Hello,

I'm trying again to set up a pilot FreeIPA infrastructure for Linux/AFS servers and Windows clients. So the first (and hardest) task is to join a "Windows 7" machine into FreeIPA/Kerberos. I have already read the available documentation and set up my pilot client with the following parameters:

    ksetup /setdomain SAMPLE.CH
    ksetup /SetRealm SAMPLE.CH
    ksetup /AddKdc SAMPLE.CH freeipa.sample.ch
    ksetup /AddKpasswd SAMPLE.CH freeipa.sample.ch
    ksetup /SetComputerPassword MYPASSWORDHERE
    ksetup /MapUser * *

Changed the available encryption types for Kerberos in secpol.msc under Local Policies/Security Options/Network Security/Network Security: Configure encryption types allowed for Kerberos to:

    DES_CBC_CRC, DES_CBC_MD5, RC4_HMAC_MD5, AES128_HMAC_SHA1, AES256_HMAC_SHA1, Future encryption types

Created a host principal in the FreeIPA web interface and set the OTP to MYPASSWORDHERE.

The clock of the Windows 7 machine is synced with the ntpd of the FreeIPA server.

When I try to log in, I get the usual password change request dialog on the Windows 7 client and the following krb5log entry:

    Jul 31 10:39:05 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: CLIENT KEY EXPIRED: isn-rol...@sample.ch for krbtgt/sample...@sample.ch, Password has expired

When I try to change the password, I get only "The username or password is wrong" with the following krb5log entries:

    Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: NEEDED_PREAUTH: isn-rol...@sample.ch for kadmin/chang...@sample.ch, Additional pre-authentication required
    Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed
    Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: isn-rol...@sample.ch for kadmin/chang...@sample.ch, Decrypt integrity check failed
    Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): preauth (timestamp) verify failure: Decrypt integrity check failed
    Jul 31 10:39:43 freeipa.sample.ch krb5kdc[6780](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.1.90: PREAUTH_FAILED: isn-rol...@sample.ch for kadmin/chang...@sample.ch, Decrypt integrity check failed

After long googling and long investigation, I can't see the issue behind these problems. Has someone set up a similar environment and can give me some advice to get this up and running?

Regards
Roland
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
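
Added example, not part of the original post: a small triage script for krb5kdc AS_REQ lines in the format quoted above, which decodes the offered etype numbers, flags the weak ones, and counts outcomes per client and service. The host name, address and principals in SAMPLE are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import Counter

# Kerberos etype numbers from the IANA registry; negative values are local-use
# (RFC 4120), so they are reported by number only.
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
WEAK = {1, 3, 24}  # single DES and export-grade RC4

AS_REQ = re.compile(
    r"AS_REQ \(\d+ etypes \{(?P<etypes>[-\d ]+)\}\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_ ]+): (?P<client>\S+) for (?P<server>\S+), (?P<reason>.*)$")

# Constructed sample lines modelled on the log format in the post (not real logs).
_P = "Jul 31 10:39:43 kdc.example.test krb5kdc[6780](info): "
_A = "AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.0.2.90: "
SAMPLE = [
    _P + _A + "CLIENT KEY EXPIRED: alice@EXAMPLE.TEST for "
              "krbtgt/EXAMPLE.TEST@EXAMPLE.TEST, Password has expired",
    _P + _A + "NEEDED_PREAUTH: alice@EXAMPLE.TEST for "
              "kadmin/changepw@EXAMPLE.TEST, Additional pre-authentication required",
    _P + "preauth (timestamp) verify failure: Decrypt integrity check failed",
    _P + _A + "PREAUTH_FAILED: alice@EXAMPLE.TEST for "
              "kadmin/changepw@EXAMPLE.TEST, Decrypt integrity check failed",
    _P + _A + "PREAUTH_FAILED: alice@EXAMPLE.TEST for "
              "kadmin/changepw@EXAMPLE.TEST, Decrypt integrity check failed",
]

def parse_as_req(line):
    """Return a dict for a krb5kdc AS_REQ line, or None for any other line."""
    m = AS_REQ.search(line)
    if not m:
        return None
    nums = [int(n) for n in m.group("etypes").split()]
    event = {k: m.group(k) for k in ("addr", "status", "client", "server", "reason")}
    event["etypes"] = [ETYPES.get(n, f"local-use({n})") for n in nums]
    event["weak"] = [ETYPES[n] for n in nums if n in WEAK]
    return event

def summarize(lines):
    """Count AS_REQ outcomes per (client, server, status)."""
    events = filter(None, map(parse_as_req, lines))
    return Counter((e["client"], e["server"], e["status"]) for e in events)

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, *key)
    print("weak etypes offered:", parse_as_req(SAMPLE[0])["weak"])
```
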