
>>
>> Any help with where to start looking or what might be wrong would be
>> greatly appreciated.
>
> Either the password is wrong or the time on your client is not within 5
> min. of the time on the KDC.
>
> Simo.
>

Can you please log a bug then and we will try to check this scenario?
You might be the first person who tries this scenario and something can
be wrong on either side. I am not sure we would be able to jump on this
right away but the bug would at least give us a way to get to it in due
time.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
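
A triage sketch for KDC log lines laid out like the ones quoted in this thread, added here as an example and not part of the original messages or of FreeIPA: it counts PREAUTH_FAILED results per client and principal and names the encryption types the client offered. The function names, the sample principal and the client address are constructed for illustration.

```python
import re
from collections import defaultdict

# IANA-registered Kerberos etype numbers that appear in the quoted AS_REQ lines.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
WEAK = {1, 3, 24}  # single DES and export-grade RC4

AS_REQ = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[-\d ]+)\}\) (?P<client>\S+): "
    r"(?P<status>[A-Z_]+): (?P<princ>\S+) for (?P<service>[^,\s]+),")

# Constructed sample: same layout as the quoted log, with a placeholder
# principal and a documentation-range client address.
SAMPLE = """\
Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.0.2.10: NEEDED_PREAUTH: user1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Additional pre-authentication required
Feb 09 16:03:22 krb5kdc[32355](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Feb 09 16:03:22 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.0.2.10: PREAUTH_FAILED: user1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Feb 09 16:03:23 krb5kdc[32355](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.0.2.10: PREAUTH_FAILED: user1@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
"""

def etype_name(num):
    # Numbers missing from the table above (such as -135) are reported by number.
    return ETYPES.get(num, f"unregistered({num})")

def summarize(log_text):
    """Per (client, principal): PREAUTH_FAILED count and offered etypes."""
    out = defaultdict(lambda: {"failures": 0, "etypes": [], "weak": []})
    for line in log_text.splitlines():
        m = AS_REQ.search(line)
        if m is None:
            continue  # not an AS_REQ status line (e.g. the preauth detail line)
        nums = [int(n) for n in m["etypes"].split()]
        entry = out[(m["client"], m["princ"])]
        entry["etypes"] = [etype_name(n) for n in nums]
        entry["weak"] = [etype_name(n) for n in nums if n in WEAK]
        if m["status"] == "PREAUTH_FAILED":
            entry["failures"] += 1
    return dict(out)

if __name__ == "__main__":
    for (client, princ), info in summarize(SAMPLE).items():
        print(client, princ, info)
```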