I tried that but still cannot successfully log in as an IPA user. The same
system can be configured as a Kerberos client (non-IPA) defined in MIT
Kerberos, and authenticate against MIT Kerberos. The system uses AES when
authenticating to MIT Kerberos so those are the only encryption types I
defined manually. In the network trace for this transaction I see the error
KRB_AP_ERR_BAD_INTEGRITY (31).

Commands used (different iterations):
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab -P   [entering into the main keytab /etc/krb5.keytab]
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -k krb5.keytab.sys1 -P   [entering into a new keytab krb5.keytab.sys1]
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab -P
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab -P
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes256-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P
ipa-getkeytab -s csp-idm.pdh.csp -p host/ews1-cybsec.pdh.csp -e aes128-cts-hmac-sha1-96 -k krb5.keytab.sys1 -P

Log entries:
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh....@pdh.csp, Additional pre-authentication required
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh....@pdh.csp, Decrypt integrity check failed
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 15 21:21:04 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh....@pdh.csp, Decrypt integrity check failed
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users