On Fri, 2011-09-16 at 17:24 -0400, Jimmy wrote:

> This was installed using yum. I need to be able to authenticate users
> against Kerberos from a Windows client machine and it fails at login
> saying the username/password is incorrect. The krb5kdc.log shows:
>
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh....@pdh.csp, Additional pre-authentication required
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh....@pdh.csp, Decrypt integrity check failed
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
> Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh....@pdh.csp, Decrypt integrity check failed

These logs say that either the password is wrong, or the clock on your Windows client is way off (more than 5 min. skew) wrt the IPA server.

> I know the user's password I'm using is correct because I can kinit
> with that username/password on the IPA server. I used
> ipa-getkeytab to set the machine password, but I'm not sure that it's
> doing what I would normally do in a stand-alone MIT Kerberos server
> using kadmin. Using ksetup on the Windows 7 client I can reconfigure
> for a couple different realms and authentication works just fine, but
> I'm missing something on the IPA config that would allow the same
> authentication.

The reason to have a "password" (Windows) or a keytab (Unix) for the machine is to be able to validate the account against a possible rogue KDC+attacker at login prompt pair. But you are not even getting to the validation step as you are failing to get a TGT for the user in the first place.

If the user password is right and your FreeIPA REALM name is indeed PDH.CSP then it is probably clock skew.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
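The diagnosis above hinges on reading the AS_REQ lines in krb5kdc.log correctly: NEEDED_PREAUTH is the routine first leg of every pre-authenticated exchange, while PREAUTH_FAILED with its trailing reason string is the actual failure, and the separate "preauth (timestamp) verify failure" lines repeat that same reason. The following is an added example, not code from this thread, from FreeIPA or from MIT krb5: a small parser for the default krb5kdc.log AS_REQ format shown above, plus a per-client tally that separates routine NEEDED_PREAUTH entries from PREAUTH_FAILED and ISSUE outcomes, which is what you want when deciding whether one host is suffering a key or clock problem or is guessing passwords. The sample log is constructed from the quoted excerpt, with one additional NEEDED_PREAUTH/ISSUE pair added to show what a successful exchange looks like; the principal and host names are the redacted ones from the thread, not real data.

```python
"""Parse krb5kdc.log AS_REQ lines and tally pre-authentication outcomes per client.

Added example for this thread; not FreeIPA or MIT krb5 project code. It assumes
the default MIT krb5kdc.log line format seen in the quoted excerpt.
"""
import re
from collections import Counter

# Constructed sample input: the five lines quoted in the thread, followed by a
# constructed NEEDED_PREAUTH/ISSUE pair showing a successful AS exchange.
SAMPLE_LOG = """\
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh....@pdh.csp, Additional pre-authentication required
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh....@pdh.csp, Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): preauth (timestamp) verify failure: Decrypt integrity check failed
Sep 16 20:53:32 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: PREAUTH_FAILED: o...@pdh.csp for krbtgt/pdh....@pdh.csp, Decrypt integrity check failed
Sep 16 20:54:01 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: NEEDED_PREAUTH: o...@pdh.csp for krbtgt/pdh....@pdh.csp, Additional pre-authentication required
Sep 16 20:54:01 csp-idm.pdh.csp krb5kdc[1227](info): AS_REQ (7 etypes {18 17 23 3 1 24 -135}) 192.168.201.9: ISSUE: authtime 1316210041, etypes {rep=18 tkt=18 ses=18}, o...@pdh.csp for krbtgt/pdh....@pdh.csp
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
# "AS_REQ (N etypes {...}) <client ip>: <STATUS>: <rest>"
AS_REQ_RE = re.compile(
    TS + r" (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): AS_REQ "
    r"\((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) (?P<ip>\S+?): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "<client princ> for <server princ>[, <reason>]"; for ISSUE lines this sits
# after the authtime/etypes fields, so it is searched rather than anchored.
PRINC_RE = re.compile(r"(?P<client>[^\s,]+) for (?P<server>[^\s,]+?)(?:, (?P<reason>.*))?$")


def parse_line(line):
    """Return a dict for an AS_REQ line, or None for anything else.

    The "preauth (timestamp) verify failure" lines are deliberately skipped:
    their reason text is repeated on the PREAUTH_FAILED line that follows.
    """
    m = AS_REQ_RE.match(line)
    if not m:
        return None
    p = PRINC_RE.search(m.group("rest"))
    if not p:
        return None
    return {
        "ts": m.group("ts"),
        "ip": m.group("ip"),
        # Enctypes the client offered; negative numbers are legacy Microsoft ids.
        "etypes": [int(e) for e in m.group("etypes").split()],
        "status": m.group("status"),
        "client": p.group("client"),
        "server": p.group("server"),
        "reason": p.group("reason"),
    }


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def per_client_outcomes(events):
    """Tally outcomes per (client ip, client principal).

    NEEDED_PREAUTH is counted separately because it is the normal first leg of
    every pre-authenticated AS exchange, not a failure; only PREAUTH_FAILED
    (with its reason) and ISSUE tell you whether the user actually got a TGT.
    """
    out = {}
    for ev in events:
        rec = out.setdefault((ev["ip"], ev["client"]), {
            "needed_preauth": 0, "failed": 0, "issued": 0,
            "reasons": Counter(), "etypes": set(),
        })
        rec["etypes"].update(ev["etypes"])
        if ev["status"] == "NEEDED_PREAUTH":
            rec["needed_preauth"] += 1
        elif ev["status"] == "PREAUTH_FAILED":
            rec["failed"] += 1
            rec["reasons"][ev["reason"]] += 1
        elif ev["status"] == "ISSUE":
            rec["issued"] += 1
    return out


def suspicious_clients(outcomes, min_failures=2):
    """(ip, principal) pairs with at least min_failures PREAUTH_FAILED, worst first."""
    hits = [(k, v["failed"]) for k, v in outcomes.items() if v["failed"] >= min_failures]
    return [k for k, _ in sorted(hits, key=lambda kv: -kv[1])]


if __name__ == "__main__":
    outcomes = per_client_outcomes(parse_log(SAMPLE_LOG))
    for (ip, princ), rec in outcomes.items():
        print(f"{ip} {princ}: needed_preauth={rec['needed_preauth']} "
              f"failed={rec['failed']} issued={rec['issued']} "
              f"reasons={dict(rec['reasons'])} etypes={sorted(rec['etypes'])}")
    print("suspicious:", suspicious_clients(outcomes))
```

Run against a real krb5kdc.log, the tally makes the two cases in the thread easy to tell apart: one principal from one address that fails repeatedly with the same reason and then, after a fix, gets an ISSUE is a configuration or credential problem on that host, whereas many distinct principals failing from one address with no ISSUE at all looks like guessing and deserves a different response.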